
Binding on BusinessObjects insecure like php_register_globals?

Binding on BusinessObjects looks great as you don't have to write FormObjects. But it is easy to inject values into the tree of objects, and this does not feel very secure.

PetClinic Example:

Code:
wget 'petclinic/editPet.htm?petId=2' --post-data '[otherParams]&owner.firstName=INJECT'
This way you can set owner.firstName with editPetForm. (It seems to be OK, as you can edit the name anyway.) But it looks something like PHP's infamous register_globals. Of course the implementation doesn't save the owner's firstName, but I guess Hibernate would, because it changes its state. And for me at least it doesn't matter if the object state is saved or not, as long as wrong data can be injected into the domain model itself.

What is so evil about writing FormObjects? It separates concerns, it's more secure, and writing FormObjects is easy and quick.

kind regards,
Janning

Nothing is evil about using Form Objects.
You are free to do so if you wish.
The inclination to use Business Objects directly comes from the desire to reduce the amount of code you have to write.

This seems like it is a controversial topic from what I have read, and you will find opinions leaning both ways.
The Spring web documentation does point out the security issue of binding to Business Objects, and recommends that you set allowed fields or disallowed fields in the initBinder method, which completely avoids this problem.

If you feel comfortable with a separate command Object from the Business Object, then use that approach.  You are not forced to bind to Business Objects when using the SimpleFormController.

Even if you decide to use a Business Object, I have found that you typically need other control type properties as well, that don't belong in the Business Object.
In that case, I typically would nest the Business Object within a command Object.

Good luck to you.
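To make the whitelist advice above concrete, here is an added example (not code from the thread or from PetClinic) that drives Spring's DataBinder directly against a forged parameter map like the one in the wget command. The Pet and Owner classes are minimal stand-ins with an assumed shape, and the parameter names are constructed for the demonstration; only the DataBinder, MutablePropertyValues and BindingResult calls are the real Spring API. The same setAllowedFields call is what you would put in a SimpleFormController's initBinder(HttpServletRequest, ServletRequestDataBinder) override.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class PetBindingDemo {

    // Stand-ins for the PetClinic domain classes (assumed shape, not the real ones).
    public static class Owner {
        private String firstName;
        public String getFirstName() { return firstName; }
        public void setFirstName(String firstName) { this.firstName = firstName; }
    }

    public static class Pet {
        private String name;
        private Owner owner = new Owner();
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Owner getOwner() { return owner; }
        public void setOwner(Owner owner) { this.owner = owner; }
    }

    // Constructed request parameters, as they would arrive from the forged POST.
    static Map<String, Object> forgedRequest() {
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("name", "Leo");               // field the edit-pet form really offers
        params.put("owner.firstName", "INJECT"); // nested path the form never offered
        return params;
    }

    /** Default DataBinder behaviour: every writable property path on the graph is reachable. */
    static Pet bindUnrestricted(Map<String, Object> params) {
        Pet pet = new Pet();
        pet.getOwner().setFirstName("George");
        DataBinder binder = new DataBinder(pet, "pet");
        binder.bind(new MutablePropertyValues(params));
        return pet;
    }

    /** Same binding with a whitelist, the initBinder approach the reply recommends. */
    static Pet bindRestricted(Map<String, Object> params) {
        Pet pet = new Pet();
        pet.getOwner().setFirstName("George");
        DataBinder binder = new DataBinder(pet, "pet");
        // Only top-level pet fields may be written; nothing under owner.* matches.
        binder.setAllowedFields("name", "birthDate", "type");
        binder.bind(new MutablePropertyValues(params));
        // Parameters that failed the whitelist are recorded, not silently dropped,
        // so they can be logged as a tampering attempt.
        String[] suppressed = binder.getBindingResult().getSuppressedFields();
        System.out.println("suppressed fields: " + String.join(", ", suppressed));
        return pet;
    }

    public static void main(String[] args) {
        Pet open = bindUnrestricted(forgedRequest());
        System.out.println("unrestricted owner.firstName = " + open.getOwner().getFirstName());

        Pet guarded = bindRestricted(forgedRequest());
        System.out.println("restricted   owner.firstName = " + guarded.getOwner().getFirstName());
    }
}
```

Run with spring-beans and spring-core on the classpath. In the unrestricted call the nested owner.firstName path is written straight through to the Owner that the Pet references, which is exactly the register_globals-like behaviour the question objects to; with the whitelist the owner is left as it was and the rejected parameter shows up in getSuppressedFields(). setDisallowedFields("owner.*") would block this particular path too, but a whitelist is the safer default because new properties added to the domain model later are not bindable until someone deliberately lists them.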