why setDisallowedFields for id? -- Spring petclinic example

Question

From the Spring API, i understood that @InitBinder is used to initialize some binding rules..

In the petclinic example why we have setdisallowed("id")? when the id is not displayed on the form?

@InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
    dataBinder.setDisallowedFields("id");
}

The id field is not displayed on the web page then why we are using the above code?

can we have some thing like this:

@InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
    dataBinder.setDisallowedFields("FirstName");
}

as per the above code the first name field of the owner object will not be set though user enters on the form? Is that correct?

link for the source

Answer 1

Because it can still be submitted if the end-user modifies the page or the request (for example using FireBug). Thus he can inject values into your bound object even if you don't want this.