PUT and POST fail on unknown properties Spring different behavior

前端未结

关注

 4  1504

I am writing Spring Boot application using Spring Data Rest repositories and I want to deny access to resource if request body contains JSON that has unknown properties. Def

相关标签:

4条回答

萌比男神i

2021-01-07 20:26

You're using Jackson2ObjectMapperBuilder, which has the property DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES set to the disabled value by default.

0 讨论(0)
发布评论:

提交评论
- 加载中...
陌清茗

2021-01-07 20:27
When it creates new entity then it converts json directly to java entity object through deserialization process where required validation is involved. But when it updates existing entity then it converts json to JsonNode and then merge with existing entity and as expected no validation happens because it is feature for json deserialization to java object.

As workaround you can additionally convert JsonNode to entity object and it will work as you expect.

I did quick example how to gain required validation.

go to https://github.com/valery-barysok/gs-accessing-data-rest

It is not clear solution but you can improve it :)

This example override existing spring class on classpath org.springframework.data.rest.webmvc.config.PersistentEntityResourceHandlerMethodArgumentResolver

Note You must put this class on classpath before original version.

I did copy-past this class to project and modified readPutForUpdate method:
```
private Object readPutForUpdate(IncomingRequest request, ObjectMapper mapper, Object existingObject,
                                RootResourceInformation information) {

    try {

        JsonPatchHandler handler = new JsonPatchHandler(mapper, reader);
        JsonNode jsonNode = mapper.readTree(request.getBody());
        // Here we have required validation
        mapper.treeToValue(jsonNode, information.getDomainType());

        return handler.applyPut((ObjectNode) jsonNode, existingObject);

    } catch (Exception o_O) {
        throw new HttpMessageNotReadableException(String.format(ERROR_MESSAGE, existingObject.getClass()), o_O);
    }
}
```
and i used application.properties file to configure DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES
0 讨论(0)
发布评论:

提交评论
- 加载中...
有刺的猬

2021-01-07 20:37
I think the behaviour you are observing is by design. When a POST is issued you are creating the resource so the JSON is deserialised into your entity type and Jackson is performing this task.

A PUT is working differently in spring data rest. The interesting part is handled in PersistentEntityResourceHandlerMethodArgumentResolver.readPutForUpdate.

The json is read into a JsonNode, the entity is read from the data store and then in DomainObjectReader.doMerge the implementation iterates over the json fields. It applies the json to the entity and saves it later in the controller implementation. It also discards all the fields that do not exist in the persistent entity:
```
if (!mappedProperties.hasPersistentPropertyForField(fieldName)) {
    i.remove();
    continue;
}
```
This is my understanding from reading the code. I think you could argue that this is a bug. You could try to report it at spring data rest`s jira - https://jira.spring.io/browse/DATAREST. As far as I know there is no way to customise this behaviour.
0 讨论(0)
发布评论:

提交评论
- 加载中...

天命终不由人

2021-01-07 20:37

you can annotate your model with :

@Entity
@JsonIgnoreProperties(ignoreUnknown=false)
public class Person{
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private long id;

    private String firstName;
    private String lastName;

    /* getters and setters */
}

0 讨论(0)