I have a rest request returning a list of elements. The returned type is an interface annotated with #JsonTypeInfo, so that the serialized objects will have a "type" property.
With the non reactive implementation the objects in the list are correctly serialized, while with the reactive implementation the list root objects don't have the "type" field.
I found this issue saying that is the expected behavior, but I don't understand why it works differently with the two quarkus implementations (quarkus-resteasy-jackson and quarkus-resteasy-reactive-jackson). And frankly, from a user point of view, I don't see why this behavior is considered correct.
Related
I have a controller with a method like
#PostMapping(value="/{reader}")
public String addToReadingList(#PathVariable("reader") String reader, Book book) {
book.setReader(reader);
readingListRepository.save(book);
return "redirect:/readingList/{reader}";
}
When I run a static code analysis with Sonarqube I get a vulnerability report stating that
Replace this persistent entity with a simple POJO or DTO object
But if I use a DTO (which has exactly the same fields as the entity class, then I get another error:
1 duplicated blocks of code must be removed
What should be the right solution?
Thanks in advance.
Enric
You should build a new separate class which represents your Entity ("Book" ) as Plain Old Java Object (POJO) or Data Transfer Object (DTO). If you use JSF or other stateful technology this rule is important. If your entity is stateful there might be open JPA sessions etc. which may modify your database (e.g. if you call a setter in JSF on a stateful bean).
For my projects I ignore this Sonar rule because of two reasons:
I alway you REST and REST will map my Java Class into JSON which can be seen as a DTO.
REST is stateless (no server session) so no database transaction will be open after the transformation to JSON
Information obtained from sonarsource official documentation.
On one side, Spring MVC automatically bind request parameters to beans
declared as arguments of methods annotated with #RequestMapping.
Because of this automatic binding feature, it’s possible to feed some
unexpected fields on the arguments of the #RequestMapping annotated
methods.
On the other end, persistent objects (#Entity or #Document) are linked
to the underlying database and updated automatically by a persistence
framework, such as Hibernate, JPA or Spring Data MongoDB.
These two facts combined together can lead to malicious attack: if a
persistent object is used as an argument of a method annotated with
#RequestMapping, it’s possible from a specially crafted user input, to
change the content of unexpected fields into the database.
For this reason, using #Entity or #Document objects as arguments of
methods annotated with #RequestMapping should be avoided.
In addition to #RequestMapping, this rule also considers the
annotations introduced in Spring Framework 4.3: #GetMapping,
#PostMapping, #PutMapping, #DeleteMapping, #PatchMapping.
See More Here
Hi I want to parse a json that i retrieve by hitting an legacy system, and build a response json. We are using Spring Boot having a jackson dependency. The problem i have is almost 75% of fields from legacy can be mapped directly or on basis of simple rules (0: false, 1:true). But, there are some complex rules as well like based on certain conditions and data present in some fields, we can map them to a nested object etc. To cater to this requirement which approach should we consider -
POJO approach to fetch the data from legacy target. Use bean util. copyproperties to populate the response bean (75% of properties), and then apply the business transformations on this POJO to tranform based on business logic. (Would we need two pojos here a. to copy from beanutil.copyproperties and then b. create final response dto ??)
Do not use pojo directly parse the JSON apply the transformations and then create a new POJO or response DTO. (But, this may not be generic solution and would need to be done on case by case basis).
Main considerations are approach should be fast, and generic to be applied like a framework. Thanks aakash
The considerations should be like below:
- Are the POJOs reusable?
- Is the JSON multilevel and very large?
If the answer is yes for both, then better to choose POJOs for cleaner implementation. Otherwise JsonObject parsing.
Hope this will help.
I'm just getting started with CoreNLP. From all the code samples I've seen (particularly the one on CoreNLP's main website: http://nlp.stanford.edu/software/corenlp.shtml#Usage), I've gathered that Annotation objects hold the annotated document, and CoreMap objects hold the sentences (if "ssplit" annotation is enabled).
To keep my code lightweight, I'm only passing CoreMap to one of my functions. However, in one instance I need to retrieve the parent Annotation document object. Is there any backpointer using the CoreMap object, or will I have to pass in the Annotation object to my function as well?
The overall document is an Annotation. The Annotation contains a List which contains the sentences. Each sentence is a CoreMap. I don't know of any way to get the parent Annotation from a CoreMap, so I would just pass the Annotation object to your function.
I am using Jersey to implement rest api and Jackson to provide JSON support. I am trying to remove certain properties before serialization by overriding BeanSerializerModifier.changeProperties method.
But removing properties will be based on query parameter. Is there any way to access the query parameter in my implementation?
Use of BeanSerializerModifier itself would get complicated as the method is only called once when construction necessarily JsonSerializer for the first time. As to passing query parameters, you could pass them using contextual attributes and ObjectWriter (constructed from ObjectMapper), but that means taking over quite a bit of serialization automation from Jersey.
There is one mechanism that could be helpful in modifying serialization aspects without taking over the whole process: registering ObjectWriterModifier, using ObjectWriterInjector. These are part of Jackson JAX-RS provider, added in Jackson 2.3. Without knowing more details I don't know how easy this would be; part of the issue is that query parameters are more of an input side things, so there is no direct access to them from output processing side.
I found that, by default when I using Spring MVC, "2010/01/02" binds correctly, but "2010-01-02" does not.
I know Spring has some useful binding mechanisms like initBinder. However, in this question I want to know where is the rule defined. Does anyone know that for example RFC documents of HTTP or Spring references.
It's just coincidence.
Spring MVC can implicitly convert input parameters to model objects via their single-argument constructor that takes String (if model objects have such constructors). Date has this constructor, though it's deprecated, so that this behaviour is determined by behaviour of that constructor.