I am sending a PATCH request with null values in some properties of the entity and I see that the fields are updated in the database whereas according to spec they shouldn't (partial update). Trying to understand what's going on I see that the DomainObjectMerger is instantiated as a #Bean but its merge method never used (no references found and in debug mode breakpoint is never fired). Could someone explain how and when is the DomainObjectMerger used?
EDIT: I created a sample project with a failing test. The test tries to PATCH an entity passing null as a password and expects the password to not have been affected. But it fails because the password is now null in the database
https://github.com/otinanism/demo-rest-data
The code works as expected. Your PATCH payload looks like this:
{"id":"bc421109-edaf-4d4f-8d4c-71b62aa4d99f","username":"alex","password":null}
That's telling the server to wipe out the value for the password field. If you want to leave the password field untouched, make sure it's not even contained in the request payload, e.g. by configuring the ObjectMapper to not render null values.
Related
I am using spring-security-saml2 1.0.0.RELEASE.
It works well and pretty good for me.
But New requirement is rised. I need saml-token as string.
can I get the saml-token as string. I find saml-token in log.
But how to get the saml-token as string format?
Good question, I've just added a new chapter to the Spring SAML manual which addresses this issue:
Authentication assertion
Assertion used to authenticate user is stored in the
SAMLCredential object under property authenticationAssertion. By
default the original content (DOM) of the assertion is discarded and
system only keeps an unmarshalled version which might slightly differ
from the original, e.g. in white-spaces. In order to instruct Spring
SAML to keep the assertion in the original form (keep its DOM) set
property releaseDOM to false on bean WebSSOProfileConsumerImpl.
Assertion can be serialized to String using the following call:
XMLHelper.nodeToString(SAMLUtil.marshallMessage(credential.getAuthenticationAssertion()))
I would like to start a discussion on the purpose of the blank constraint now that data binding has changed in Grails 2.4 to convert incoming empty(blank) strings from request params to null. Would it be useful to catch validation errors from data not introduced via a web request? We are considering removing many of our application's blank constraints. We do have information also coming into the app from file uploads and web services.
Thanks in advance.
You're correct that the blank constraint is largely redundant since Grails 2.4 when the data is bound from a web request). However it's still necessary to validate data from other sources, e.g. a daily Quartz job that downloads data from a web service and saves it to the database. Because there's no databinding involved, blanks would not be converted to null, so the constraint is still required.
If your rule is that you don't want to allow blank values then I think it is perfectly reasonable and probably a good idea to express that as a constraint. The fact that the data binder converts blanks to null by default will help make sure blank values are not assigned when the data binder is used, but that shouldn't replace expressing that blank values are not allowed. If you leave the constraint off and there is ever a mistake in the app (or the framework, or a plugin, etc...) that causes your rule to be violated, you won't know about it.
As I understand, to update any object with couchdb. I have to send the whole object back since it is actually "inserting" a new revision for the same id. This is all neat and works quite well.
But then I have a problem, I'm not so sure how should I handle that. I have an object that can't be sent to my user completely. I have to hide certain informations such as password hash.
The data is sent to the client, the revision is sent too. Now when I try to update my object I have one problem. Since some data is missing, the update will erase the attributes that are missing from my user.
That said, the easiest way I have is to get the object from couchdb, check if id and rev matches. If it does match, merge the object with the missing attributes. It will work pretty well and I can support deleting attributes too.
Then using this technique, I could add my objects to a cache that will reduce the time to query frequent objects from the database. If the object can be updated, then clear the cache for that id. If the object is newer, then I'll have to handle the error or merge the object.
Is there any better "good way" to handle this problem?
edit
After thinking about it during the night, I think I found a much much better solution. Instead of having my username and password inside my profile. I'll separate the identification object from the use profile.
In other words, I'll have to split up the object as much as possible to keep things isolated... On the plus side, I can add multiple authentication for one profile without messing with the profile itself. I can return profiles and anything necessary without returning any secret object.
It will complicate a bit the logic of insertion but it should be quite easy...
Get 1 id from couchdb using the uuid api "_uuids"
Insert password authentications (username, password, profile_id) using that uuid
If succeed, insert profile using the uuid that we got at 1
If anything wrong happen, rollback and tell the users what's wrong.
Also the nice thing about this method is that I can add access_token for oauth2 using the profile id and the logic will be almost the same as password, the auth type will differ but any auth type should work almost the same.
Yeah, extracting the secret stuff from the profile documents sounds like the way to go.
ASP.net MVC 3 out of the box forms authentication
when certain users on certain browsers try and authenticate they get the following error
Server Error in '/MVC' Application.
--------------------------------------------------------------------------------
The parameters dictionary contains a null entry for parameter 'rememberMe' of
non-nullable type 'System.Boolean' for method 'System.Web.Mvc.ActionResult
LogOn(System.String,
System.String, Boolean, System.String)' in 'RipsMVC.Controllers.AccountController'. An
optional parameter must be a reference type, a nullable type, or be declared as an
optional parameter.
Parameter name: parameters
the problem is its not all the time but whenever i turn on fiddler2 it automatically works so i have no clue what the root cause is .
I don't think it related to fiddler, maybe you need to make rememberMe with [DefaultValue(false)] or make it a bool?.
Anyway, you can setup a breakpoint and check the request body (using Request.Forms) to see the difference with/without fiddler.
Is remember me a checkbox on the form? HTML says that checkbox values are only submitted if they are checked. So if it is unchecked, you need to send a hidden field with a false value. Using MVC #Html.CheckBox should do this automatically. However, if your HTML just renders out a single checkbox, then it might not be submitted to get a false value on the server.
I have two tables, users and tokens.
Each user have a activated field and each token have the {id, token, user_id, created} fields.
The way the app should work is:
On the creation, the app will -
make sure that the activated field is empty (to avoid manipulations to the submitted data).
a token will be created in the tokens table.
On update, the app will -
NOT create a new token.
NOT allow an update of any kind to the activated field.
check if a new email has been submitted, and if so: will create a new token and set the activated field to false.
I know how to activate the account through the controller and how to setup the router for that.
What I need is mainly the model configuration.
For example:
I think that the token creation should be done in the afterSave method, so - how do I determine if the method is called by an update or by a create operation?
Thanks for any help
yossi you can also specify the fields that should be saved from the form though - a whitelist of fields it is ok to save in you $this->save() call. That way you can stop a hacker passing an ID in the request, and you should just set it in the controller yourself then with $this->Token->id = whatever you have, I would personally use saveField ('activated) in conjunction with this (just saves a single field!). Fat models is best if you can but get it working first then refactor it if you have got stuck. Better than wasting lots of time writing perfect first time.
You question is unclear. If you have a default value for a field, then why not set it in the database rather than doing something in aftersave? If you need to do something that should be done only in certain circumstances, then write a custom method in your model to perform the tasks you want either on creation or update.
Edit
So, if your record has an id, then you know it exists in the database. So, the simple thing to do is (in any method) check to see if the model has an id field and that it is not empty. If it's empty, then you know that you are creating a record and you can do x task. If it isn't, then do y task.
if(isset($modelData['ModelName']['id']) && !empty($modelData['ModelName']['id'])){
//This is an update
} else {
//This is a new record
}