I want to implement a basic user repository using Spring LDAP and it's concept of Object-Directory Mapping (ODM).
My User class is pretty straightforward :
#Entry(objectClasses = { "inetOrgPerson", "organizationalPerson", "person", "shadowAccount", "top" }, base = "ou=people")
public class User {
[...]
#Id
private Name dn;
#Attribute(name = "uid")
#DnAttribute(value = "uid")
private String username;
#Attribute(name = "cn")
private String fullName;
#Attribute(name = "givenName")
private String firstName;
#Attribute(name = "sn")
private String lastName;
#Attribute(name = "o")
private String organization;
#Attribute(name = "userPassword")
private String password;
// Getters & Setters
[...]
}
And basic methods of my repository :
public User findByUid(String uid) {
return ldapTemplate.findOne(query().where("uid").is(uid), User.class);
}
public void update(User user) {
ldapTemplate.update(user);
}
Everything works fine except for the password attribute. For example, if I change only the user first name, the password is also changed.
I want to know how to deal with an encoded password (using the SHA - Secure Hashing Algorithm).
I don't see any annotations allowing to specify the encoding method.
Do we have to deal with it manually?
Short version
#Attribute(name = "userPassword", type = Type.BINARY)
private byte[] password;
is the correct definition of your password attribute. This is because LDAP stores the password as binary too.
To provide a convenient way of interaction, you should modify the setter for password:
public void setPassword(String password) {
this.password = password.getBytes(StandardCharsets.UTF_8);
}
Long version
The problem is your definition of userPassword. It is a java.lang.String. And the Spring LDAP ODM Attribute annotation defaults to Type.STRING.
Your LDAP gets the string as a byte array and checks if it has a proper prefix (in our case {SSHA}). If there is no prefix present it hashes the given string with its configured hash algorithm and stores it in the attribute as binary. Here lays the root cause. Your attribute definition differs. LDAP has a binary, you have a string.
When you read the entry again, to modify the first name, the password attribute gets read too. But, as it should be a string in the object, Spring converts the binary array to a string. This conversion is wrong, as it creates a string.
e.g.
you put test in the password field of your entity object.
Spring takes the string and sends it unmodified to the LDAP server.
the server hashes the string and saves it as {SSHA}H97JD...
you read the entry again
spring gets a byte[] containing the ASCII numbers representing the stored value
[123, 83, 83, 72, 65, 125, 72, 57, 55, 74, 68, ...]
conversion to a string results in the following:
123,83,83,72,65,125,72,57,55,74,68,...
spring sets this string in your entity as password value
you modify the first name
spring takes the password string again and sends it as is to the server
the servers prefix check indicates an unhashed password and applies the hash algorithm again on the string, because 123,83, starts not with {SSHA}
the server changes the password again.
Related
I have following user details model that is used in POST & PUT controllers of /user resource.
public class UserDetails {
#NotBlank
private String username;
#NotBlank
private String password;
#NotBlank
private String firstName;
#NotBlank
private String lastName;
#NotBlank
private String nic;
#NotNull
private Integer roleId;
// constructor & getters setters
}
#PostMapping("/org/employee")
public void createEmployee(#RequestBody EmployeeDetailsModel empDetails) {
employeeService.createUser(empDetails);
}
#PutMapping("/org/employee")
public void updateEmployee(#RequestBody EmployeeDetailsModel empDetails) {
employeeService.updateUser(empDetails);
}
Here, UserDetails has #NotNull & #NotBlank validations. POST would work fine because to create a user, all details are mandatory. But when updating with PUT, I don't need all properties of UserDetails to be filled.
So my questions are,
How this kind of scenarios are handled? Do we usually force clients to send all those details whether they are changed or not?
Is it possible to disable request body validation just for a particular endpoint or do I have to create separate model that looks the same but without validations?
Seeing your post I can infer that you are interested in modifying the resource
Well to do this you should to use PATCH method instead of PUT.
In PUT you need to send the entire data since it is intended for replacing the resource which is not in the case of the PATCH.
Well in case of the PUT or PATCH we need to ensure that we have an existing resource. Hence before saving it is necessary that we get the original resource from the data store. Then we can modify it with the help of the validation rules on the Entity itself.
so your code should be like.
Considering you have a repository class named as
EmployeeRepository
#PutMapping("/org/employee/{id}")
public void updateEmployee(#RequestBody EmployeeDetailsModel empDetails, #PathVariable("id") int id) {
Optional<Employee> emp = employeeRepo.findById(id);
if (emp.isPresent()) {
// update the new values using setters
// Finally update the resource.
employeeService.updateUser(empDetails);
} else {
throw new ResourceNotFoundException("Your custom msg");
}
}
The repository code should be placed inside the service method ie updateUser but I have placed it here just for demonstration.
I have the below input class and when i trigger the api without 'interactionId' param in the input,
I expect validation error message "interactionId cannot be empty" but the validation passes through which i guess could be due to the fact that interactionId has a default value of 0.
Can someone pls. help to enforce this validation on the 'long' parameter when its not given in input?
with #NotEmpty for the customerId param, its working as expected. Using #NotEmpty for the long param "interactionId" is throwing a different error that #notempty cannot be used for long.
public class Input {
#NotEmpty(message = "customerId cannot be empty")
private String customerId;
#Valid
#NotNull(message = "interactionId cannot be empty")
private long interactionId;
// setters and getters
}
my controller class:
#RestController
public class Controller {
#PostMapping(value="/detailed-customer-transaction", produces =
MediaType.APPLICATION_JSON_VALUE)
#ResponseBody
public ResponseEntity<Object> detailTransactions(#Valid #RequestBody Input
params)
{
return new ResponseEntity<>(Dao.detailTransactions(params), HttpStatus.OK);
}
Above issues is resolved after changing to Long instead of long.
Query #2
I need another help. I have a String input param which takes date-time format in below format. Given its a string parameter, how can i validate for the pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
long should be Long, because long is a primary type in java, not an object, so Long is an object that can be checked whether it is null
this is one of my REST controller,
#RestController
#RequestMapping("/users/Ache")
public class Users {
#GetMapping
public User getUser() {
User user = new User();
return user;
}
}
As response, Spring boot will translate my Object to JSON,
this is response:
{
"username": "Ache",
"password": "eee",
"token": "W0wpuLAUQCwIH1r2ab85gWdJOiy2cp",
"email": null,
"birthday": null,
"createDatetime": "2019-03-15T01:39:11.000+0000",
"updateDatetime": null,
"phoneNumber": null
}
I want to remove password and token fields, How can I do?
I know two hard ways:
create a new hash map
and add some necessary fields, but it too complex
set those two fields to null
but it still leaves two null valued fields, it is too ugly.
Any better solution?
Spring leverages Jackson library for JSON marshalling by default. The easiest solution that comes to mind is making use of Jackson's #JsonIgnore but that would ignore the property on both serialization and de-serialization. So the right approach would be annotating the field with #JsonProperty(access = Access.WRITE_ONLY).
For instance, inside a hypothetical User class:
#JsonProperty(access = Access.WRITE_ONLY)
private String password;
#JsonProperty(access = Access.WRITE_ONLY)
private String token;
An alternative would be using #JsonIgnore only on the getter:
#JsonIgnore
public String getPassword() {
return this.password;
}
You can also create another class, for instance UserResponse with all the fields except password and token, and make it your return type. Of course it involves creating an object and populating it, but you leave your User class clean without Jackson annotations, and de-couples your model from your representation.
Keep the getter and setter but add the WRITE_ONLY JsonProperty. This way password validations will work when you use the entity as the request body.
#NotBlank
#JsonProperty(access = Access.WRITE_ONLY)
private String password;
I am trying to have a list in a model using #DBRef but I can't get it to work.
This is my User model:
#Data
#Document
public class User {
#Id
#JsonSerialize(using = ToStringSerializer.class)
private ObjectId id;
#Indexed(unique = true)
#NotBlank
private String email;
#NotBlank
private String name;
#NotBlank
private String password;
#DBRef
private List<Server> servers;
}
Server model:
#Data
#Document
public class Server {
#Id
#JsonSerialize(using = ToStringSerializer.class)
private ObjectId id;
#NotBlank
private String name;
#NotBlank
private String host;
}
The structure is very simple, every user can have multiple servers. But when I add servers to the user the server is created, but the servers array contains one null entry("servers" : [ null ]). So the server isn't added to the user. This is how I create a server and add it to an user:
#PostMapping
public Mono create(#Valid #RequestBody Server server, Mono<Authentication> authentication) {
return this.serverRepository.save(server).then(authentication.flatMap(value -> {
User user = (User) value.getDetails();
user.getServers().add(server);
return userRepository.save(user);
})).map(value -> server);
}
So I simply create and save a server, add the server the user and then save the user. But it doesn't work. I keep having an array with one null entry.
I've seen this page: http://www.baeldung.com/cascading-with-dbref-and-lifecycle-events-in-spring-data-mongodb. But it is for saving the child document, not for linking it. Also it is for a single document, not for an array or list.
Why is my list not being saved correctly?
All my libraries are coming from spring boot version 2.0.0.M6.
UPDATE
When removing #DBRef from the user's servers property the servers are getting saved, but they of course get double created, in the server collection and in every user.servers. So the error has something to do with references.
After some googling I found the answer...
https://jira.spring.io/browse/DATAMONGO-1583
https://jira.spring.io/browse/DATAMONGO-1584
Reactive mongo doesn't support this.
Actually there is a way to resolve DbRefs without to using the blocking driver. Yes - the references are resolved in a blocking fashion, but does not require a second connection. In order to achieve this we have to write our own DbRefResolver: NbDbRefResolver.java. In the provided resolver there is a flag: RESOLVE_DB_REFS_BY_ID_ONLY. If is switched on will not going to resolve the DbRefs from the database, but instead will resolve them to fake objects with id only. It is up to implementation to fill the references later in non-blocking fashion.
If the flag RESOLVE_DB_REFS_BY_ID_ONLY is set to false it will eagerly resolve the references by using the non-blocking driver, but will block the execution until the references are resolved.
Here is how to register the DbRefResolver in the app: DbConfig.kt
Files attached are provided here: https://jira.spring.io/browse/DATAMONGO-1584
Me did it like that for roles :
#Unwrapped(onEmpty = Unwrapped.OnEmpty.USE_NULL)
private Collection<Role> roles;
you can check the doc (2021) here : https://spring.io/blog/2021/04/20/what-s-new-in-spring-data-2021-0
I have such field in my domain model class validation constraints:
#Column(nullable = false, name = "name")
#NotEmpty(groups = {Envelope.Insert.class, Envelope.Update.class})
#Size(min = 3, max = 32)
private String name;
When this field is empty ("") or null, validator produces both "cannot be empty" and "size must be between..." error messages. I understand it, but when I show this validation error to the client, it seems quite odd (because when something is null / empty it cannot fulfill size requirement, it's not a logical).
Is there some way how to tell Spring to do validation in proper order? If is not #NotEmpty then do not check #Size, and when #NotEmpty is fulfilled check #Size.
According to Hibernate official document:
By default, constraints are evaluated in no particular order and this
regardless of which groups they belong to. In some situations,
however, it is useful to control the order of the constraints
evaluation. In order to implement such an order one would define a new
interface and annotate it with #GroupSequence defining the order in
which the groups have to be validated.
At first, create two interface FirstOrder.class and SecondOrder.class and then define a group sequence inside OrderedChecks.java using #GroupSequence annotation.
public interface FirstOrder {
}
public interface SecondOrder {
}
#GroupSequence({FirstOrder.class, SecondOrder.class})
public interface OrderedChecks {
}
Finally, add groups in your bean constraints annotations.
#Column(nullable = false, name = "name")
#NotEmpty(groups = {FirstOrder.class, Envelope.Insert.class, Envelope.Update.class})
#Size(min = 3, max = 32, groups=SecondOrder.class)
private String name;
The following example is taken from the JSR-303 docs
public class Address {
#NotEmpty(groups = Minimal.class)
#Size(max=50, groups=FirstStep.class)
private String street1;
#NotEmpty(groups=SecondStep.class)
private String city;
#NotEmpty(groups = {Minimal.class, SecondStep.class})
private String zipCode;
...
public interface FirstStep {}
public interface SecondStep {}
#GroupSequence({Firststep.class, SecondStep.class})
public interface Total {}
}
and calling the validator like this
validator.validate(address, Minimal.class, Total.class);