Data binding of type of Date Class. "2010/01/02" binds correctly, but "2010-01-02" does not - spring

I found that, by default, when I am using Spring MVC, "2010/01/02" binds correctly, but "2010-01-02" does not.
I know Spring has some useful binding mechanisms like initBinder. However, in this question I want to know where the rule is defined. Does anyone know, for example, RFC documents of HTTP or Spring references?

It's just coincidence.
Spring MVC can implicitly convert input parameters to model objects via their single-argument constructor that takes String (if model objects have such constructors). Date has this constructor, though it's deprecated, so this behaviour is determined by the behaviour of that constructor.
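The conversion path described in this answer can be reproduced with the JDK alone. The following is an added example, not code from the original post or from Spring: `convert` is a simplified mimic of the String-constructor fallback, and `bindsAsIsoDate` shows an explicit single-format parse for comparison. Class and method names are made up for the illustration.

```java
import java.lang.reflect.Constructor;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.Date;

public class StringConstructorBinding {

    // Simplified mimic of the fallback the answer describes: find a public
    // single-argument constructor taking String and call it with the raw value.
    static <T> T convert(Class<T> type, String raw) throws ReflectiveOperationException {
        Constructor<T> ctor = type.getConstructor(String.class);
        return ctor.newInstance(raw);
    }

    // True when the constructor-based conversion accepts the text. A rejection
    // by the constructor surfaces as InvocationTargetException, a subclass of
    // ReflectiveOperationException.
    static boolean bindsViaConstructor(Class<?> type, String raw) {
        try {
            convert(type, raw);
            return true;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    // Explicit alternative: one declared format, everything else is rejected.
    static boolean bindsAsIsoDate(String raw) {
        try {
            LocalDate.parse(raw, DateTimeFormatter.ISO_LOCAL_DATE);
            return true;
        } catch (DateTimeParseException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The two inputs from the question.
        for (String raw : new String[] {"2010/01/02", "2010-01-02"}) {
            System.out.printf("%-12s Date(String)=%-5b ISO_LOCAL_DATE=%b%n",
                    raw, bindsViaConstructor(Date.class, raw), bindsAsIsoDate(raw));
        }
    }
}
```

Declaring the accepted format explicitly keeps the set of accepted inputs independent of the lenient parsing rules of the deprecated `Date(String)` constructor.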

Related

How to avoid the vulnerability created by using entities at a requestMapping method?

I have a controller with a method like
    @PostMapping(value="/{reader}")
    public String addToReadingList(@PathVariable("reader") String reader, Book book) {
        book.setReader(reader);
        readingListRepository.save(book);
        return "redirect:/readingList/{reader}";
    }
When I run a static code analysis with Sonarqube I get a vulnerability report stating that
Replace this persistent entity with a simple POJO or DTO object
But if I use a DTO (which has exactly the same fields as the entity class), then I get another error:
1 duplicated blocks of code must be removed
What should be the right solution?
Thanks in advance.
Enric
You should build a new separate class which represents your Entity ("Book") as a Plain Old Java Object (POJO) or Data Transfer Object (DTO). If you use JSF or another stateful technology, this rule is important. If your entity is stateful there might be open JPA sessions etc. which may modify your database (e.g. if you call a setter in JSF on a stateful bean).
For my projects I ignore this Sonar rule because of two reasons:
I always use REST, and REST will map my Java class into JSON, which can be seen as a DTO.
REST is stateless (no server session), so no database transaction will be open after the transformation to JSON.
Information obtained from sonarsource official documentation.
On one side, Spring MVC automatically bind request parameters to beans
declared as arguments of methods annotated with @RequestMapping.
Because of this automatic binding feature, it’s possible to feed some
unexpected fields on the arguments of the @RequestMapping annotated
methods.
On the other end, persistent objects (@Entity or @Document) are linked
to the underlying database and updated automatically by a persistence
framework, such as Hibernate, JPA or Spring Data MongoDB.
These two facts combined together can lead to malicious attack: if a
persistent object is used as an argument of a method annotated with
@RequestMapping, it’s possible from a specially crafted user input, to
change the content of unexpected fields into the database.
For this reason, using @Entity or @Document objects as arguments of
methods annotated with @RequestMapping should be avoided.
In addition to @RequestMapping, this rule also considers the
annotations introduced in Spring Framework 4.3: @GetMapping,
@PostMapping, @PutMapping, @DeleteMapping, @PatchMapping.
See More Here
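One way to apply the rule quoted above to the question's handler, as an added example that is not from the original posts or from SonarSource: the request is bound to a form class that has setters only for user-editable fields, and the entity is populated on the server. `BookForm`, the `title`/`author` fields, and the shapes of `Book` and `ReadingListRepository` are assumptions, since the page does not show them; the code compiles against spring-web and spring-context.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

// Assumed stand-ins for the question's types, which the page does not show.
class Book {                        // carries @Entity in the real project
    private Long id;                // server-controlled, never taken from the request
    private String reader;          // server-controlled, set from the path variable
    private String title, author;   // the user-editable fields (assumption)
    public void setReader(String r) { reader = r; }
    public void setTitle(String t)  { title = t; }
    public void setAuthor(String a) { author = a; }
}

interface ReadingListRepository { Book save(Book book); }

// Binding target: exposes setters only for what the form may legitimately send.
class BookForm {
    private String title, author;
    public String getTitle()  { return title; }
    public String getAuthor() { return author; }
    public void setTitle(String t)  { title = t; }
    public void setAuthor(String a) { author = a; }
}

@Controller
class ReadingListController {
    private final ReadingListRepository readingListRepository;

    ReadingListController(ReadingListRepository repo) { this.readingListRepository = repo; }

    @PostMapping("/{reader}")
    public String addToReadingList(@PathVariable("reader") String reader,
                                   @ModelAttribute BookForm form) {
        // Extra parameters such as id=... have no matching property on BookForm,
        // so the data binder ignores them and they never reach the entity.
        Book book = new Book();
        book.setReader(reader);
        book.setTitle(form.getTitle());
        book.setAuthor(form.getAuthor());
        readingListRepository.save(book);
        return "redirect:/readingList/{reader}";
    }
}
```

Where a separate class is not wanted, `WebDataBinder.setAllowedFields(...)` in an `@InitBinder` method restricts binding to a named set of properties instead.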

Can i access request parameter in jackson BeanSerializerModifier?

I am using Jersey to implement rest api and Jackson to provide JSON support. I am trying to remove certain properties before serialization by overriding BeanSerializerModifier.changeProperties method.
But removing properties will be based on query parameter. Is there any way to access the query parameter in my implementation?
Use of BeanSerializerModifier itself would get complicated, as the method is only called once when constructing the necessary JsonSerializer for the first time. As to passing query parameters, you could pass them using contextual attributes and ObjectWriter (constructed from ObjectMapper), but that means taking over quite a bit of serialization automation from Jersey.
There is one mechanism that could be helpful in modifying serialization aspects without taking over the whole process: registering ObjectWriterModifier, using ObjectWriterInjector. These are part of the Jackson JAX-RS provider, added in Jackson 2.3. Without knowing more details I don't know how easy this would be; part of the issue is that query parameters are more of an input-side thing, so there is no direct access to them from the output processing side.

Spring controller declaration

I am wondering what are the requirements for a method (or a class) to be labeled with @Controller? As for input arguments, the Spring tutorial seems to indicate that methods can sometimes take in nothing and sometimes take in a Model object:
http://blog.springsource.com/2011/01/04/green-beans-getting-started-with-spring-mvc/
And this:
Spring MVC Controllers Return Type
seems to indicate that the return type can be a String or a ModelAndView. I tried to look that up in the official documentation but couldn't find much info. I presume there must be some requirements. Any pointers?
In Spring, a class is marked as @Controller, and methods are marked as @RequestMapping, handling specific requests based on parameter, URL path, Accept header, etc.
Spring MVC is highly flexible and allows you to have many return types; see the Spring reference, "Supported method return types" section on the same page.
Also spring-mvc-3-showcase blog

Polymorphic Form Binding in Spring MVC

Is it possible to give Spring MVC's form binding some kind of type hint to indicate what class to instantiate and populate with form data?
I've got some quite unusual requirements to try and build a dynamic form, that represents a collection of different objects. The user can add objects from a selection of types to this collection, and then set the properties for that object type using form elements. I can figure out how to create the form using jQuery, but I'm not sure how to get Spring to handle a load of POST data when it won't know what types to bind to in advance.
One way that I can think of doing this is to write your own custom HandlerMethodArgumentResolver, which is responsible for translating the request into the argument values of the controller methods. You should be able to create a custom annotation that will indicate to Spring MVC that your custom handler method argument resolver will be resolving the specific annotated method arguments (say @CustomType Object argument).
Once the call comes into the handler resolver, you can probably determine the type that the json request should map to, and call the json mapper with the actual type.
You can register a custom argument resolver this way:
    <annotation-driven>
        <argument-resolvers>
            <beans:bean class="..CustomArgumentResolver"/>
        </argument-resolvers>
    </annotation-driven>
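A sketch of the resolver this answer describes, as an added example that is not the answerer's code. It treats the client-supplied type hint as a lookup key into a fixed table, so request data cannot name an arbitrary class to instantiate. The `type` request parameter, `TextItem` and `ImageItem` are hypothetical; the code assumes Java 9+, Jackson, and the `javax.servlet` API (`jakarta.servlet` on Spring 6).

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import java.lang.annotation.*;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.core.MethodParameter;
import org.springframework.web.bind.support.WebDataBinderFactory;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.method.support.ModelAndViewContainer;

@Target(ElementType.PARAMETER)
@Retention(RetentionPolicy.RUNTIME)
@interface CustomType {}

// Hypothetical object types the dynamic form may contain.
class TextItem  { public String label; public String text; }
class ImageItem { public String label; public String url; }

class CustomArgumentResolver implements HandlerMethodArgumentResolver {
    // The hint selects from this table; it is never passed to Class.forName.
    private static final Map<String, Class<?>> ALLOWED =
            Map.of("text", TextItem.class, "image", ImageItem.class);
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public boolean supportsParameter(MethodParameter parameter) {
        return parameter.hasParameterAnnotation(CustomType.class);
    }

    @Override
    public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer,
                                  NativeWebRequest webRequest, WebDataBinderFactory binderFactory)
            throws Exception {
        String hint = webRequest.getParameter("type");   // hypothetical parameter name
        // Map.of(...) rejects null keys, so check the hint before the lookup.
        Class<?> target = (hint == null) ? null : ALLOWED.get(hint);
        if (target == null) {
            throw new IllegalArgumentException("unsupported type hint");
        }
        HttpServletRequest request = webRequest.getNativeRequest(HttpServletRequest.class);
        return mapper.readValue(request.getInputStream(), target);
    }
}
```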

How can I bind fieldName_1, fieldName_2 to a list in spring mvc

I'm trying to convert a Struts 1 application to Spring MVC 3.0. We have a form with quite a few parameters, most of which were automatically bound in Struts. However, there were a number of fields in the format fieldName_# where # is a number that we manually bound by looping through the request.
I'm looking for a tidier way to do this in Spring mvc, but don't know where to start.
Ideally we should have them as fieldName[#] and it would be easier, but we cannot change this and have to keep the fieldName_# format. Also the number of these fields that are sent in the request are unknown.
One way to achieve this is by wrapping the servletRequest and implementing getParameter (and associated methods) in such a way that parameters with the name fieldName_# are returned as fieldName[#]. A servletFilter would be one option to wrap the request.
