Hi,
I'm starting to play around with SpringMVC and I was trying to figure out what would be the best approach to link my entities to the web views as stateless as possible.
One way I've found is to use the @ModelAttribute on a method that receives the entity ID as a parameter (from the request), finds the entity through the service/persistence layer, and returns it so it is inserted into the Model of the current request.
In addition, Spring MVC binds any incoming parameter that matches a field of my entity and updates its value automatically (through the WebDataBinder object).
My question concerns this last behaviour. I find it useful that my entity gets updated when some data has been posted by the client. But I would like to avoid it on a simple GET request (which I see as read-only). The current behaviour would allow the entity to be updated by adding a parameter to the query of such a request, which could be a security issue.
I know about the dataBinder.setAllowedFields() and stuff but I would prefer a way to disable any kind of field mapping on any GET request. Is there any way to do it?
Here's a sample prototype to make it clearer what I am looking for...
Thanks!

Code:
@ModelAttribute
Entity retrieveEntity(@RequestParam(required=true) Long id) {
    // This is called before the request handler and before parameters are mapped to the entity
    return entityRepository.get(id);
}

@RequestMapping(value="/modify", method=RequestMethod.POST)
public ModelAndView handleModifyRequest(@ModelAttribute Entity entity) {
    // Here, I want my entity to reflect the parameters passed in the posted form (this works)
    ....
}

@RequestMapping(value="/read", method=RequestMethod.GET)
public ModelAndView handleReadRequest(@ModelAttribute Entity entity) {
    // Here, I DON'T want my entity to reflect the parameters passed in the URL (which is what happens...)
    ....
}


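One way to get the behaviour asked about above, shown as an added example that is not part of the original post: an @InitBinder method that inspects the HTTP method and disallows every field unless the request is a POST. The `Entity` fields, the `EntityRepository` interface, the constructor and the view names are hypothetical stand-ins for the poster's own classes.

```java
import javax.servlet.http.HttpServletRequest; // jakarta.servlet.http on Spring 6+
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class EntityController {

    // Hypothetical stand-ins for the entity and repository in the post.
    public static class Entity {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }
    public interface EntityRepository { Entity get(Long id); }

    private final EntityRepository entityRepository;

    public EntityController(EntityRepository entityRepository) {
        this.entityRepository = entityRepository;
    }

    // Loads the entity into the model before the handler runs.
    @ModelAttribute
    Entity retrieveEntity(@RequestParam(required = true) Long id) {
        return entityRepository.get(id);
    }

    // Called for each data binder this controller creates, before binding.
    // The "*" pattern matches every property, so nothing in the query string
    // of a GET (or any other non-POST request) is copied onto the entity.
    @InitBinder
    void restrictBinding(WebDataBinder binder, HttpServletRequest request) {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            binder.setDisallowedFields("*");
        }
    }

    @RequestMapping(value = "/modify", method = RequestMethod.POST)
    public ModelAndView handleModifyRequest(@ModelAttribute Entity entity) {
        return new ModelAndView("modified", "entity", entity); // form fields applied
    }

    @RequestMapping(value = "/read", method = RequestMethod.GET)
    public ModelAndView handleReadRequest(@ModelAttribute Entity entity) {
        return new ModelAndView("read", "entity", entity); // state as loaded
    }
}
```

On Spring 4.3 and later, `@ModelAttribute(binding = false)` on the handler parameter turns binding off for a single handler instead of for the whole controller.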
