Thread: restrict propagation of model attributes

  1. #1
    Join Date
    Feb 2013
    Posts
    2

    Hi all,

    Currently I am learning Spring MVC. Here is my situation...

    Let's say I have a model class like this:

    Code:
    class Person {
      private String firstname;
      private String surname;
      private Integer likesCount;
      // ...setters and getters
    }
    Then I have a controller to enable the user to change his name...

    Code:
    @Controller
    class PersonUpdateController {
      // Forward slash: "\p" is not a valid Java escape and is not a URL path
      @RequestMapping(value = "/person", method = RequestMethod.POST)
      public void update(@ModelAttribute("person") Person person /* , ... */) {
        // ...validation and save
      }
    }
    And finally I have a form...

    Code:
    <f:form action="person" method="post" modelAttribute="person">
      <f:input path="firstname"/>
      <f:input path="surname"/>
      <input type="submit"/>
    </f:form>
    When the user uses this form, he is able to post only firstname and surname to the backend. But technically it is also possible to send likesCount in the request, and that is a security issue. In the PHP framework Yii it is possible to specify which attributes should be propagated/saved to the backend by defining validation criteria on every model class. Is something like that possible in Spring? I think some kind of interceptor could do the trick? Or do you have some design pattern to solve this? Thank you.

  2. #2
    Join Date
    Jan 2013
    Posts
    11

    You can do it in your Controller as:
    Code:
    @Controller
    class PersonUpdateController {
      @RequestMapping(value = "/person", method = RequestMethod.POST)
      public void update(@ModelAttribute("person") Person person /* , ... */) {
        // Copy only the fields the form is meant to change; likesCount is never copied
        Person newPerson = new Person();
        newPerson.setFirstname(person.getFirstname());
        newPerson.setSurname(person.getSurname());
        // ...validation and save
      }
    }

  3. #3
    Join Date
    Feb 2013
    Posts
    2

    Thanks for the reply. I also got another useful hint here.
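
Spring MVC can enforce the restriction asked about in post #1 at binding time. The following is an added example, not code from any poster in the thread: it allow-lists the bindable properties of the thread's `Person` with `@InitBinder` and `WebDataBinder.setAllowedFields`, and its `main` method replays a constructed, tampered form post against the same binder setup. The accessor bodies, the redirect view name and the sample values are assumptions.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;
import java.util.Arrays;
import java.util.Map;

class Person { // the thread's model class, with its accessors written out
    private String firstname, surname;
    private Integer likesCount;
    public String getFirstname() { return firstname; }
    public void setFirstname(String v) { firstname = v; }
    public String getSurname() { return surname; }
    public void setSurname(String v) { surname = v; }
    public Integer getLikesCount() { return likesCount; }
    public void setLikesCount(Integer v) { likesCount = v; }
}

@Controller
class PersonUpdateController {
    // Allow-list: the only Person properties that request parameters may set.
    static final String[] EDITABLE = {"firstname", "surname"};

    @InitBinder("person") // applies to the "person" model attribute only
    public void restrictPersonBinding(WebDataBinder binder) {
        binder.setAllowedFields(EDITABLE);
    }

    @RequestMapping(value = "/person", method = RequestMethod.POST)
    public String update(@ModelAttribute("person") Person person, BindingResult result) {
        // Parameters outside the allow-list were dropped by the binder and recorded.
        if (result.getSuppressedFields().length > 0) {
            System.err.println("Dropped: " + Arrays.toString(result.getSuppressedFields()));
        }
        // ...validation and save
        return "redirect:/person"; // view name is an assumption
    }
    // Stand-alone run of the same binder setup on a constructed request, no container.
    public static void main(String[] args) {
        Person person = new Person();
        person.setLikesCount(3);
        WebDataBinder binder = new WebDataBinder(person, "person");
        new PersonUpdateController().restrictPersonBinding(binder);
        binder.bind(new MutablePropertyValues(Map.of( // constructed tampered POST
                "firstname", "Ann", "surname", "Lee", "likesCount", "9999")));
        System.out.println("likes=" + person.getLikesCount() + " dropped="
                + Arrays.toString(binder.getBindingResult().getSuppressedFields()));
    }
}
```

An allow-list fails closed when a new property is later added to `Person`, whereas `setDisallowedFields` would leave that new property bindable until someone remembers to list it.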
