如何在 Spring Boot REST API 中启用对 JSON/Jackson @RequestBody 的严格验证? [英] How do I enable strict validation of JSON / Jackson @RequestBody in Spring Boot REST API?
问题描述
如果在 JSON 请求中指定了额外的参数,我该如何抛出错误?例如,xxx"不是有效参数或在 @RequestBody
对象中.
How do I throw an error if extra parameters are specified in the JSON request? For example, "xxx" is not a valid parameter or in the @RequestBody
object.
$ curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"apiKey": "'$APIKEY'", "email": "name@example.com", "xxx": "yyy"}' 本地主机:8080/api/v2/stats
$ curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"apiKey": "'$APIKEY'", "email": "name@example.com", "xxx": "yyy"}' localhost:8080/api/v2/stats
我尝试将 @Validated
添加到界面,但没有帮助.
I tried adding @Validated
to the interface, but it didn't help.
@RequestMapping(value = "/api/v2/stats", method = RequestMethod.POST, produces = "application/json")
public ResponseEntity<DataResponse> stats(Principal principal, @Validated @RequestBody ApiParams apiParams) throws ApiException;
我想启用严格"模式,以便在请求中存在额外的虚假参数时会出错.我找不到办法做到这一点.我找到了确保有效参数确实存在的方法,但没有办法确保没有额外的参数.
I would like to enable a 'strict' mode so that it will give an error if extra, spurious parameters exist in the request. I could find no way to do this. I found ways to ensure the valid parameters do exist, but no way to ensure there are not extra parameters.
public class ApiParams extends Keyable {
@ApiModelProperty(notes = "email of user", required = true)
String email;
<小时>
public abstract class Keyable {
@ApiModelProperty(notes = "API key", required = true)
@NotNull
String apiKey;
Spring Boot 1.5.20
Spring Boot 1.5.20
推荐答案
在幕后,Spring 使用 Jackson 库将 POJO 序列化/反序列化为 JSON,反之亦然.默认情况下,框架用于执行此任务的 ObjectMapper
将其 FAIL_ON_UNKNOWN_PROPERTIES
设置为 false
.
Behind the scene, Spring uses the Jackson library to serialize/deserialize POJO to JSON and vice versa. By default, the ObjectMapper
that the framework uses to perform this task has its FAIL_ON_UNKNOWN_PROPERTIES
set to false
.
您可以通过在 application.properties
中设置以下配置值来全局打开此功能.
You can turn this feature on GLOBALLY by setting the following config value in application.properties
.
spring.jackson.deserialization.fail-on-unknown-properties=true
或者,如果使用 YAML 格式,请将以下内容添加到您的 application.yaml
(或 .yml
)文件中:
Or if using YAML format, add the following to your application.yaml
(or .yml
) file):
spring:
jackson:
deserialization:
fail-on-unknown-properties: true
随后,如果您想忽略特定 POJO 的未知属性,可以使用该 POJO 类中的注释 @JsonIgnoreProperties(ignoreUnknown=true)
.
Subsequently, if you want to ignore unknown properties for specific POJO, you can use the annotation @JsonIgnoreProperties(ignoreUnknown=true)
in that POJO class.
不过,这可能意味着需要进行大量手动工作.从技术上讲,忽略那些意外数据并不违反任何软件开发原则.在某些情况下,您的 @Controller
前面可能有一个过滤器或 servlet,它在执行您不知道的其他操作,这些操作需要那些额外的数据.看起来值得付出努力吗?
Still, this could mean a lot of manual work going forward. Technically, ignoring those unexpected data doesn't violate any software development principles. There might be scenarios where there's a filter or servlet sitting in front of your @Controller
doing additional stuff that you're not aware of which requires those extra data. Does it seem worth the effort?
这篇关于如何在 Spring Boot REST API 中启用对 JSON/Jackson @RequestBody 的严格验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!