如何在 Spring Boot REST API 中启用对 JSON/Jackson @RequestBody 的严格验证? [英] How do I enable strict validation of JSON / Jackson @RequestBody in Spring Boot REST API?

问题描述

如果在 JSON 请求中指定了额外的参数，我该如何抛出错误?例如，xxx"不是有效参数或在 @RequestBody 对象中.

How do I throw an error if extra parameters are specified in the JSON request? For example, "xxx" is not a valid parameter or in the @RequestBody object.

$ curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"apiKey": "'$APIKEY'", "email": "name@example.com", "xxx": "yyy"}' 本地主机:8080/api/v2/stats

$ curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"apiKey": "'$APIKEY'", "email": "name@example.com", "xxx": "yyy"}' localhost:8080/api/v2/stats

我尝试将 @Validated 添加到界面，但没有帮助.

I tried adding @Validated to the interface, but it didn't help.

@RequestMapping(value = "/api/v2/stats", method = RequestMethod.POST, produces = "application/json")
public ResponseEntity<DataResponse> stats(Principal principal, @Validated @RequestBody ApiParams apiParams) throws ApiException;

我想启用严格"模式，以便在请求中存在额外的虚假参数时会出错.我找不到办法做到这一点.我找到了确保有效参数确实存在的方法，但没有办法确保没有额外的参数.

I would like to enable a 'strict' mode so that it will give an error if extra, spurious parameters exist in the request. I could find no way to do this. I found ways to ensure the valid parameters do exist, but no way to ensure there are not extra parameters.

public class ApiParams extends Keyable {

    @ApiModelProperty(notes = "email of user", required = true)
    String email;

<小时>

public abstract class Keyable {

    @ApiModelProperty(notes = "API key", required = true)
    @NotNull
    String apiKey;

Spring Boot 1.5.20

Spring Boot 1.5.20

推荐答案

在幕后，Spring 使用 Jackson 库将 POJO 序列化/反序列化为 JSON，反之亦然.默认情况下，框架用于执行此任务的 ObjectMapper 将其 FAIL_ON_UNKNOWN_PROPERTIES 设置为 false.

Behind the scene, Spring uses the Jackson library to serialize/deserialize POJO to JSON and vice versa. By default, the ObjectMapper that the framework uses to perform this task has its FAIL_ON_UNKNOWN_PROPERTIES set to false.

您可以通过在 application.properties 中设置以下配置值来全局打开此功能.

You can turn this feature on GLOBALLY by setting the following config value in application.properties.

spring.jackson.deserialization.fail-on-unknown-properties=true

或者，如果使用 YAML 格式，请将以下内容添加到您的 application.yaml(或 .yml)文件中:

Or if using YAML format, add the following to your application.yaml (or .yml) file):

spring:
  jackson:
    deserialization:
      fail-on-unknown-properties: true

随后，如果您想忽略特定 POJO 的未知属性，可以使用该 POJO 类中的注释 @JsonIgnoreProperties(ignoreUnknown=true).

Subsequently, if you want to ignore unknown properties for specific POJO, you can use the annotation @JsonIgnoreProperties(ignoreUnknown=true) in that POJO class.

不过，这可能意味着需要进行大量手动工作.从技术上讲，忽略那些意外数据并不违反任何软件开发原则.在某些情况下，您的 @Controller 前面可能有一个过滤器或 servlet，它在执行您不知道的其他操作，这些操作需要那些额外的数据.看起来值得付出努力吗?

Still, this could mean a lot of manual work going forward. Technically, ignoring those unexpected data doesn't violate any software development principles. There might be scenarios where there's a filter or servlet sitting in front of your @Controller doing additional stuff that you're not aware of which requires those extra data. Does it seem worth the effort?

这篇关于如何在 Spring Boot REST API 中启用对 JSON/Jackson @RequestBody 的严格验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！