Spring MVC + Hibernate:从浏览器部分更新模型 [英] Spring MVC + Hibernate: Partial model update from browser
问题描述
当只显示Spring MVC模型bean的一部分时,有没有办法在模型中更新从浏览器返回的内容?
假设我们有一个用户类(当然,这个例子中只有公有属性):
public class User {
public String名字;
public String lastName;
public String email;
public日期subscriptionExpiration;
$ / code> 现在我将前三个属性显示为JSP中的输入字段,并且希望相应地更新数据库中的对象。只有这3个参数应该更新,而不是第四个参数。一种完成此操作的方法是
pre $ @ $ c $ @RequestMapping(/ user / {userId},method = RequestMethod.POST)
public String saveChanges(@PathVariable userId,User user,Model model){
User oldUser = User.loadFromDB(userId);
oldUser.firstName = user.firstName;
oldUser.lastName = user.lastName;
oldUser.email = user.email;
oldUser.saveToDB();
model.addAttribute(user,oldUser);
}
但这意味着硬编码可能会改变的所有属性,太多了。
有什么方法可以根据用户允许更改的内容来确定要更新的字段吗?该机制应该比仅仅假设请求参数中的所有内容都可以更改更明智,否则任何精明的用户都可以手动将其他字段注入请求。
使用@Entity (dynamicUpdate = true)无法解决我眼中的问题,因为我没有将整个User对象返回到请求中,这样做会带来很多安全漏洞。
我是否在Spring中缺少一个很好的功能,或者有没有其他方法可以在概念上解决这个问题?任何提示都非常感谢!
请参阅知道如何使用@InitBinder来允许/阻止Spring绑定一些模型字段来请求参数。这允许确保 subscriptionExpiration 不能通过注入请求参数来修改。
请参阅文档,了解如何在方法和方法参数上使用@ModelAttribute注释从数据库中加载用户,并在调用@RequestMapping方法之前将其添加到模型中,并在@RequestMapping方法被调用时使用请求参数填充此用户。 RequestMapping方法被调用。这允许从DB获取用户,并让Spring使用来自请求的ne值填充它。您所要做的就是验证用户的新状态并将其保存到数据库。
When only displaying a part of a Spring MVC model bean, is there a way to only update in the model what comes back from the browser?
Let's say we have a User class (public properties only in this example, of course):
public class User {
public String firstName;
public String lastName;
public String email;
public Date subscriptionExpiration;
}
Now I display the first three properties as input fields in a JSP and want to update the object in the database accordingly. Only these 3 parameters should be updated, NOT the fourth one. One way to accomplish this would be
@RequestMapping("/user/{userId}", method=RequestMethod.POST)
public String saveChanges(@PathVariable userId, User user, Model model) {
User oldUser = User.loadFromDB(userId);
oldUser.firstName = user.firstName;
oldUser.lastName = user.lastName;
oldUser.email = user.email;
oldUser.saveToDB();
model.addAttribute("user", oldUser);
}
but this would mean hardcoding all properties that could change, which I don't like too much.
Is there any way to determine what fields to update based on what the user was allowed to change? That mechanism should be smarter than just assuming that everything that's in the request parameters may be changed, otherwise any savvy user could manually inject additional fields into a request.
Using @Entity(dynamicUpdate=true) does not solve the problem either in my eyes, as I'm not getting the whole User object back in the request, and doing so would open up many security holes.
Am I missing a nice feature in Spring or is there any other way to conceptually solve for this problem? Any hints are greatly appreciated!
See this question to know how to use @InitBinder to allow/prevent some model fields to be bound by Spring to request parameters. This allows making sure that the subscriptionExpiration can't be modified by injecting a request parameter.
And see the documentation for how to use the @ModelAttribute annotation on methods and on method arguments to load a user from the database and add it to the model before the @RequestMapping method is called, and to populate this user with request parameters when the @RequestMapping method is called. This allows getting a user from the DB and have Spring populate it with ne values coming from the request. All you have to do is validate the new state of the user and save it to the database.
这篇关于Spring MVC + Hibernate:从浏览器部分更新模型的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
