Don’t expose more than you think needs exposing. If a certain property on an object is not useful to a consumer and internal to your business, then don’t return it. Sometimes you may like to reuse the same form class for receiving request data in multiple handlers/controllers. For example, say you have this for user registration: UserForm where the user registration handler looks as below: Now, say you have another handler for users, looking as below: updating Noticed the same above? userForm Consequently, someone can call the end-point with the unrequired fields(i.e. email & password), thus injecting those into your form! So to prevent it, we can use annotation. @JsonView What is @JsonView and how to use it? We can use @JsonView to limit or control fields display for different users. To prevent injection discussed above, first define a marker interface as below: Then, in annotate with the fields you want to receive when updating: userForm, @JsonView(UpdateUser.class) Finally, use the same annotation in the handler, as below: That’s all you need to prevent the injection. Conclusion: This is very useful particularly when you are reusing the domain classes as forms. For example, if you reuse a User domain class as the form and then save it straight to the database, you can get hacked. When registering, what if a malicious user adds an id or a createdDate field, which gets injected instead of auto-generated? Take a few minutes and ponder the question before you jump to a conclusion. I hope you learned something from this article. Thanks for reading, and happy coding!. Do share your feedback and suggestions in the comments section below.

Avoid security loopholes using @JsonView

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

The Guide To Core Redux Concepts

The Noonification: Reduce Javascript: Master the Basics (1/11/2023)

The Noonification: Satoshi Might Be a Bitcoin ETF Skeptic (1/13/2024)

The Noonification: Small Puddle of Freedom (11/25/2022)

The Noonification: How to Use AI for Your B2B Marketing (11/11/2022)

105 Stories To Learn About Functional Programming

The Guide To Core Redux Concepts

The Noonification: Reduce Javascript: Master the Basics (1/11/2023)

The Noonification: Satoshi Might Be a Bitcoin ETF Skeptic (1/13/2024)

The Noonification: Small Puddle of Freedom (11/25/2022)

The Noonification: How to Use AI for Your B2B Marketing (11/11/2022)

105 Stories To Learn About Functional Programming

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps