Avoid security loopholes using @JsonView

By Parul Dhingra (@paruldhingra), Software Engineer | Blogger | A brain ambidextrous geek | Machine Learning Enthusiast

Don’t expose more than you think needs exposing.

If a property on an object is internal to your business and of no use to the consumer, don't return it.

Sometimes you may like to reuse the same form class for receiving request data in multiple handlers/controllers. For example, say you have this UserForm for user registration:

[image: the UserForm class, including email and password fields]

where the user registration handler looks as below:

[image: the registration handler taking a UserForm]

Now, say you have another handler for updating users, looking as below:

[image: the update handler, also taking a UserForm]

Notice that the update handler binds the very same UserForm.

Consequently, a caller can send the update end-point fields it was never meant to accept (email and password), and they are bound into the form. This is a mass-assignment (over-posting) problem; the article calls it injection.

To prevent it, we can use the @JsonView annotation.

What is @JsonView and how to use it?

We can use @JsonView to limit or control which fields are serialized and deserialized for different views of the same class. To prevent the over-posting discussed above, first define an empty marker interface that names the view:

[image: the empty marker interface UpdateUser]

Then, in UserForm, annotate the fields you want to accept when updating with @JsonView(UpdateUser.class):

[image: UserForm with @JsonView(UpdateUser.class) on the updatable fields]

Finally, put the same annotation on the form parameter of the update handler:

[image: the update handler with @JsonView(UpdateUser.class) on its form parameter]

That's all you need: Jackson deserializes only the properties that belong to the active view and silently skips the rest. Two caveats are worth checking in your own project. First, @JsonView is a Jackson annotation, so it filters JSON request bodies only; form or query parameters bound by Spring's data binder are not affected. Second, a field that carries no @JsonView at all is included in every view unless MapperFeature.DEFAULT_VIEW_INCLUSION is disabled. Spring's Jackson2ObjectMapperBuilder (and therefore Spring Boot) disables it by default; a plain ObjectMapper does not.
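The procedure above, and the id/createdDate question raised in the conclusion, as an added example that is not code from the original article. It uses Jackson directly rather than a running Spring application so it can be compiled and executed on its own; the RegisterUser view, the id field, the bind helper and the constructed request body are assumptions made for the illustration, and the Spring handler signatures appear only as comments.

```java
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class JsonViewDemo {

    // Marker interfaces that name the two views of the form.
    public interface RegisterUser {}
    public interface UpdateUser {}

    // One form class shared by the register and update handlers.
    public static class UserForm {
        // Deliberately left without @JsonView (stands in for the id or
        // createdDate of a reused domain class); see the mapper setup below.
        public Long id;

        @JsonView({RegisterUser.class, UpdateUser.class})
        public String name;

        @JsonView(RegisterUser.class)
        public String email;

        @JsonView(RegisterUser.class)
        public String password;
    }

    // The corresponding Spring MVC signatures (assumed; shown as comments so
    // the example compiles with Jackson alone):
    //   @PostMapping("/users")
    //   User register(@JsonView(RegisterUser.class) @RequestBody UserForm form)
    //   @PutMapping("/users/{id}")
    //   User update(@PathVariable long id,
    //               @JsonView(UpdateUser.class) @RequestBody UserForm form)

    // DEFAULT_VIEW_INCLUSION is disabled so that a field with no @JsonView,
    // such as id, is excluded from every view. Spring's
    // Jackson2ObjectMapperBuilder does this already; a plain ObjectMapper
    // would accept id under both views.
    private static final ObjectMapper MAPPER = JsonMapper.builder()
            .disable(MapperFeature.DEFAULT_VIEW_INCLUSION)
            .build();

    // Deserialize a request body under a given view. Jackson skips, without
    // raising an error, every property that is not part of that view.
    static UserForm bind(Class<?> view, String json) throws Exception {
        return MAPPER.readerWithView(view)
                     .forType(UserForm.class)
                     .readValue(json);
    }

    public static void main(String[] args) throws Exception {
        // Constructed hostile body: an update request that also tries to
        // overwrite the email, the password and the record id.
        String body = "{\"id\":1,\"name\":\"Mallory\","
                    + "\"email\":\"admin@example.com\",\"password\":\"pwned\"}";

        UserForm update = bind(UpdateUser.class, body);
        System.out.println("update: name=" + update.name
                + " email=" + update.email
                + " password=" + update.password
                + " id=" + update.id);

        UserForm register = bind(RegisterUser.class, body);
        System.out.println("register: name=" + register.name
                + " email=" + register.email
                + " password=" + register.password
                + " id=" + register.id);
    }
}
```

Under the UpdateUser view only name is populated; email, password and id stay null even though the body supplied them. Under the RegisterUser view email and password are accepted, which is the intended behaviour for registration, while id is still null because it belongs to no view. Re-run the example with the disable(...) line removed to see the second caveat: id is then bound under both views.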

Conclusion:

This matters most when you reuse domain classes as forms. If you bind a User entity straight from the request and save it to the database as-is, an attacker can set fields that were never meant to come from the client.

When registering, what if a malicious user adds an id or a createdDate field to the request, so that the supplied value is stored instead of the auto-generated one?

Take a few minutes and ponder the question before you jump to a conclusion.

I hope you learned something from this article.

Thanks for reading, and happy coding! Do share your feedback and suggestions in the comments section below.
