Spring request handlers should not allow persistent objects (@Entity and @Document) to be passed through arguments.
Spring automatically binds request parameters to arguments of request handling methods annotated with @RequestMapping, @GetMapping, @PostMapping, etc.
Persistent objects, i.e. instances of classes annotated with @Entity or @Document, are modified by a persistence framework such as Hibernate.
Having persistent objects as arguments to request handling methods is dangerous because a malicious user can craft request parameters that bind straight onto the entity and bypass Spring's security mechanisms. Where this practice is followed, it may in some cases be possible to set columns of a table that the user was never meant to control (a mass-assignment problem).
    @Entity
    public class Book {}

    @Controller
    public class SomeController {
        private BookRepository bookRepository; // assumed to be injected by Spring

        @PostMapping
        public String saveBook(Book book) { // every request parameter is bound directly onto the entity
            bookRepository.save(book);
            return "redirect:/books";
        }
    }
Consider introducing a Data Transfer Object (DTO) as the handler argument and copying its fields onto the persistent object explicitly.
    public class BookDTO {}

    @Controller
    public class SomeController {
        private BookRepository bookRepository; // assumed to be injected by Spring

        @PostMapping
        public String saveBook(BookDTO bookDTO) { // only the DTO's fields can be bound from the request
            Book book = new Book();
            // ... map fields manually between `bookDTO` and `book`.
            bookRepository.save(book);
            return "redirect:/books";
        }
    }
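The following is an added illustration, not code from the original page, of why the DTO matters: the entity carries a moderator-only `approved` flag that a submitter must not be able to set. The entity, repository, `BookController`, `/books` path and field names are constructed for this example, and it assumes Spring Boot 3 with Jakarta Persistence.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Constructed entity: `approved` is set by a moderator, never by the submitter.
// Had `Book` been the handler argument, a request carrying `approved=true`
// would have been bound onto it and persisted as-is.
@Entity
class Book {
    @Id @GeneratedValue Long id;
    String title;
    String author;
    boolean approved = false;
}

interface BookRepository extends JpaRepository<Book, Long> {}

// The DTO exposes only the fields a submitter may supply. Spring binds through
// JavaBean setters, so a request parameter named `approved` has nothing to bind
// to and is ignored.
class BookDTO {
    private String title;
    private String author;
    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }
    public String getAuthor() { return author; }
    public void setAuthor(String author) { this.author = author; }
}

@Controller
public class BookController {
    private final BookRepository bookRepository;

    BookController(BookRepository bookRepository) { this.bookRepository = bookRepository; }

    @PostMapping("/books")
    public String saveBook(@ModelAttribute BookDTO dto) {
        Book book = new Book();
        book.title = dto.getTitle();   // copy field by field; `approved` keeps its default
        book.author = dto.getAuthor();
        bookRepository.save(book);
        return "redirect:/books";
    }
}
```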