Win a copy of Head First Go this week in the Go forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Bear Bibeault
  • Paul Clapham
  • Jeanne Boyarsky
Sheriffs:
  • Devaka Cooray
  • Junilu Lacar
  • Tim Cooke
Saloon Keepers:
  • Tim Moores
  • Ron McLeod
  • Tim Holloway
  • Claude Moore
  • Stephan van Hulst
Bartenders:
  • Winston Gutkowski
  • Carey Brown
  • Frits Walraven

Spring Boot - spring (jackson?) doesn't recongnize interface?  RSS feed

 
Greenhorn
Posts: 19
Java jQuery PHP
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hey! I have a very simple interface, as seen below. The point of this interface is to construct the base properties of a user, excluding any private information such as passwords and email.


Then I have my User entity class. This class implements the IUser, and introduces further properties such as passwords and email. This data is only to be viewed by the user themselves, and not other users.


Then I have my controller for /users/{user_id}, which other users can access. This is supposed to view only information in "IUser", but instead, it shows all the properties in "User" as well, which is bad for security. Note that I have enabled Web Support, so Spring automatically takes the user id provided and finds the user in the database.



It also does not show followers or following? Thanks for any help!

Staff note (Paul Clapham):

E-mail address redacted as per Marius's request.

 
Marius Richardsen
Greenhorn
Posts: 19
Java jQuery PHP
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Nobody???
 
Sheriff
Posts: 21653
101
Chrome Eclipse IDE Java Spring Ubuntu VI Editor Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Please show some patience. Not everybody has a lot of time on their free Sundays. Also, please don't use any foul language in the future.

About your problem, I think this is something that some libraries (including Jackson) automatically do - they don't look at the declared type, but the actual type. They will therefore include any public property (either field or method based) that's not ignored. And that's where you should seek your solution - in ignoring properties.

I think in this case the easiest is to ignore everything by default, and only expose what you want. That means:
* Annotate your class with @JsonAutoDetect and set all visibility settings to Visibility.NONE.
* Use @JsonProperty on the fields, getters and setters you do want exposed.
 
Marius Richardsen
Greenhorn
Posts: 19
Java jQuery PHP
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Rob Spoor wrote:Please show some patience. Not everybody has a lot of time on their free Sundays. Also, please don't use any foul language in the future.

About your problem, I think this is something that some libraries (including Jackson) automatically do - they don't look at the declared type, but the actual type. They will therefore include any public property (either field or method based) that's not ignored. And that's where you should seek your solution - in ignoring properties.

I think in this case the easiest is to ignore everything by default, and only expose what you want. That means:
* Annotate your class with @JsonAutoDetect and set all visibility settings to Visibility.NONE.
* Use @JsonProperty on the fields, getters and setters you do want exposed.



Apologies. Now, your solution does work, however, it is not ideal in my situation. Because I have another endpoint: GET /users, which uses the authentication token sent in the header to determine current user, and then displays them. In this case, the User is only viewing their own information, and it should then also show private data such as email, which would then be ignored with your solution. Is there no other way other than creating wrapper objects that take each other as the parameter, and then only copies over some fields?
 
Rob Spoor
Sheriff
Posts: 21653
101
Chrome Eclipse IDE Java Spring Ubuntu VI Editor Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
There is one way I can think of: use MOXy instead of Jackson. That uses the declared type to do its mapping, not the actual type. I wouldn't want to use that myself though.

I've worked with MOXy when we were still using WebLogic (where it's the default JSON mapper), and due to some MOXy custom code we had we kept it when migrating to Spring Boot. It's not great though - if you want to use Spring MVC you need to build a bridge, because MOXy is built for JAX-RS. Its performance compared to Jackson or GSON is also pretty poor.

I'd do the simple thing - create a DTO or wrapper class for returning only the bare information.
 
Marius Richardsen
Greenhorn
Posts: 19
Java jQuery PHP
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Rob Spoor wrote:There is one way I can think of: use MOXy instead of Jackson. That uses the declared type to do its mapping, not the actual type. I wouldn't want to use that myself though.

I've worked with MOXy when we were still using WebLogic (where it's the default JSON mapper), and due to some MOXy custom code we had we kept it when migrating to Spring Boot. It's not great though - if you want to use Spring MVC you need to build a bridge, because MOXy is built for JAX-RS. Its performance compared to Jackson or GSON is also pretty poor.

I'd do the simple thing - create a DTO or wrapper class for returning only the bare information.



Thank you. Seems like I will have to use DTO or wrapper class then.
 
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!