1

Spring MVC request mapping search for the closest match on parameters. We've just run into a good example today why this current implementation is problematic. we have 2 functions:

@RequestMapping(method = Array[RequestMethod](RequestMethod.DELETE), params = Array[String]("lastName", "firstName"), produces = Array[String]("application/json"))
def deletePersons1(request: HttpServletRequest, @RequestParam("lastName") lastName: String, @RequestParam("firstName") acref: String)
@RequestMapping(method = Array[RequestMethod](RequestMethod.DELETE), params = Array[String]("lastName", "birthDate"), produces = Array[String]("application/json"))
def deletePersons2(request: HttpServletRequest, @RequestParam("lastName") lastName: String, @RequestParam("birthDate") birthDate: Date)

The http request is:

DELETE http://host:port/deletePersons?lastName=smith&firstName=john&birthDate=08-10-2015

Users wanted to delete only Smith,John and also thought they could add a birth date. But since the first function doesn't get the date and the user made a mistake and put there a date then, in our case, the second function was used since it was the closest to match. still I don't know why the second and not the first.

The result was that all people with last name Smith that where born at... were deleted.

This is a real problem! because we only wanted to delete a specific person but end up with deleting many others.

Is there any solution for that?

Aniket Kulkarni
  • 12,825
  • 9
  • 67
  • 90
igreenfield
  • 1,618
  • 19
  • 36

1 Answers1

1

Update:

The problem came from the fact that there were overlapping variables between your functions and users attempted to use a mix of them. To ensure that this specific problem will not reccurr you can explicitly state that you do not want to accept requests that contain certain extra variables for (when that parameter is not needed). For example the example problem above can be solved by changing the second definition from (note the !firstName param):

@RequestMapping(method = Array[RequestMethod](RequestMethod.DELETE), params = Array[String]("lastName", "birthDate"), produces = Array[String]("application/json"))
def deletePersons2(request: HttpServletRequest, @RequestParam("lastName") lastName: String, @RequestParam("birthDate") birthDate: Date)

to:

@RequestMapping(method = Array[RequestMethod](RequestMethod.DELETE), params = Array[String]("!firstName", "lastName", "birthDate"), produces = Array[String]("application/json"))
def deletePersons2(request: HttpServletRequest, @RequestParam("lastName") lastName: String, @RequestParam("birthDate") birthDate: Date)
Gergely Bacso
  • 14,243
  • 2
  • 44
  • 64
  • thanks for the typo fix, but this was only typo in my question not in the real scenario. – igreenfield Sep 07 '15 at 18:09
  • You are right about that, but what if the overlapping is more complicated, more permutations. I will need to write all the unwanted params? Isn't it would be great if spring let me say I want to much only this parameters? – igreenfield Sep 08 '15 at 15:43
  • 1
    I think there is no standard way to switch of this intelligent request-mapping logic. The closest I found is this topic: http://stackoverflow.com/questions/31364657/can-spring-mvc-strictly-map-query-strings-to-request-parameters – Gergely Bacso Sep 09 '15 at 16:28
  • What do you think about this [Jira ticket](https://jira.spring.io/browse/SPR-13122) – igreenfield Sep 09 '15 at 17:52