
It's been suggested that an object Id should not be sent to the view in a hidden Id tag, because a malicious user could edit the source HTML and submit (post) the data back to the wrong record, and that a better way is to store the object in a session variable until it returns.

I have read this SO answer but it didn't help me in terms of this question.

I have a DTO OccurencePerson which stores details of the occurrence and a collection of people. The form controller is set up like this:

import javax.servlet.http.HttpSession;
import javax.validation.Valid;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.bind.support.SessionStatus;

// CLASS
@Controller
@SessionAttributes(value = { "user", "occViewModel" }) // must name the same attribute the handlers use ("occViewModel", not "occModelView")
public class FormController {

    @Autowired private OccurenceRepository occurenceRepository;
    @Autowired private OccPersonRepository occPersonRepository;
    @Autowired private OccService occService;

    // GET HANDLER
    @GetMapping("/occurence/{occno}") // the template variable must match the @PathVariable parameter name
    public String findOcc(@PathVariable String occno,
                          @ModelAttribute("occViewModel") OccViewModel occViewModel,
                          Model model, HttpSession session, SessionStatus sessionStatus) {

        Occurence occ = occurenceRepository.findByoccno(occno);
        occViewModel.setOccurence(occ);
        occViewModel.setPersons(occPersonRepository.findOccPersonByEpisode(occ.getId()));

        model.addAttribute("occViewModel", occViewModel);   // @SessionAttributes keeps this in the session between requests
        session.setAttribute("occViewModel", occViewModel); // redundant once the attribute is listed in @SessionAttributes
        return "occurence";
    }

    // POST HANDLER
    @PostMapping("newOccurence")
    public String episodeSubmit(@Valid @ModelAttribute OccViewModel occViewModel, BindingResult result) {
        if (result.hasErrors()) {
            return "occurence"; // binding/validation errors are available via result.getAllErrors()
        } else {
            occService.saveNewOccurence(occViewModel.getOccurence(), occViewModel.getPersons());
            return "redirect:/dash";
        }
    }
}

How would you use session variables to return an object from Hibernate and then return that object to Hibernate such that it doesn't create a new object?

As it stands at the moment, if I remove the hidden tags in the HTML which store the occurrence id and persons id and submit the data back, it creates a new occurrence/persons.

Al Grant
    A few notes: 1. You could use "merge()" instead of save/persist to update values of an existing object. 2. IMHO it is ok to use object ids in the view, the system must authorize access anyway 3. just an idea - JSF uses encrypted and signed view state to pass the view model between requests. – gusto2 Sep 04 '17 at 12:07
  • Are your relationships annotated correctly in JPA? Can you post what is inside occService.saveNewOccurence(), because I think you are attaching the objects into the Hibernate sessions. – aksappy Sep 05 '17 at 17:41

1 Answer


You would store the Id in the view model - but not expose it on the page -

OccViewModel occViewModel - This is your DTO populated from findOcc, so would have attributes -

  • Id
  • Other values

You then have a mapping of your DTO to the JPA object

The fact that the OccViewModel is stored in session and contains the ID means you can re-find the JPA model to ensure it hasn't been updated elsewhere.

farrellmr
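An added example (not code from the question or the answer) showing the answer's approach in Spring MVC: the record id lives only in the session-held view model, the form never renders it, and the POST handler re-loads the entity by that id before copying the submitted fields onto it. OccViewModel, Occurence, OccurenceRepository, the description field and the URLs are assumed names, and the @InitBinder line covers the caveat that request parameters are otherwise bound over the session copy.

```java
import javax.validation.Valid;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.bind.support.SessionStatus;

@Controller
@SessionAttributes("occViewModel") // must match the @ModelAttribute name used below
public class OccurenceEditController { // hypothetical; repository and DTO names are assumptions
    private final OccurenceRepository occurenceRepository;

    public OccurenceEditController(OccurenceRepository occurenceRepository) {
        this.occurenceRepository = occurenceRepository;
    }

    @InitBinder("occViewModel")
    public void initBinder(WebDataBinder binder) {
        // Request parameters are bound over the session copy, so a posted
        // occurenceId=... field would otherwise overwrite the id stored server-side.
        binder.setDisallowedFields("occurenceId");
    }

    @GetMapping("/occurence/{occno}")
    public String findOcc(@PathVariable String occno, Model model) {
        Occurence occ = occurenceRepository.findByOccno(occno);
        OccViewModel vm = new OccViewModel();
        vm.setOccurenceId(occ.getId());          // held in the session only; the template never renders it
        vm.setDescription(occ.getDescription());
        model.addAttribute("occViewModel", vm);  // @SessionAttributes now stores it in the HttpSession
        return "occurence";
    }

    @PostMapping("/occurence")
    public String submit(@Valid @ModelAttribute("occViewModel") OccViewModel vm,
                         BindingResult result, SessionStatus status) {
        if (result.hasErrors()) {
            return "occurence";
        }
        // Re-load by the id carried in the session, never by a value taken from the form body.
        Occurence occ = occurenceRepository.findById(vm.getOccurenceId())
                .orElseThrow(() -> new IllegalStateException("occurrence no longer exists"));
        occ.setDescription(vm.getDescription()); // copy only the editable fields onto the managed entity
        occurenceRepository.save(occ);           // existing id => Hibernate merges instead of inserting a new row
        status.setComplete();                    // remove the view model from the session
        return "redirect:/dash";
    }
}
```

Whether the current user may edit this particular occurrence is still a separate authorization check on the loaded entity, as gusto2's comment points out.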