1

Should I deal with unexpected JSON fields in a request? Let's assume that I have got paymentDTO as an input to my controller:

```java
import java.math.BigDecimal;

public class PaymentDTO {
    private String fromAccountNumber;
    private String toAccountNumber;
    private BigDecimal amount;

    // ... constructor
    // ... getters
    // ... setters
}
```

What I expect as a request is:

```json
{
  "fromAccountNumber": "1",
  "toAccountNumber": "2",
  "amount": 50.0
}
```

What if the user posts a request like below:

```json
{
  "fromAccountNumber": "1",
  "toAccountNumber": "2",
  "amount": 50.0,
  "customField1": 100,
  "anotherField2": "data"
}
```

Could it cause any problem in my Spring Boot controller? If so, how should I handle unexpected json request fields?

Mark Rotteveel
Aksoy
  • Does this answer your question? [Ignoring new fields on JSON objects using Jackson](https://stackoverflow.com/questions/5455014/ignoring-new-fields-on-json-objects-using-jackson) – burm87 Dec 21 '20 at 09:59

2 Answers

2

My advice is to fail (i.e. 400 Bad Request, not a 500) on unmatched properties. That way, mistakes in clients will become apparent more quickly.

tgdavies
-1

If you are using Spring Boot, adding this line in your application.properties file will ignore unknown properties:

```properties
spring.jackson.deserialization.fail-on-unknown-properties=false
```
Piaget Hadzizi
  • The OP is not asking how to configure it globally, they are asking what implications it may have. – terrorrussia-keeps-killing Dec 21 '20 at 10:18
  • @fluffy, I think the last question is asking about how to handle unknown properties. I have given one solution: to ignore them globally so that you don't get any error. Yekta expressed that the controller could have a problem, so ignoring the properties will make sure that the controller will not complain when deserializing the body – Piaget Hadzizi Dec 21 '20 at 10:29
  • I disagree. The question is entitled with _Should I ..?._ so it sounds more like a question of is it worth _doing something_. Next, the second-last question is asking _Could it cause any problem ...?_ -- problems of what kind exactly? Client-server negotiation? Security risks? Performance issues? The third and the last question is asking _... how should I handle unexpected JSON ...?_ Is it asking for ignoring the fields? – terrorrussia-keeps-killing Dec 21 '20 at 10:34
  • @fluffy, let me ask you a question. How else can one handle unknown JSON properties, besides ignoring them? I'm not the one who asked the question, but the sense of the title is: how should I deal with unexpected json fields in a request? – Piaget Hadzizi Dec 21 '20 at 10:40
  • It's a good question indeed, and there are at least two other options: 1) fail on unmapped properties (the default Jackson behavior, right? results in HTTP 400 Bad Request simply rejecting the user input); 2) logging unmapped properties while ignoring/failing so as to gather some more information on the inbound requests (AFAIK, not a Jackson built-in). I do believe it depends on the particular application requirements, and these aren't clear from what the OP has asked. What if they use Gson, not Jackson? I would rather clarify the question first. – terrorrussia-keeps-killing Dec 21 '20 at 10:46
  • The depth with which you want the question to be clear is impossible! The next thing you'll be all their requirements and source code in order to assist them! I assisted them using the supplied information. They will try the solution if it doesn't work they your answer (if you will ever answer their question) – Piaget Hadzizi Dec 21 '20 at 10:57
  • Instead of focusing on correcting the solution given to the question that is not clear to you, you were supposed to ask for clarity from the one who asked the question – Piaget Hadzizi Dec 21 '20 at 10:59
  • No, I'm just trying to tell that the OP's information supplied in the question is not full enough just to say "hey, I do believe you're using Jackson, ignore them all". – terrorrussia-keeps-killing Dec 21 '20 at 10:59
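
The two handling options raised in the answers and comments above (reject unknown fields, or accept the request but record what else was sent), as an added example that is not part of the original thread. It assumes Jackson (`jackson-databind`) is on the classpath; the class names `UnknownFieldDemo`, `StrictPayment` and `AuditedPayment` are hypothetical, and the request body is the question's second request, constructed inline.

```java
import com.fasterxml.jackson.annotation.JsonAnySetter;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
import java.math.BigDecimal;
import java.util.LinkedHashMap;
import java.util.Map;

public class UnknownFieldDemo {
    // Hypothetical DTO with the same three fields as the question's PaymentDTO.
    public static class StrictPayment {
        public String fromAccountNumber;
        public String toAccountNumber;
        public BigDecimal amount;
    }

    // Hypothetical variant that captures unknown fields instead of dropping them.
    public static class AuditedPayment extends StrictPayment {
        // Private and without a bean getter, so clients cannot set it directly.
        private final Map<String, Object> unknown = new LinkedHashMap<>();

        @JsonAnySetter
        public void capture(String name, Object value) {
            unknown.put(name, value);
        }

        public Map<String, Object> unknownFields() {
            return unknown;
        }
    }

    // Constructed sample input: the question's request with two extra fields.
    static final String BODY = "{\"fromAccountNumber\":\"1\",\"toAccountNumber\":\"2\","
            + "\"amount\":50.0,\"customField1\":100,\"anotherField2\":\"data\"}";

    public static void main(String[] args) throws Exception {
        // Option 1: reject. Spring MVC reports an unreadable body as 400 Bad Request.
        ObjectMapper strict = new ObjectMapper()
                .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        try {
            strict.readValue(BODY, StrictPayment.class);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("rejected, unknown field: " + e.getPropertyName());
        }

        // Option 2: bind the known fields and keep the extras for logging or review.
        AuditedPayment p = new ObjectMapper().readValue(BODY, AuditedPayment.class);
        System.out.println("accepted amount=" + p.amount
                + ", unknown fields=" + p.unknownFields().keySet());
    }
}
```

In both options only the three declared fields ever reach the payment object; the difference is whether the client is told about the extra fields or the server just records them.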