Return error on unknown fields in JSON request body of specific controllers

Question

I have SpringBoot application X that has customer facing APIs. Those APIs receive request body as JSON.

Application X issues API calls to application Y and receives responses with JSON body.

I want to prevent application X from receiving unknown fields in the request body on customer-facing controllers.

I was thinking about spring.jackson.deserialization.fail-on-unknown-properties=true but if I understand correctly such configuration will cause a failure also if a call from application X to application Y will return response body with unknown field. Therefore this configuration will make the API between application X and application Y more coupled and less robust.

I am looking for a way to enforce "fail-on-unknown-fields" only for deserialization of request body at customer facing controllers of an application while allowing deserialization at other parts of the application to ignore unknown fields

Example: I have the following customer facing API.

@PostMapping
public Response updateProduct(@RequestBody Product product) {
.....
}

Where

class Product {
    private int id;
    private String name;
    private int price;
}

I want to prevent customer from passing the following body to request, because colour is not a know field.

{
  "id": 777,
  "name": "apple",
  "price": 2,
  "colour": "red"
}

But - I want it the "fail-unknown-fields" to be enforced on this controller only and not at other places where Jackson is used to deserialized responses received from other applications.

Answer 1

You can create a new ObjectMapper instance in your controller explicitly configuring its DeserializationFeature#FAIL_ON_UNKNOWN_PROPERTIES to the value true that will force the fail in the case of unknown properties inside the json in the post request body like below:

@PostMapping(value = "/updateproduct")
public Product updateProduct(@RequestBody String productString) throws JsonProcessingException {
    ObjectMapper objectMapper = new ObjectMapper();
    objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
    //it will fail in case of unknown properties inside the json string
    Product product = objectMapper.readValue(productString, Product.class);
    return product;
}

Choosing to convert the request body json to String you can configure manually your ObjectMapper local instance while you have to decide how to proceed when there is a json processing exception (in my case I simply decided to directly throw the exception but a different behaviour can be adopted) or the UnrecognizedPropertyException exception like the case you presented.

EDIT: answer the OP comment below

But instead of receiving String and explicitly creating a objectMapper, I would like to find a way to keep it Product and to somehow tell Spring "use this ObjectMapper bean for this specific controller".

I am not aware if it is possible to do exactly what you want, but you can achieve something pretty similar: you can define a custom ObjectMapper bean in your configuration class so having a default primary bean and your custom bean:

@Configuration
public class ApplicationConfiguration {

    @Bean
    @Primary
    public ObjectMapper objectMapper() {
        return Jackson2ObjectMapperBuilder
                .json()
                .build();
    }

    @Bean("customObjectMapper")
    public ObjectMapper getCustomObjectMapper() {
        return Jackson2ObjectMapperBuilder
                .json()
                .build()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
    }
}

Then in the same controller you can refer both the two beans, so one method will end with success because it works with the default primary bean and the other one will fail:

@RestController
@RequestMapping("/")
public class ExampleController {

    //fine, it is using the default primary bean so it ignores
    //unknown properties in the json 
    @PostMapping(value = "/updateproduct")
    public Product updateProduct(@RequestBody Product product) {
        return product;
    }

    @Autowired
    @Qualifier("customObjectMapper")
    private ObjectMapper objectMapper;

    //it is using the custom bean so it will fail 
    //with unknown properties in the json
    @PostMapping(value = "/updateproductfail")
    public Product updateProductFail(@RequestBody String productString) throws JsonProcessingException {
        Product product = objectMapper.readValue(productString, Product.class);
        return product;
    }
}

Answer 2

Add to the Product:

@JsonAnySetter
public Map<String,Object> unknownAttributes = new HashMap<>();

Then in the controller use:

if (!product.unknownAttributes.isEmpty()) {

}

Answer 3

To change this on project level, you can add on your application.properties the following content:

spring.jackson.deserialization.fail-on-unknown-properties=true

Or if you are using an application.yaml:

spring:
  jackson:
    deserialization:
      fail-on-unknown-properties: true

This configuration will affect on project level, so you can keep using the correct DTO on the @RequestBody object received. This way, you don't have to do any change on your controller, but may be advisable to control the exception in your @ControllerAdvice.