Prevent binding for @ModelAttribute [SPR-13402]

[spring-projects-issues]

Kazuki Shimizu opened SPR-13402 and commented

Add new attribute(preventBinding) to prevents binding for request parameter at @ModelAttribute.
I want to obtained an read only object (Entity that was fetched from the database, etc) from the Model without binding request values for security countermeasure.

e.g.)

@Controller
@RequestMapping("account/{accountId}")
@SessionAttributes(types = {AccountUpdateForm.class, Account.class})
public class AccountUpdateController {

    @ModelAttribute public AccountUpdateForm setUpAccountUpdateForm() { return new AccountUpdateForm(); }

    @ModelAttribute public Account findAccount(@PathVariable String accountId) { return accountRepository.findOne(accountId); }
    // ...
    @RequestMapping(path = "update", method = RequestMethod.POST)
    public String update(
            @PathVariable String accountId,
            @Valid AccountUpdateForm form,
            BindingResult result,
            // ### new attribute of @ModelAttribute ###
            @ModelAttribute(preventBinding = true) Account account,
            RedirectAttributes redirectAttributes) {
        // ...
        return "/account/{accountId}/update?complete";
    }

    @RequestMapping(path = "update", method = RequestMethod.GET, params = "complete")
    public String updateComplete(SessionStatus sessionStatus){
        sessionStatus.setComplete();
        return "account/complete";
    }

}

How do think?
I submit PR at later.

---

Affects: 4.2 GA

Issue Links:

• @ModelAttribute binding defined globally for particular attribute rather than per method invocation [SPR-16083] #20632 @ModelAttribute binding defined globally for particular attribute rather than per method invocation
• Introduce @FromModel as substitute to @ModelAttribute(binding=false) [SPR-15267] #19832 Introduce @FromModel as substitute to @ModelAttribute(binding=false)
• Portlet MVC @ModelAttribute interdependency is still not supported [SPR-13694] #18269 Portlet MVC @ModelAttribute interdependency is still not supported

Referenced from: pull request #866, and commits 2e7470b

[spring-projects-issues]

Kazuki Shimizu commented

I've submit a PR for this issue.

[spring-projects-issues]

Juergen Hoeller commented

Let's consider this for 4.3, possibly as a binding=false attribute (true being the default). When used on a model attribute method (i.e. a method returning a model attribute), we could store the binding declaration for all use of that model attribute, effectively enforcing a read-only status for that attribute across all handler methods.

For the time being, I suppose declaring a ModelMap attribute and simply calling get for the desired object does the job as well, since no binding will be involved there?

Juergen

[spring-projects-issues]

Kazuki Shimizu commented

Thanks for quick response.

Let's consider this for 4.3 ...
OK!

Workaround code is as follow:
Is this OK ?

    @RequestMapping(path = "update", method = RequestMethod.POST)
    public String update(
            @PathVariable String accountId,
            @Valid AccountUpdateForm form,
            BindingResult result,
            ModelMap model,
//            @ModelAttribute(preventBinding = true) Account account,
            RedirectAttributes redirectAttributes) {
        Account account = (Account)model.get("account");
        // ...
        return "/account/{accountId}/update?complete";
    }

Thanks.

[spring-projects-issues]

Rossen Stoyanchev commented

Yes that should work.

[spring-projects-issues]

Kazuki Shimizu commented

Thanks!
ModelMap.get("account") or Model.asMap().get("account") , Which is good style ? Is same ?

[spring-projects-issues]

Rossen Stoyanchev commented

Since you need to access Map attributes, then might as well go straight to ModelMap.

[spring-projects-issues]

Kazuki Shimizu commented

Thanks for advice! I think to use ModelMap.

[spring-projects-issues]

Rossen Stoyanchev commented

I suppose declaring a ModelMap attribute and simply calling get for the desired object does the job as well, since no binding will be involved there?

Juergen Hoeller, did you mean wrapping an attribute returned from an @ModelAttribute method with ModelMap? If so we'd have to also update it at some point before view resolution to unwrap it. Alternatively since we are using a ModelAndViewContainer we could simply add a look up for attributes that should not have binding applied.

[spring-projects-issues]

Rossen Stoyanchev commented

This is now available in master (see commit 2e7470). It would be great if you had a chance to confirm it works for your use case.

[spring-projects-issues]

Kazuki Shimizu commented

Thanks for resolve !!
I've confirmed changes using 4.3.0.BUILD-SNAPSHOT :)

[spring-projects-issues]

Rossen Stoyanchev commented

Thanks for confirming!