I have the following code that allows a user to update name and year.
Model
@Entity
public class Person implements Serializable{
private static final long serialVersionUID = 1L;
private String name;
private int year;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public int getYear() {
return year;
}
public void setYear(int year) {
this.year = year;
}
}
Controller
@RequestMapping(value = "/person", method = RequestMethod.POST)
public ModelAndView editPerson(@ModelAttribute Person person)
{
//perform operations
//display results
ModelAndView modelAndView = new ModelAndView("Person.html");
modelAndView.addObject("personBind", person);
return modelAndView;
}
View
<form action="person" method="post" th:object="${personBind}">
Name:
<input type="text" th:field="*{name}" />
Year:
<input type="text" th:field="*{year}" />
Now I want to do some validation in the year field. For instance, if the user inputs a string instead of a number on that field, the current code will throw an exception because it doesn't allow to set a string in an integer attribute.
So how to validate the input? Don't want to use @Valid. Want to do some custom validations.
The way I found to do this is to create a string version of the year field in the model (getter/setter). Then use that strYear in the view and do the validation in the controller. Like the updated code below. Is that the correct approach or there's a better way to do this? I ask because not sure if it's correct to create a string version of getters/setters for every numeric attribute that needs to be validated. Seems a lot of duplication.
Model
@Entity
public class Person implements Serializable{
private static final long serialVersionUID = 1L;
private String name;
private int year;
@Transient
private String strYear;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public int getYear() {
return year;
}
public void setYear(int year) {
this.year = year;
}
public String getStrYear() {
return strYear;
}
public void setStrYear(String strYear) {
this.strYear = strYear;
}
}
Controller
@RequestMapping(value = "/person", method = RequestMethod.POST)
public ModelAndView editPerson(@ModelAttribute Person person)
{
//validate
boolean valid = Validate(Person.getStrYear());
if(valid==true)
{
Person.setYear(Integer.ParseInt(Person.getStrYear()));
//save edit
}
else
{//display validation messages}
//display results
ModelAndView modelAndView = new ModelAndView("Person.html");
modelAndView.addObject("personBind", person);
return modelAndView;
}
View
<form action="person" method="post" th:object="${personBind}">
Name:
<input type="text" th:field="*{name}" />
Year:
<input type="text" th:field="*{strYear}" />
Validation can be tricky and difficult, some things to take into account when doing validation...
The model in MVC (Model, View, Controller) does not, and generally should not, be the same as your Domain Model. See @wim-deblauwe's comment and the Q&A section below.
There are SERIOUS security issues with using a real Domain Model object as the form backing object due to the way that Spring does auto setting of values during form submittal. For example, if we are using a User object that has a password field on it as our form backing object, the form could be manipulated by browser developer tools to send a new value for the password field and now that new value will get persisted.
All data entered via an html form is really String data that will need to get transposed to its real data type (Integer, Double, Enumeration, etc...) later.
There are different types of validation that, in my opinion, need to happen in different temporal order.
There shouldn't be any temporal coupling between validators. Meaning that if a field is optional, then 'data type' validator shouldn't fail validation if a value isn't present. See the validators below.
Domain Object / Business Object:
@Entity
public class Person {
private String identifier;
private String name;
private int year;
public String getIdentifier() {
return identifier;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public int getYear() {
return year;
}
public void setYear(int year) {
this.year = year;
}
}
To populate an html form via a Spring MVC Controller we would create a specific object that represents that form. This also includes all the validation rules as well:
@GroupSequence({Required.class, Type.class, Data.class, Persistence.class, CreateOrUpdatePersonForm.class})
public class CreateOrUpdatePersonForm {
@NotBlank(groups = Required.class, message = "Name is required.")
private String name;
@NotBlank(groups = Required.class, message = "Year is required.")
@ValidInteger(groups = Type.class, message = "Year must be a number.")
@ValidDate(groups = Data.class, message = "Year must be formatted yyyy.")
private String year;
public CreateOrUpdatePersonForm(Person person) {
this.name = person.getName();
this.year = Integer.valueOf(person.getYear);
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getYearStr() {
this.year;
}
public void setYearStr(String year) {
this.year = year;
}
public int getYear() {
return Integer.valueOf(this.year);
}
}
Then in your controller to use the new CreateOrUpdatePersonForm object:
@Controller
public class PersonController {
...
@ModelAttribute("command")
public CreateOrUpdatePersonForm setupCommand(@RequestParam("identifier") Person person) {
return new CreateOrUpdatePersonForm(person);
}
//@PreAuthorize("hasRole('ADMIN')")
@RequestMapping(value = "/person/{person}/form.html", method = RequestMethod.GET)
public ModelAndView getForm(@RequestParam("person") Person person) {
return new ModelAndView("/form/person");
}
//@PreAuthorize("hasRole('ADMIN')")
@RequestMapping(value = "/person/{person}/form.html", method = RequestMethod.POST)
public ModelAndView postForm(@RequestParam("person") Person person, @ModelAttribute("command") @Valid CreateOrUpdatePersonForm form,
BindingResult bindingResult, RedirectAttributes redirectAttributes) {
ModelAndView modelAndView;
if (bindingResult.hasErrors()) {
modelAndView = new ModelAndView("/form/person");
} else {
this.personService.updatePerson(person.getIdentifier(), form);
redirectAttributes.addFlashAttribute("successMessage", "Person updated.");
modelAndView = new ModelAndView("redirect:/person/" + person.getIdentifier() + ".html");
}
return modelAndView;
}
}
The @ValidInteger and @ValidDate are validators that we wrote ourselves.
@ValidInteger:
public class ValidIntegerValidator implements ConstraintValidator<ValidInteger, String> {
@Override
public void initialize(ValidInteger annotation) {
}
@Override
public boolean isValid(String value, ConstraintValidatorContext constraintValidatorContext) {
boolean valid = true;
if (StringUtils.hasText(value)) {
try {
Integer.parseInteger
(value);
} catch (NumberFormatException e) {
valid = false;
}
}
return valid;
}
}
@Target({METHOD, FIELD})
@Retention(RUNTIME)
@Constraint(validatedBy = ValidIntegerValidator.class)
@Documented
public @interface ValidInteger {
String message() default "{package.valid.integer}";
Class<?>[] groups() default {};
Class<? extends Payload>[] payload() default {};
}
@ValidDate
public class ValidDateValidator implements ConstraintValidator<ValidDate, String> {
private String format;
@Override
public void initialize(ValidDate annotation) {
this.format = annotation.format();
}
@Override
public boolean isValid(String inputDate, ConstraintValidatorContext constraintValidatorContext) {
boolean valid = true;
if (StringUtils.hasText(inputDate)) {
SimpleDateFormat dateFormat = new SimpleDateFormat(format);
dateFormat.setLenient(false);
try {
dateFormat.parse(inputDate);
} catch (ParseException e) {
valid = false;
}
}
return valid;
}
}
@Target({METHOD, FIELD})
@Retention(RUNTIME)
@Constraint(validatedBy = ValidDateValidator.class)
@Documented
public @interface ValidDate {
String message() default "{package.dateformat}";
Class<?>[] groups() default {};
Class<? extends Payload>[] payload() default {};
String format();
}
Then in your view jsp or template you'll need to display the errors if there are any:
<html>
...
<body>
<common:form-errors modelAttribute="command"/>
...
</body>
</html>
There is a lot more to deal with validation, like comparing two fields together, or accessing your persistence layer to verify that a person name is unique, but that takes a lot more explanation.
Q: Can you provide links that explain the thought behind not using the Domain Model as the MVC Model?
A: Sure, Entities VS Domain Models VS View Models and Entity vs Model vs View Model
TL;DR: Using different objects for the Domain Model and the MVC Model is because it reduces coupling between application layers and it protects our UI and Domain Model from changes in either layer.
Validation of data needs to occur at all entry points to an application: UI, API, and any external systems or files that are read in.
An API is just a UI for computers and needs to follow the same rules as the human UI.
Accepting data from the internet is fraught with peril. It is better to be more restrictive than less restrictive. This also includes making sure that there aren't any strange characters coughMicrosoft's 1252 character encodingcough, Sql Injection, JavaScript Injection, making sure that your database is setup for unicode and understanding that a column that is setup for 512 characters, depending on the language can only actually handle 256 characters due to codepoints.