Announcement Announcement Module
Collapse
No announcement yet.
Spring MVC + JPA - Binding/Updating Associated Entities Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring MVC + JPA - Binding/Updating Associated Entities

    Hi all,

    Some of this question is related to JPA, but it's more about approaches than technology so hopefully someone will be able to offer advice.

    I'm using Spring MVC and Hibernate to power a website that allows users to create products, and product descriptions. I have a Product entity, which has a bidirectional one-to-many relationship with ProductDescription.

    If when submitting a form that binds to an instance of Product, and specifies all of its ProductDescriptions, then a malicious user could enter bogus IDs for the ProductDescriptions and 'hijack' other users' data. One solution to this would be to always create the ProductDescriptions anew, so delete them when the form is submitted, and create new ones each time. This seems inefficient because of the extra delete and write operations that would be needed every time the Product is updated (even if the ProductDesciptions haven't changed).

    Another alternative would be to check 'ownership' of the child entities before running an update.

    How do other people get around this issue? Do most people do delete/insert, or selective update?

    Here's an example of the sort of POST submission I'm talking about:
    Code:
    id=1
    name=My Product
    descriptions[0].id=123
    descriptions[0].text=A lovely description of my product
    descriptions[0].price=100
    descriptions[1].id=123
    descriptions[1].text=Another lovely description of my product in another language
    descriptions[1].price=50
    And an example of the kind of class I'm talking about:
    Code:
    public class Product
    {
       @Id
       @GeneratedValue(strategy = GenerationType.AUTO)
       private Integer id;
       @OneToMany(mappedBy = "product")
       private Set<ProductDescription> descriptions;
       private String name;
    }
    
    
    public class ProductDescription
    {
       @Id
       @GeneratedValue(strategy = GenerationType.AUTO)
       private Integer id;
       private Integer price;
       @ManyToOne
       private Product product;
       private String text;
    }

  • #2
    I'm curious as to other responses here. But what I found was were several options:

    1. Don't rely on pure http binding and use either a SessionAttribute (or soon flashscope from greenhouse or 3.1) with the the binder set to disallow fields you don't want to allow modified. But sessionattributes bring their own issues related to multiple windows/tabs.
    2. Consider using Spring Security ACL. That way if people manually muck with the POST - the worst they can do is modify data that they already have access to. But Spring Security ACL isn't free either and there's some aop required to get it to work on entity beans. And generally JPA (at least 1.0) requires bidirectional relationships. So you have to be careful to protect both sides of the relationship.

    -Andy

    Comment

    Working...
    X