Chapter 1: Introduction to Spring REST API Security

To effectively secure client requests, familiarity with core Spring REST API annotations is crucial. Key annotations include @RestController, @RequestMapping, @GetMapping, @PostMapping, @PutMapping, @DeleteMapping, @PathVariable, @RequestParam, and @RequestBody. A solid understanding of @PathVariable, @RequestParam, and @RequestBody is particularly important for this discussion.

If you are new to these concepts, please refer to the linked article before continuing here.

Chapter 2: Validating Request Body

Imagine we need to modify the date of an existing appointment:

{

"id": 1,

"date": "2024-03-26", // changing from "2024-03-25"

"title": "visiting relative"

}

(Note: The comments above are for clarity—please remove them when testing.)

If we mistakenly submit the following without the "date" attribute:

{

"id": 1,

"title": "visiting relative"

// "date" attribute is missing

}

The request would still succeed, resulting in a null date for the appointment:

Request: GET http://localhost:8080/appointments/1

Response:

{

"id": 1,

"date": null,

"title": "visiting relative"

}

To prevent such issues, input validation is essential before data is saved to the database. Here are three necessary modifications:

1. Add a Dependency: Include the "spring-boot-starter-validation" in your Maven pom.xml file. This package provides the necessary runtime and API to establish validation rules.

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-validation</artifactId>

</dependency>

2. Apply Validation Constraints: Use the @NotNull and @NotBlank annotations on relevant fields in the AppointmentDTO, the class representing the request body.

@NotNull

public LocalDate date;

@NotBlank

public String title;

3. Use @Valid Annotation: Apply the @Valid annotation to the mapped request body in the update API method. This directs Spring to check the constraints defined in AppointmentDTO.

@PutMapping("/{id}")

public void update(@PathVariable("id") Long id, @Valid @RequestBody AppointmentDTO appointmentDTO) {

this.appointmentService.updateAppointment(id, appointmentDTO);

}

If we submit the same invalid input again, a 400 Bad Request response will be returned:

Request: PUT http://localhost:8080/appointments/1

Request body:

{

"id": 1,

"title": "visiting relative"

}

Response:

{

"timestamp": "2024-03-27T16:20:47.618+00:00",

"status": 400,

"error": "Bad Request",

"path": "/appointments/1"

}

The server console will log a validation error, indicating that the null value for the 'date' field is not acceptable.

Chapter 3: Validating Path Variables and Parameters

Path variables and request parameters are required by default. Failing to submit a required parameter will lead to a 400 (Bad Request) response, similar to what happens with @NonNull constraints on parameters.

@GetMapping("/search")

public List search(@RequestParam("date") String date) {

return this.appointmentService.findAppointmentByDate(date);

}

If a request is made without the required ?date= query parameter:

Request: GET http://localhost:8080/appointments/search

Response:

{

"timestamp": "2024-03-27T16:34:18.855+00:00",

"status": 400,

"error": "Bad Request",

"path": "/appointments/search"

}

Optional Parameters

To allow for optional parameters, utilize an Optional container, which overrides the @RequestParam.required attribute. You can check for the presence of a value using Optional.isEmpty() or Optional.isPresent().

@GetMapping("/search")

public List search(@RequestParam("date") Optional<String> date) {

if (date.isEmpty()) return appointmentService.listAppointments();

return this.appointmentService.findAppointmentByDate(date.get());

}

If the ?date= parameter is omitted:

Request: GET http://localhost:8080/appointments/search

Response:

[

{

"id": 1,

"date": "2024-03-25",

"title": "visiting relative"

},

{

"id": 2,

"date": "2024-04-06",

"title": "baby shower party"

}

]

Alternatively, you can set required = false and define the variable as nullable.

@GetMapping("/search")

public List search(@RequestParam(value = "date", required = false) String date) {

if (date == null) return appointmentService.listAppointments();

return this.appointmentService.findAppointmentByDate(date);

}

Optional Path Variables

Making path variables optional can be complex and is generally discouraged, as it may create confusion in request handling.

@GetMapping("/")

public List list() {

return this.appointmentService.listAppointments();

}

@GetMapping("/{id}")

public AppointmentDTO view(@PathVariable("id") Long id) {

return this.appointmentService.findAppointment(id);

}

Automatic Type Conversion

Spring's automatic type conversion feature is vital for preventing attacks like SQL Injection. When defining a path variable, Spring ensures that the input matches the expected data type.

@GetMapping("/{id}")

public AppointmentDTO view(@PathVariable("id") Long id) {

return this.appointmentService.findAppointment(id);

}

In this case, Spring checks that the supplied value is a valid 64-bit integer and rejects any invalid characters or formats.

To further explore SQL injection defenses and type conversion, check out the video below.

Conclusion

In summary, we explored the validation of request variables, parameters, and bodies in Spring REST API implementations to enhance data integrity and security. To validate input effectively:

1. Add the "spring-boot-starter-validation" dependency to your project's pom.xml.
2. Apply validation constraints like @NotNull and @NotBlank to the relevant fields in your DTO.
3. Use the @Valid annotation on the mapped request body in your API methods to activate validation.

Additionally, we discussed the default mandatory nature of path variables and parameters, explored options for making parameters optional, and cautioned against optional path variables due to potential confusion. Finally, we highlighted Spring's automatic type conversion feature, which plays a crucial role in defending against SQL injection attacks by validating and converting input data.