Uploaded image for project: 'Spring Data REST'
  1. Spring Data REST
  2. DATAREST-1007

POST duplicate entry not causing PK collision in Spring Data REST

    Details

    • Type: Bug
    • Status: Waiting for Feedback
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.6 GA (Ingalls)
    • Fix Version/s: None
    • Component/s: Repositories
    • Environment:
      Ubuntu 16.04 TLS/Eclipse Neon.2 Release (4.6.2)

      Description

      As per Spring Data REST Documentation, POST method creates a new entity from the given request body. However, I found it could also update the existing entity. In some cases, this can be problematic. Here is an example:

      DemoApplication.java

      package com.example;
      
      import org.springframework.boot.SpringApplication;
      import org.springframework.boot.autoconfigure.SpringBootApplication;
      
      @SpringBootApplication
      public class DemoApplication {
      
          public static void main(String[] args) {
              SpringApplication.run(DemoApplication.class, args);
          }
      }
      

      UserRepository.java

      package com.example;
      
      import org.springframework.data.repository.PagingAndSortingRepository;
      
      public interface UserRepository extends PagingAndSortingRepository<User, String> {}
      

      User.java

      package com.example;
      
      import javax.persistence.Entity;
      import javax.persistence.Id;
      
      @Entity
      public class User {
          @Id
          private String username;
          private String password;
          public String getUsername() {
              return username;
          }
          public void setUsername(String username) {
              this.username = username;
          }
          public String getPassword() {
              return password;
          }
          public void setPassword(String password) {
              this.password = password;
          }
      }
      

      pom.xml (within project tag)

      <modelVersion>4.0.0</modelVersion>
      
      <groupId>com.example</groupId>
      <artifactId>demo</artifactId>
      <version>0.0.1-SNAPSHOT</version>
      <packaging>jar</packaging>
      
      <name>demo</name>
      <description>Demo project for Spring Boot</description>
      
      <parent>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-parent</artifactId>
          <version>1.5.1.RELEASE</version>
          <relativePath/> <!-- lookup parent from repository -->
      </parent>
      
      <properties>
          <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
          <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
          <java.version>1.8</java.version>
      </properties>
      
      <dependencies>
          <dependency>
              <groupId>org.springframework.boot</groupId>
              <artifactId>spring-boot-starter-data-jpa</artifactId>
          </dependency>
          <dependency>
              <groupId>org.springframework.boot</groupId>
              <artifactId>spring-boot-starter-data-rest</artifactId>
          </dependency>
      
          <dependency>
              <groupId>com.h2database</groupId>
              <artifactId>h2</artifactId>
              <scope>runtime</scope>
          </dependency>
          <dependency>
              <groupId>org.springframework.boot</groupId>
              <artifactId>spring-boot-starter-test</artifactId>
              <scope>test</scope>
          </dependency>
      </dependencies>
      
      <build>
          <plugins>
              <plugin>
                  <groupId>org.springframework.boot</groupId>
                  <artifactId>spring-boot-maven-plugin</artifactId>
              </plugin>
          </plugins>
      </build>
      {cdemo}
      
      application.properties: empty
      
      URL: http://localhost:8080/users
      
      Method: POST
      
      JSON content:
      
      {"username":"user","password":"password"}
      I assumed the above POST request was getting HTTP 201 at the first time, and only for one time. However, I was able to send the above POST request many times, and got HTTP 201 all the time. In addition, I was also able to change the password in the database using POST request.
      
      I believe that this is a security problem. For example, I might allow anonymous user registration through a POST request. But, with above situation, the existing user could be overwritten.
      
      Question: How can I prevent a new entity being created from a POST request if an old entity has already existed with the same id? Or, did I miss interpret the Spring Data REST Documentation?
      Supplementary explanation:
      
      The cause of this issue is the design behind Spring Data REST. Because Spring Data REST is built upon Spring Data JPA, which was not used to directly expose to the "outside". So it "trusts" data that comes in. The method isNew in org.springframework.data.repository.core.support.AbstractEntityInformation shows how data is determined as new or not new.
      
      {code:java}
      public boolean isNew(T entity) {
      
          ID id = getId(entity);
          Class<ID> idType = getIdType();
      
          if (!idType.isPrimitive()) {
              return id == null;
          }
      
          if (id instanceof Number) {
              return ((Number) id).longValue() == 0L;
          }
      
          throw new IllegalArgumentException(String.format("Unsupported primitive id type %s!", idType));
      }
      

      The result of isNew method will eventually effects save method in org.springframework.data.jpa.repository.support.SimpleJpaRepository.

      public <S extends T> S save(S entity) {
      
          if (entityInformation.isNew(entity)) {
              em.persist(entity);
              return entity;
          } else {
              return em.merge(entity);
          }
      }
      

      In the situation mentioned in this question, the username field, which is also the id of the user entity, would always contain data in order to create new users. Therefore, when it goes to isNew, id == null will always return false. Then save method will always perform a merge operation.

        Attachments

          Activity

            People

            • Assignee:
              olivergierke Oliver Drotbohm
              Reporter:
              ljzca Jianzhao Li
              Last updater:
              Jianzhao Li
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: