
How to architect my RESTful webservice with Jackson and JaxB serialization

I have some sensitive domain objects that I would like to convert to json and xml. I am using Spring view resolution to do this, but that is beside the point.

I'd like to add annotations to the domain objects to specify which fields should be converted to xml / json.

Something like

@XmlRootElement
public class SensitiveDomainObject {

    private String password;
    private String accountName;
    private String goldMemberStatus;

    // ...

    // must stay public so internal callers can use it,
    // but must never be serialised
    public String getPassword() { return password; }

    @XmlAttribute
    @JsonProperty   // was @JsonValue; Jackson permits only one @JsonValue per class
    public String getAccountName() { return accountName; }

    @XmlAttribute
    @JsonProperty
    public String getGoldMemberStatus() { return goldMemberStatus; }

}

I want getAccountName() and getGoldMemberStatus() to be serialised to json and xml, but getPassword to never be serialised.

What I don't want is

1) Separate 'annotation placement strategies' for json and xml, as that gets confusing if one needs to markup different methods in different ways as standard.

2) To be explicitly ignoring fields. This is because if some programmer comes along in the future and adds a newly sensitive field without including for example the @JsonIgnore annotation, suddenly that sensitive field is shared.

3) To have to make methods like getPassword() private. I still want to be able to call getPassword() internally.

Has anyone done this or have any thoughts?

EDIT

Included a picture from IBM showing essentially the design I ran with, with explicit DTOs with annotations in the business logic layer. The presentation layer figures out which DTO to request and serve based on the incoming URL.


If you care so much about differentiating what your business classes are and what is transferred, you may consider implementing a separate package of DTO classes which will explicitly include only those properties you'd like to transfer.

In this case you'll have to explicitly include the transfer properties; this can't happen because the programmer forgot it.

There are other approaches to this, like adding some validation rules that the property like password is ignored and enforcing them on JAXB context level. But this will only work until someone not knowing will name it kennwort or credentials or whatever may come in mind, and your validation rules will be out of effect.

So I see two ways:

* Either you trust the programmer (and all the QA/QS process like code reviews etc.) to support her/him.
* Or you make your transfer classes explicit.

For important external interfaces I'd probably go with the second approach (explicit DTOs). If password ends up there, it can't be by forgetting, it will only be on purpose.
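The explicit-DTO design the answer recommends, as an added example that is not code from the question or the answer: the domain object carries no serialisation annotations, the DTO is the only type handed to the serialisers, and both JAXB and Jackson are switched to opt-in binding so a field added to the DTO without an annotation is still not exposed. It assumes Jackson 2 and JAXB 2 (javax.xml.bind); the class and field names are made up for the example.

```java
import javax.xml.bind.JAXBContext;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlRootElement;
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;

// Domain object (hypothetical). No serialisation annotations, never given to a
// view resolver; getPassword() stays public for internal callers.
class SensitiveDomainObject {
    private final String accountName, password, goldMemberStatus;
    SensitiveDomainObject(String accountName, String password, String goldMemberStatus) {
        this.accountName = accountName; this.password = password; this.goldMemberStatus = goldMemberStatus;
    }
    public String getAccountName() { return accountName; }
    public String getPassword() { return password; }
    public String getGoldMemberStatus() { return goldMemberStatus; }
}

// Transfer object: the only type the presentation layer serialises. Both binders
// are opt-in, so only members carrying an annotation are ever written out.
@XmlRootElement(name = "account")
@XmlAccessorType(XmlAccessType.NONE)                      // JAXB: annotated members only
@JsonAutoDetect(fieldVisibility = Visibility.NONE,         // Jackson: same rule
        getterVisibility = Visibility.NONE, isGetterVisibility = Visibility.NONE)
public class AccountDto {
    @XmlAttribute @JsonProperty private String accountName;
    @XmlAttribute @JsonProperty private String goldMemberStatus;

    public AccountDto() {}   // JAXB requires a no-arg constructor

    // The one place where domain data crosses into the transfer layer. Nothing is
    // copied unless someone writes the assignment, so the password is simply absent.
    public static AccountDto from(SensitiveDomainObject source) {
        AccountDto dto = new AccountDto();
        dto.accountName = source.getAccountName();
        dto.goldMemberStatus = source.getGoldMemberStatus();
        return dto;
    }

    public static void main(String[] args) throws Exception {
        // constructed sample input; the password value never reaches either output
        AccountDto dto = from(new SensitiveDomainObject("alice", "not-for-the-wire", "GOLD"));
        System.out.println(new ObjectMapper().writeValueAsString(dto));
        JAXBContext.newInstance(AccountDto.class).createMarshaller().marshal(dto, System.out);
    }
}
```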
