Are DTOs necessary when sending JSON from a RESTful web service?

I'm attempting to build a RESTful web service using Spring MVC. I'm using Jackson's fasterxml JSON parser for communication between the client and server side.

I'm trying to determine whether or not to implement DTOs (Data Transfer Objects) into my RESTful API. I'm currently utilizing Jackson's @JsonProperty(access = Access.WRITE_ONLY) and @JsonIgnore annotations to prevent sensitive fields (such as passwords) from being sent to the client side.

So, are DTOs necessary when using JSON for communication between the client and the server when omitting sensitive fields from the response body, or are the annotations @JsonIgnore and @JsonProperty sufficient enough to prevent sensitive data leakage?

Assuming you talk about serializing entities to JSON instead of using DTOs, which is not very clear, yes, DTOs would be the proper choice from an architectural point of view. Underneath controllers there most commonly is the service layer, which functions on some domain, let's say persistence entities or entities coming from a queuing system.

It is sane to isolate your REST API from your domain and map lower level domain entities to DTOs at service level, most commonly using a POJO mapper.

This would have some performance impact, which you can optimize, but has the benefit of structural isolation between layers.

The second benefit is that you can aggregate information from lower layers and manipulate your REST interface as serves you best.

If, again, we talk about entities, it's wrong to add REST API attributes in the persistence layer.

All this from a conceptual point of view. Another thing that should prevent you from serving entities of JPA2 is that the objects returned from queries are enhanced objects, so using a mapper will again give you more control.

Choosing the mapper configuration is a bit tricky though, since if you expose CRUD operations as in the persistence/domain level, mapping becomes redundant. Exposing entities will only cause scaling problems.
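
As an added illustration (not part of the original question or answer), the Java example below contrasts serializing an annotated entity directly with serializing a DTO built from it. The class names, the resetToken field and the sample values are constructed for the example; it assumes Java 16+ and jackson-databind 2.12+ on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonProperty.Access;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DtoLeakDemo {

    // Hypothetical persistence entity; all field names are assumptions for this example.
    public static class UserEntity {
        private final long id;
        private final String username;
        @JsonProperty(access = Access.WRITE_ONLY) // deny-list: hidden only because it is annotated
        private final String passwordHash;
        private final String resetToken; // added later without an annotation

        UserEntity(long id, String username, String passwordHash, String resetToken) {
            this.id = id;
            this.username = username;
            this.passwordHash = passwordHash;
            this.resetToken = resetToken;
        }

        public long getId() { return id; }
        public String getUsername() { return username; }
        public String getPasswordHash() { return passwordHash; }
        public String getResetToken() { return resetToken; } // public getter: serialized by default
    }

    // Response DTO: an allow-list. Only fields declared here can reach the client.
    public record UserResponse(long id, String username) {
        static UserResponse from(UserEntity e) {
            return new UserResponse(e.getId(), e.getUsername());
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Constructed sample values.
        UserEntity user = new UserEntity(7L, "alice", "constructed-hash", "constructed-reset-token");

        // Entity serialized directly: passwordHash is suppressed, resetToken is not.
        System.out.println(mapper.writeValueAsString(user));

        // DTO serialized: neither secret exists on the type, so neither can be emitted.
        System.out.println(mapper.writeValueAsString(UserResponse.from(user)));
    }
}
```

With annotations alone, every new entity field is exposed until someone remembers to hide it; with the DTO, a new field stays private until someone deliberately adds it to the response type.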
