Spring Rest API validation should be in DTO or in entity?

In which tier should the validation be in a Spring Boot Rest API? I have some models, endpoints and DTOs. I added some @NotNull and @Size annotations in the DTO. I added the @Valid annotation in the endpoint along with the @RequestParam annotation.

But now I'm wondering if I should put validation in the @Entity classes as well? I feel like it would be a duplication of code. But I read that a tier should never rely on another one.

It's ironic how many people truly believe that validation should be something we partake upon in our controllers or the value objects which they exchange with business code and at no other place should there be concern for state validation.

We should always strive to perform validation at multiple stages of any application.

Consider for the moment a controller that accepts a value object that you intend to use to change a business entity in some service and that value object contains only a subset of fields that you intend to manipulate in a larger entity. You validate the value object in your presentation tier and pass that to your service which fetches the entity, takes the values from the value object and sets them on the appropriate entity. Perhaps that service method manipulates other fields too.

What guarantee do we have that the state of that entity is valid?

While we validated the value object was valid, we only validated those inputs within the context of the subset of fields which were supplied. We didn't validate that those values in conjunction with the other existing state of the entity were still valid.

It's also important to try and guard against developer mistakes too. Test cases only get you so far and we all can agree we don't validate the validity of every combination of values in our tests. We often target very specific cases and scenarios and draw conclusions from there.

By applying validation not only to our presentation value objects but to our entities, you not only allow your test cases to focus on broad feature validation but you guarantee that your data store state is never compromised by the application.
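The scenario this answer describes, as an added example that is not part of the original answer: a DTO that passes its own checks can still leave the entity in an invalid state once its values are combined with fields the DTO never carried. The class names, fields and the 50% rule are hypothetical; it assumes the `jakarta.validation` API (`javax.validation` on older Spring Boot versions) with Hibernate Validator and an expression-language implementation on the classpath, and `Product` is left as a plain class rather than an `@Entity` so it runs without JPA.

```java
import jakarta.validation.ConstraintViolation;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import jakarta.validation.constraints.AssertTrue;
import jakarta.validation.constraints.Max;
import jakarta.validation.constraints.Min;
import jakarta.validation.constraints.NotNull;
import java.util.Set;

public class LayeredValidationDemo {
    // Hypothetical DTO: only the subset of fields this endpoint may change.
    static class DiscountDto {
        @NotNull @Min(0) @Max(100) Integer discountPercent;
    }

    // Hypothetical entity: full state, including fields the DTO never carries.
    static class Product {
        boolean clearance = false;
        @NotNull @Min(0) @Max(100) Integer discountPercent = 0;

        // Cross-field invariant: depends on state outside the DTO's subset.
        @AssertTrue(message = "discount above 50% requires clearance")
        public boolean isDiscountAllowed() {
            return discountPercent == null || clearance || discountPercent <= 50;
        }
    }

    // What the service does: copy DTO values onto the entity, then validate the entity.
    static Set<ConstraintViolation<Product>> applyDiscount(Validator v, Product p, DiscountDto dto) {
        p.discountPercent = dto.discountPercent;
        return v.validate(p);
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();

        DiscountDto dto = new DiscountDto();
        dto.discountPercent = 70; // constructed input: valid on its own
        System.out.println("DTO violations: " + validator.validate(dto).size());

        Product product = new Product(); // stands in for the entity the service fetched
        for (ConstraintViolation<Product> cv : applyDiscount(validator, product, dto)) {
            System.out.println("Entity violation: " + cv.getPropertyPath() + " " + cv.getMessage());
        }
    }
}
```

With JPA, Hibernate runs the same entity constraints at persist and update time when a Bean Validation provider is on the classpath, so the entity-level check does not depend on every service method remembering to call the validator.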

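In the entity, you should add the constraints that the data needs in order to be in a healthy state, and all validation logic should be in the DTO, because your RestController serves DTOs; the controller is responsible for checking validation before mapping to the entity.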

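Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.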

 