Hibernate @Validator with Spring Boot

Question

I have a controller method that handles the POST request for a reset password form. The form has a hidden input field for the reset token and prompts the user for a new password.

I'd like to use the @Valid annotation in my code below, but not sure if I can use my existing User class.

Does Hibernate Validator require me to create an additional class specifically for the form?

Controller method

@RequestMapping(value = "/resetPassword", method = RequestMethod.POST)
public ModelAndView setNewPassword(@RequestParam Map<String,String> requestParams) {
  User user = userService.findUserByResetToken(requestParams.get("token"));

  ModelAndView modelAndView = new ModelAndView();
  modelAndView.addObject("message", "Form data is " + requestParams.get("token") + requestParams.get("password") + user.getEmail());
  modelAndView.setViewName("resetPassword");

  return modelAndView;
}

User class

@Entity
@Table(name = "user")
public class User {
  @Id
  @GeneratedValue(strategy = GenerationType.AUTO)
  @Column(name = "id")
  private int id;

  @Column(name = "email")
  @Email(message = "Please provide a valid e-mail")
  @NotEmpty(message = "Please provide an e-mail")
  private String email;

  @Column(name = "password")
  @Size(min = 8, max = 72, message = "Your password must be between 8 and 72 characters long")
  @NotEmpty(message = "Please provide a password")
  @Transient
  private String password;

  @Column(name = "first_name")
  @NotEmpty(message = "Please provide your first name")
  private String firstName;

  @Column(name = "last_name")
  @NotEmpty(message = "Please provide your last name")
  private String lastName;

  @Column(name = "enabled")
  private boolean enabled;

  @Column(name = "confirmation_token")
  private String confirmationToken;

  @Column(name = "created_on")
  private Date createdOn;

  @Column(name = "last_login")
  private Date lastLogin;

  @Column(name = "reset_token")
  private String resetToken;

  // Getters and setters omitted 
}

Answer 1

You ought to create a separate class, also better to use that class directly as your request body to be able to apply @Valid on it;

Controller Method

@RequestMapping(value = "/resetPassword", method = RequestMethod.POST)
public ModelAndView setNewPassword(@RequestBody @Valid PasswordUpdateRq passwordUpdateRq) {
  User user = userService.findUserByResetToken(passwordUpdateRq.getToken());

  ModelAndView modelAndView = new ModelAndView();
  modelAndView.addObject("message", "Form data is " + passwordUpdateRq.getToken() + passwordUpdateRq.getPassword() + user.getEmail());
  modelAndView.setViewName("resetPassword");

  return modelAndView;
}

New Request Bean

public class PasswordUpdateRq {
  @Size(min = 8, max = 72, message = "Your password must be between 8 and 72 characters long")
  @NotEmpty(message = "Please provide a password")
  private String password;
  private String token;

  // Getters and setters omitted 
}

This will make validation automatic as you've requested. The reason User class is not usable here is that there are other fields with @NotEmpty etc restrictions, which does not exist in your current form, and these would always fail the validation.

Extra comment: I think using the same object for controller layer validation & operations with database creates a high coupling between two, I'd recommend keeping table related classes under logic classes, and use interface beans that are endpoint specific in controller layer.