Seems that current implementation on spring-data-rest converts paths to SpEL to apply values directly on beans. See PatchOperation (v2.5.x).
Consider these options:
- Instead of json-patch use json-merge PATCH request to send partial updates (with "application/json" or "application/merge-patch+json" content type). This will respect
@JsonIgnoreand other Jackson annotations and also treat associations differently. - You can disable "json-patch+json" completely, for example by adding a security filter
- You can always create your custom json-patch implementation, if you still need it
- Use application-level joining not relying on JPA, i.e. only exposing IDs of the linked entities and providing custom links in your
ResourceProcessor.
Additionally, if you're using JPA and Comment.article is annotated with @ManyToOne make sure that there's no cascading on association. Even if the article object is modified with patch it won't be saved together with the comment.
Videos
Seems that current implementation on spring-data-rest converts paths to SpEL to apply values directly on beans. See PatchOperation (v2.5.x).
Consider these options:
- Instead of json-patch use json-merge PATCH request to send partial updates (with "application/json" or "application/merge-patch+json" content type). This will respect
@JsonIgnoreand other Jackson annotations and also treat associations differently. - You can disable "json-patch+json" completely, for example by adding a security filter
- You can always create your custom json-patch implementation, if you still need it
- Use application-level joining not relying on JPA, i.e. only exposing IDs of the linked entities and providing custom links in your
ResourceProcessor.
Additionally, if you're using JPA and Comment.article is annotated with @ManyToOne make sure that there's no cascading on association. Even if the article object is modified with patch it won't be saved together with the comment.
There's been a recent fix in Spring Data Rest:
https://github.com/spring-projects/spring-data-rest/issues/2177
The commit that resolves this issue is:
https://github.com/spring-projects/spring-data-rest/commit/5d0687d1a1bb9a84264ecb4cd088907837c382d3
From a quick read this seems to be checking that when applying a JSON patch to an entity a check is done with Jackson that the path should be accessible (read/write).
This should prevent users from being able to specify paths in the JSON patch that aren't normally exposed through POST/GET requests that are mapped directly onto entities through Jackson. I think that if you had marked the article as readable from the comment and the title attribute as writeable then the new code should allow it. Or that's I think what org.springframework.data.rest.webmvc.json.patch.JsonPointerMapping#verify is trying to do.
So if you marked the article on the comment as not being readable through Jackson (@JsonIgnore on the getter) then JSON patch shouldn't allow the title of the article to be set through a comment. The association would still exist, just not be exposed through JSON serialization, I'm not sure if this would cause problems for your application.
The change is released in Spring Data Rest 4.0.0 which is part of Spring Data 2022.0.1 which is in Spring Boot 3.0.2.
https://github.com/spring-projects/spring-data-rest/releases/tag/4.0.0 https://github.com/spring-projects/spring-data-bom/releases/tag/2022.0.1 https://github.com/spring-projects/spring-boot/releases/tag/v3.0.2