Data Binding
Data binding is the mechanism for binding String parameters onto an object graph, with type conversion. It is a core mechanism of the Spring Framework that supports application configuration, and in web applications it makes query parameters and form data conveniently accessible through richly typed objects rather than a map of String values.
For details of the data binding mechanism (constructor and setter binding, property name syntax, type conversion, and so on), see Data Binding in the Core Technologies section.
For annotated controllers, data binding applies to @ModelAttribute method arguments. For functional endpoints, use the bind methods of ServerRequest.
Note: For browser applications with annotated controllers, you can use @ModelAttribute methods to initialize additional model attributes for use in rendered views.
Each request uses a separate WebDataBinder instance. For annotated controllers, this instance can be customized through @InitBinder methods within a controller, or across controllers through controller advice. For functional endpoints, use the overloaded ServerRequest.bind methods.
Model Design
Data binding involves binding untrusted input onto application objects. For security reasons, it’s crucial to ensure that input is properly constrained to expected fields only. This section provides guidance for safe binding.
First, prefer immutable object design for web binding purposes. It is safe because a constructor naturally constrains binding to the expected inputs. You can use a Java record or a class with a primary constructor, and either can have further nested objects. See Constructor Binding for details.
Another option for safe binding is to use dedicated objects designed for the expected input. Such objects, even if mutable, are safe because they constrain binding to the expected inputs.
Domain objects such as JPA or Hibernate entities are generally not safe for web binding as they likely contain more properties than the expected inputs. For such cases, it’s crucial to declare the properties to expose for binding. For example:
    @Controller
    public class PersonController {

        @InitBinder
        void initBinder(WebDataBinder binder) {
            // See Javadoc for supported pattern syntax
            binder.setAllowedFields("firstName", "lastName", "*Address");
        }
    }
Note: It is also possible to configure disallowedFields, but that is fragile and due to be deprecated in Spring Framework 7.1 (tracked on GitHub). It is easy to overlook fields, or to introduce additional fields over time that should also be excluded.
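The following is an added example, not code from the Spring reference documentation, that runs the same constructed request parameters through both designs described above: an immutable record (constructor binding, with a nested record) and a hypothetical JPA-style entity (setter binding), the latter with and without allowedFields. It uses DataBinder directly rather than a controller so it can run as a plain main method; the record, the PersonEntity class and the parameter values are all constructed for this example, and DataBinder.construct, setTargetType and the ValueResolver interface are assumed to be available as in Spring Framework 6.1.2 or later.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.core.ResolvableType;
import org.springframework.validation.DataBinder;

// Added example (not from the Spring reference docs): one set of request
// parameters bound to an immutable record and to a mutable domain entity.
public class SafeBindingDemo {

    // Immutable form objects: the constructor is the binding contract,
    // so only firstName, lastName and homeAddress.* can ever be bound.
    public record Address(String street, String city) {}
    public record PersonForm(String firstName, String lastName, Address homeAddress) {}

    // Hypothetical domain entity: carries state (admin) the client must not control.
    public static class PersonEntity {
        private String firstName;
        private String lastName;
        private boolean admin;
        public String getFirstName() { return firstName; }
        public void setFirstName(String v) { firstName = v; }
        public String getLastName() { return lastName; }
        public void setLastName(String v) { lastName = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    // Constructed sample input standing in for query/form parameters; "admin"
    // is an extra parameter that no form should accept.
    static MutablePropertyValues sampleInput() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("firstName", "Ada");
        pvs.add("lastName", "Lovelace");
        pvs.add("homeAddress.street", "1 Example Street");
        pvs.add("homeAddress.city", "London");
        pvs.add("admin", "true");
        return pvs;
    }

    // Adapts PropertyValues to the ValueResolver that DataBinder.construct expects.
    static DataBinder.ValueResolver resolver(MutablePropertyValues pvs) {
        return new DataBinder.ValueResolver() {
            @Override public Object resolveValue(String name, Class<?> type) {
                return pvs.contains(name) ? pvs.getPropertyValue(name).getValue() : null;
            }
            @Override public Set<String> getNames() {
                return Arrays.stream(pvs.getPropertyValues())
                        .map(pv -> pv.getName()).collect(Collectors.toSet());
            }
        };
    }

    // Constructor binding: the nested Address is constructed from homeAddress.* values.
    public static PersonForm bindRecord(MutablePropertyValues pvs) {
        DataBinder binder = new DataBinder(null, "personForm");
        binder.setTargetType(ResolvableType.forClass(PersonForm.class));
        binder.construct(resolver(pvs));
        return (PersonForm) binder.getTarget();
    }

    // Setter binding onto the entity, optionally restricted to declared fields.
    public static PersonEntity bindEntity(MutablePropertyValues pvs, boolean restrict) {
        PersonEntity target = new PersonEntity();
        DataBinder binder = new DataBinder(target, "person");
        if (restrict) {
            binder.setAllowedFields("firstName", "lastName");
        }
        binder.bind(pvs);
        System.out.println("suppressed fields: "
                + Arrays.toString(binder.getBindingResult().getSuppressedFields()));
        return target;
    }

    public static void main(String[] args) {
        System.out.println(bindRecord(sampleInput()));
        PersonEntity unrestricted = bindEntity(sampleInput(), false);
        System.out.println("without allowedFields, admin=" + unrestricted.isAdmin());
        PersonEntity restricted = bindEntity(sampleInput(), true);
        System.out.println("with allowedFields, admin=" + restricted.isAdmin());
    }
}
```

The record cannot receive the stray "admin" parameter at all, because binding stops at the constructor signature. For the entity, the first call binds every matching setter, while the second leaves admin at its default and reports the ignored parameter through BindingResult.getSuppressedFields(), which is a useful place to log or alert on unexpected input in a real application.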
By default, DataBinder applies both constructor and setter binding. This is fine with immutable objects and dedicated objects, but for domain objects you must remember to set allowedFields. To ensure data binding is only used in a declarative style where the expected inputs are explicitly declared, you can set declarativeBinding on DataBinder. That always applies constructor binding, and applies setter binding only if allowedFields is set. The following shows how to set this flag globally; you can also narrow it through the attributes of @ControllerAdvice:
    @ControllerAdvice
    public class ControllerConfig {

        @InitBinder
        void initBinder(WebDataBinder binder) {
            binder.setDeclarativeBinding(true);
        }
    }
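The following added example (not from the Spring reference documentation) shows the effect of the declarativeBinding flag on setter binding, again with DataBinder used directly so it runs as a plain main method. The Profile class and the request parameters are constructed for this example; DataBinder.setDeclarativeBinding is assumed to be available as in Spring Framework 6.1 or later.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

// Added example (not from the Spring reference docs): with declarativeBinding
// enabled, setter binding onto a mutable target only happens once allowedFields
// has been declared.
public class DeclarativeBindingDemo {

    // Hypothetical mutable domain object; "verified" is server-managed state.
    public static class Profile {
        private String displayName;
        private boolean verified;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String v) { displayName = v; }
        public boolean isVerified() { return verified; }
        public void setVerified(boolean v) { verified = v; }
    }

    // Constructed request parameters, including one that must never be bound.
    static MutablePropertyValues input() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("displayName", "ada");
        pvs.add("verified", "true");
        return pvs;
    }

    // Mirrors a global @InitBinder that calls setDeclarativeBinding(true),
    // followed by an optional per-controller setAllowedFields.
    public static Profile bind(String... allowedFields) {
        Profile target = new Profile();
        DataBinder binder = new DataBinder(target, "profile");
        binder.setDeclarativeBinding(true);
        if (allowedFields.length > 0) {
            binder.setAllowedFields(allowedFields);
        }
        binder.bind(input());
        return target;
    }

    public static void main(String[] args) {
        // No allowedFields declared: declarative mode skips setter binding,
        // so nothing from the request reaches the target.
        Profile untouched = bind();
        System.out.println("no allowedFields: displayName=" + untouched.getDisplayName()
                + ", verified=" + untouched.isVerified());

        // allowedFields declared: only the listed property is bound.
        Profile declared = bind("displayName");
        System.out.println("allowedFields=[displayName]: displayName=" + declared.getDisplayName()
                + ", verified=" + declared.isVerified());
    }
}
```

The practical consequence of enabling the flag globally is worth noting when rolling it out: a controller that binds onto a mutable object without declaring allowedFields does not fail loudly, it simply receives an unbound object, so existing controllers need to be reviewed for that case as part of the change.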