Spring restController: how to error when unknown @RequestParam is in url

Question

I'm using spring 4.2 to create some restfull webservices. But we realized that when a user mistypes one of the not-mandatory @RequestParam, we do not get an error that the param he passed is unknown.

like we have @RequestParam(required=false, value="valueA") String value A and in the call he uses '?valuueA=AA' -> we want an error. But I do not seem to find a way to do this, the value is just ignored and the user is unaware of this.

Answer 1

One possible solution would be to create an implementation of HandlerInterceptor which will verify that all request parameters passed to the handler method are declared in its @RequestParam annotated parameters.

However you should consider the disadvantages of such solution. There might be situations where you want to allow certain parameters to be passed in and not be declared as request params. For instance if you have request like GET /foo?page=1&offset=0 and have handler with following signature:

@RequestMapping
public List<Foo> listFoos(PagingParams page);

and PagingParams is a class containing page and offset properties, it will normally be mapped from the request parameters. Implementation of a solution you want would interfere with this Spring MVC'c functionality.

---

That being said, here is a sample implementation I had in mind:

public class UndeclaredParamsHandlerInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        if (handler instanceof HandlerMethod) {
            HandlerMethod handlerMethod = (HandlerMethod) handler;
            checkParams(request, getDeclaredRequestParams(handlerMethod));
        }
        return true;
    }

    private void checkParams(HttpServletRequest request, Set<String> allowedParams) {
        request.getParameterMap().entrySet().forEach(entry -> {
            String param = entry.getKey();
            if (!allowedParams.contains(param)) {
                throw new UndeclaredRequestParamException(param, allowedParams);
            }
        });
    }

    private Set<String> getDeclaredRequestParams(HandlerMethod handlerMethod) {
        Set<String> declaredRequestParams = new HashSet<>();
        MethodParameter[] methodParameters = handlerMethod.getMethodParameters();
        ParameterNameDiscoverer parameterNameDiscoverer = new DefaultParameterNameDiscoverer();

        for (MethodParameter methodParameter : methodParameters) {
            if (methodParameter.hasParameterAnnotation(RequestParam.class)) {
                RequestParam requestParam = methodParameter.getParameterAnnotation(RequestParam.class);
                if (StringUtils.hasText(requestParam.value())) {
                    declaredRequestParams.add(requestParam.value());
                } else {
                    methodParameter.initParameterNameDiscovery(parameterNameDiscoverer);
                    declaredRequestParams.add(methodParameter.getParameterName());
                }
            }
        }
        return declaredRequestParams;
    }

}

Basically this will do what I described above. You can then add exception handler for the exception it throws and translate it to HTTP 400 response. I've put more of an complete sample on Github, which includes a way to selectively enable this behavior for individual handler methods via annotation.