Add method validation to Spring MVC

See gh-29825

Author: rstoyanchev

spring-context/src/main/java/org/springframework/validation/DataBinder.java

@@ -24,6 +24,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Predicate;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -164,6 +165,9 @@ public class DataBinder implements PropertyEditorRegistry, TypeConverter {
 
 	private final List<Validator> validators = new ArrayList<>();
 
+	@Nullable
+	private Predicate<Validator> excludedValidators;
+
 
 	/**
 	 * Create a new DataBinder instance, with default object name.
@@ -580,6 +584,14 @@ private void assertValidators(Validator... validators) {
 		}
 	}
 
+	/**
+	 * Configure a predicate to exclude validators.
+	 * @since 6.1
+	 */
+	public void setExcludedValidators(Predicate<Validator> predicate) {
+		this.excludedValidators = predicate;
+	}
+
 	/**
 	 * Add Validators to apply after each binding step.
 	 * @see #setValidator(Validator)
@@ -616,6 +628,18 @@ public List<Validator> getValidators() {
 		return Collections.unmodifiableList(this.validators);
 	}
 
+	/**
+	 * Return the Validators to apply after data binding. This includes the
+	 * configured {@link #getValidators() validators} filtered by the
+	 * {@link #setExcludedValidators(Predicate) exclude predicate}.
+	 * @since 6.1
+	 */
+	public List<Validator> getValidatorsToApply() {
+		return (this.excludedValidators != null ?
+				this.validators.stream().filter(validator -> !this.excludedValidators.test(validator)).toList() :
+				Collections.unmodifiableList(this.validators));
+	}
+
 
 	//---------------------------------------------------------------------
 	// Implementation of PropertyEditorRegistry/TypeConverter interface
@@ -906,7 +930,7 @@ public void validate() {
 		Assert.state(target != null, "No target to validate");
 		BindingResult bindingResult = getBindingResult();
 		// Call each validator with the same binding result
-		for (Validator validator : getValidators()) {
+		for (Validator validator : getValidatorsToApply()) {
 			validator.validate(target, bindingResult);
 		}
 	}
@@ -924,7 +948,7 @@ public void validate(Object... validationHints) {
 		Assert.state(target != null, "No target to validate");
 		BindingResult bindingResult = getBindingResult();
 		// Call each validator with the same binding result
-		for (Validator validator : getValidators()) {
+		for (Validator validator : getValidatorsToApply()) {
 			if (!ObjectUtils.isEmpty(validationHints) && validator instanceof SmartValidator smartValidator) {
 				smartValidator.validate(target, bindingResult, validationHints);
 			}

spring-web/src/main/java/org/springframework/web/bind/support/DefaultDataBinderFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,7 +16,11 @@
 
 package org.springframework.web.bind.support;
 
+import java.lang.annotation.Annotation;
+
+import org.springframework.core.MethodParameter;
 import org.springframework.lang.Nullable;
+import org.springframework.validation.DataBinder;
 import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.context.request.NativeWebRequest;
 
@@ -32,6 +36,8 @@ public class DefaultDataBinderFactory implements WebDataBinderFactory {
 	@Nullable
 	private final WebBindingInitializer initializer;
 
+	private boolean methodValidationApplicable;
+
 
 	/**
 	 * Create a new {@code DefaultDataBinderFactory} instance.
@@ -43,6 +49,17 @@ public DefaultDataBinderFactory(@Nullable WebBindingInitializer initializer) {
 	}
 
 
+	/**
+	 * Configure flag to signal whether validation will be applied to handler
+	 * method arguments, which is the case if Bean Validation is enabled in
+	 * Spring MVC, and method parameters have {@code @Constraint} annotations.
+	 * @since 6.1
+	 */
+	public void setMethodValidationApplicable(boolean methodValidationApplicable) {
+		this.methodValidationApplicable = methodValidationApplicable;
+	}
+
+
 	/**
 	 * Create a new {@link WebDataBinder} for the given target object and
 	 * initialize it through a {@link WebBindingInitializer}.
@@ -87,4 +104,36 @@ protected void initBinder(WebDataBinder dataBinder, NativeWebRequest webRequest)
 
 	}
 
+	/**
+	 * {@inheritDoc}.
+ 	 * <p>By default, if the parameter has {@code @Valid}, Bean Validation is
+	 * excluded, deferring to method validation.
+	 */
+	@Override
+	public WebDataBinder createBinder(
+			NativeWebRequest webRequest, @Nullable Object target, String objectName,
+			MethodParameter parameter) throws Exception {
+
+		WebDataBinder dataBinder = createBinder(webRequest, target, objectName);
+		if (this.methodValidationApplicable) {
+			MethodValidationInitializer.updateBinder(dataBinder, parameter);
+		}
+		return dataBinder;
+	}
+
+
+	/**
+	 * Excludes Bean Validation if the method parameter has {@code @Valid}.
+	 */
+	private static class MethodValidationInitializer {
+
+		public static void updateBinder(DataBinder binder, MethodParameter parameter) {
+			for (Annotation annotation : parameter.getParameterAnnotations()) {
+				if (annotation.annotationType().getName().equals("jakarta.validation.Valid")) {
+					binder.setExcludedValidators(validator -> validator instanceof jakarta.validation.Validator);
+				}
+			}
+		}
+	}
+
 }

spring-web/src/main/java/org/springframework/web/bind/support/WebDataBinderFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.web.bind.support;
 
+import org.springframework.core.MethodParameter;
 import org.springframework.lang.Nullable;
 import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.context.request.NativeWebRequest;
@@ -24,6 +25,7 @@
  * A factory for creating a {@link WebDataBinder} instance for a named target object.
  *
  * @author Arjen Poutsma
+ * @author Rossen Stoyanchev
  * @since 3.1
  */
 public interface WebDataBinderFactory {
@@ -40,4 +42,18 @@ public interface WebDataBinderFactory {
 	WebDataBinder createBinder(NativeWebRequest webRequest, @Nullable Object target, String objectName)
 			throws Exception;
 
+	/**
+	 * Variant of {@link #createBinder(NativeWebRequest, Object, String)} with a
+	 * {@link MethodParameter} for which the {@code DataBinder} is created. This
+	 * may provide more insight to initialize the {@link WebDataBinder}.
+	 * @since 6.1
+	 */
+	default WebDataBinder createBinder(
+			NativeWebRequest webRequest, @Nullable Object target, String objectName,
+			MethodParameter parameter) throws Exception {
+
+		return createBinder(webRequest, target, objectName);
+	}
+
+
 }

spring-web/src/main/java/org/springframework/web/method/HandlerMethod.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.StringJoiner;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
@@ -35,6 +36,10 @@
 import org.springframework.core.MethodParameter;
 import org.springframework.core.ResolvableType;
 import org.springframework.core.annotation.AnnotatedElementUtils;
+import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.core.annotation.MergedAnnotation;
+import org.springframework.core.annotation.MergedAnnotationPredicates;
+import org.springframework.core.annotation.MergedAnnotations;
 import org.springframework.core.annotation.SynthesizingMethodParameter;
 import org.springframework.http.HttpStatusCode;
 import org.springframework.lang.NonNull;
@@ -44,6 +49,7 @@
 import org.springframework.util.ObjectUtils;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.util.StringUtils;
+import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.ResponseStatus;
 
 /**
@@ -84,6 +90,10 @@ public class HandlerMethod {
 
 	private final MethodParameter[] parameters;
 
+	private final boolean validateArguments;
+
+	private final boolean validateReturnValue;
+
 	@Nullable
 	private HttpStatusCode responseStatus;
 
@@ -122,6 +132,8 @@ protected HandlerMethod(Object bean, Method method, @Nullable MessageSource mess
 		this.bridgedMethod = BridgeMethodResolver.findBridgedMethod(method);
 		ReflectionUtils.makeAccessible(this.bridgedMethod);
 		this.parameters = initMethodParameters();
+		this.validateArguments = MethodValidationInitializer.checkArguments(this.beanType, this.parameters);
+		this.validateReturnValue = MethodValidationInitializer.checkReturnValue(this.beanType, this.bridgedMethod);
 		evaluateResponseStatus();
 		this.description = initDescription(this.beanType, this.method);
 	}
@@ -141,6 +153,8 @@ public HandlerMethod(Object bean, String methodName, Class<?>... parameterTypes)
 		this.bridgedMethod = BridgeMethodResolver.findBridgedMethod(this.method);
 		ReflectionUtils.makeAccessible(this.bridgedMethod);
 		this.parameters = initMethodParameters();
+		this.validateArguments = MethodValidationInitializer.checkArguments(this.beanType, this.parameters);
+		this.validateReturnValue = MethodValidationInitializer.checkReturnValue(this.beanType, this.bridgedMethod);
 		evaluateResponseStatus();
 		this.description = initDescription(this.beanType, this.method);
 	}
@@ -177,6 +191,8 @@ public HandlerMethod(
 		this.bridgedMethod = BridgeMethodResolver.findBridgedMethod(method);
 		ReflectionUtils.makeAccessible(this.bridgedMethod);
 		this.parameters = initMethodParameters();
+		this.validateArguments = MethodValidationInitializer.checkArguments(this.beanType, this.parameters);
+		this.validateReturnValue = MethodValidationInitializer.checkReturnValue(this.beanType, this.bridgedMethod);
 		evaluateResponseStatus();
 		this.description = initDescription(this.beanType, this.method);
 	}
@@ -193,6 +209,8 @@ protected HandlerMethod(HandlerMethod handlerMethod) {
 		this.method = handlerMethod.method;
 		this.bridgedMethod = handlerMethod.bridgedMethod;
 		this.parameters = handlerMethod.parameters;
+		this.validateArguments = handlerMethod.validateArguments;
+		this.validateReturnValue = handlerMethod.validateReturnValue;
 		this.responseStatus = handlerMethod.responseStatus;
 		this.responseStatusReason = handlerMethod.responseStatusReason;
 		this.description = handlerMethod.description;
@@ -212,6 +230,8 @@ private HandlerMethod(HandlerMethod handlerMethod, Object handler) {
 		this.method = handlerMethod.method;
 		this.bridgedMethod = handlerMethod.bridgedMethod;
 		this.parameters = handlerMethod.parameters;
+		this.validateArguments = handlerMethod.validateArguments;
+		this.validateReturnValue = handlerMethod.validateReturnValue;
 		this.responseStatus = handlerMethod.responseStatus;
 		this.responseStatusReason = handlerMethod.responseStatusReason;
 		this.resolvedFromHandlerMethod = handlerMethod;
@@ -290,6 +310,33 @@ public MethodParameter[] getMethodParameters() {
 		return this.parameters;
 	}
 
+	/**
+	 * Whether the method arguments are a candidate for method validation, which
+	 * is the case when there are parameter {@code jakarta.validation.Constraint}
+	 * annotations.
+	 * <p>The presence of {@code jakarta.validation.Valid} by itself does not
+	 * trigger method validation since such parameters are already validated at
+	 * the level of argument resolvers.
+	 * <p><strong>Note:</strong> if the class is annotated with {@link Validated},
+	 * this method returns false, deferring to method validation via AOP proxy.
+	 * @since 6.1
+	 */
+	public boolean shouldValidateArguments() {
+		return this.validateArguments;
+	}
+
+	/**
+	 * Whether the method return value is a candidate for method validation, which
+	 * is the case when there are method {@code jakarta.validation.Constraint}
+	 * or {@code jakarta.validation.Valid} annotations.
+	 * <p><strong>Note:</strong> if the class is annotated with {@link Validated},
+	 * this method returns false, deferring to method validation via AOP proxy.
+	 * @since 6.1
+	 */
+	public boolean shouldValidateReturnValue() {
+		return this.validateReturnValue;
+	}
+
 	/**
 	 * Return the specified response status, if any.
 	 * @since 4.3.8
@@ -603,4 +650,38 @@ public ReturnValueMethodParameter clone() {
 		}
 	}
 
+
+	/**
+	 * Checks for the presence of {@code @Constraint} and {@code @Valid}
+	 * annotations on the method and method parameters.
+	 */
+	private static class MethodValidationInitializer {
+
+		private static final Predicate<MergedAnnotation<? extends Annotation>> INPUT_PREDICATE =
+				MergedAnnotationPredicates.typeIn("jakarta.validation.Constraint");
+
+		private static final Predicate<MergedAnnotation<? extends Annotation>> OUTPUT_PREDICATE =
+				MergedAnnotationPredicates.typeIn("jakarta.validation.Valid", "jakarta.validation.Constraint");
+
+		public static boolean checkArguments(Class<?> beanType, MethodParameter[] parameters) {
+			if (AnnotationUtils.findAnnotation(beanType, Validated.class) == null) {
+				for (MethodParameter parameter : parameters) {
+					MergedAnnotations merged = MergedAnnotations.from(parameter.getParameterAnnotations());
+					if (merged.stream().anyMatch(INPUT_PREDICATE)) {
+						return true;
+					}
+				}
+			}
+			return false;
+		}
+
+		public static boolean checkReturnValue(Class<?> beanType, Method method) {
+			if (AnnotationUtils.findAnnotation(beanType, Validated.class) == null) {
+				MergedAnnotations merged = MergedAnnotations.from(method, MergedAnnotations.SearchStrategy.TYPE_HIERARCHY);
+				return merged.stream().anyMatch(OUTPUT_PREDICATE);
+			}
+			return false;
+		}
+	}
+
 }

spring-web/src/main/java/org/springframework/web/method/annotation/ModelAttributeMethodProcessor.java

@@ -164,7 +164,7 @@ public final Object resolveArgument(MethodParameter parameter, @Nullable ModelAn
 		if (bindingResult == null) {
 			// Bean property binding and validation;
 			// skipped in case of binding failure on construction.
-			WebDataBinder binder = binderFactory.createBinder(webRequest, attribute, name);
+			WebDataBinder binder = binderFactory.createBinder(webRequest, attribute, name, parameter);
 			if (binder.getTarget() != null) {
 				if (!mavContainer.isBindingDisabled(name)) {
 					bindRequestParameters(binder, webRequest);
@@ -251,7 +251,7 @@ protected Object constructAttribute(Constructor<?> ctor, String attributeName, M
 		String[] paramNames = BeanUtils.getParameterNames(ctor);
 		Class<?>[] paramTypes = ctor.getParameterTypes();
 		Object[] args = new Object[paramTypes.length];
-		WebDataBinder binder = binderFactory.createBinder(webRequest, null, attributeName);
+		WebDataBinder binder = binderFactory.createBinder(webRequest, null, attributeName, parameter);
 		String fieldDefaultPrefix = binder.getFieldDefaultPrefix();
 		String fieldMarkerPrefix = binder.getFieldMarkerPrefix();
 		boolean bindingFailure = false;