Security Input Validation

What You'll Learn

How to add middle-tier input validation to entity or form objects using JSR-303 annotations
How to add middle-tier input validation using a custom validator

You can add JSR-303 (or JSR-349) annotations to provide field validation to your form or data transfer object classes:
- The 1.1 spec shows the built-in annotations https://beanvalidation.org/1.1/spec/#builtinconstraints

public class Person {

	@NotNull
	@Size(min=1, max=40)
	private String firstName;

	@Pattern(regexp=".+@.+\\.[a-z]+")
	private String email;

	...
}

You can then enable spring-mvc validation of the values bound (from a HTTP POST request) to an instance of that class on execution of a controller method.

  ...

  @PostMapping("/")
	public String update(@Valid Person person, BindingResult bindingResult) {

		if (bindingResult.hasErrors()) {
			return "profile";
		}

		return "redirect:/profile-updated";
	}

Errors can be displayed in the returned HTML page using Thymeleaf, for example:

...
<form action="#" th:action="@{/}" th:object="${person}" method="post">
	<table>
			<tr>
					<td>Name:</td>
					<td><input type="text" th:field="*{firstName}" /></td>
					<td th:if="${#fields.hasErrors('firstName')}" th:errors="*{firstName}">Name Error</td>
			</tr>
			<tr>
					<td>Name:</td>
					<td><input type="text" th:field="*{email}" /></td>
					<td th:if="${#fields.hasErrors('email')}" th:errors="*{email}">Email Error</td>
			</tr>
			 ...
	</table>
</form>
...

If you wanted to use regex validation, OWASP has a list of useful regular expressions to help. Note, the password complexity regex they suggest would no longer be regarded as best practice (see the next section).
- https://owasp.org/www-community/OWASP_Validation_Regex_Repository

Given the following class:

public class Person {

	private String firstName;

	private String email;

	private String password;

	...
}

We will create a custom password validator.
First, create an annotation which can be applied to a class field:

@Documented
@Constraint(validatedBy = PasswordValidator.class)
@Target( { ElementType.METHOD, ElementType.FIELD })
@Retention(RetentionPolicy.RUNTIME)
public @interface Password {


    String message() default "Password does match the password policy";

    Class<?>[] groups() default {};

    Class<? extends Payload>[] payload() default {};

}

Next, create a custom validator:
- Which is referenced by the validatedBy attribute in the @Constraint annotation above.

public class PasswordValidator implements ConstraintValidator<Password, String> {

		@Override
		public void initialize(Password paramA) {
		}

    public boolean isValid(String password, ConstraintValidatorContext ctx) {
        if (password == null || password.length() < 9) {
            return false;
        }
				return true;
    }
}

The validator provides validation for any field annotated with @Password (although obviously it is meant for password fields).
The example above provides a simple password policy that says the password can not be empty or less than 9 characters.
There are many password policies. Try to follow modern guidance. For example, take a look at:
- https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
- https://pages.nist.gov/800-63-3/sp800-63b.html (Appendix A)
You can then add the validator to the password field in the Person class as an annotation e.g.

...
 @Password
 private String password;
...

As with the previous section. You then enable spring-mvc validation of the values bound (from a HTTP POST request) to an instance of that class on execution of a controller method.

  ...

  @PostMapping("/")
	public String update(@Valid Person person, BindingResult bindingResult) {

		if (bindingResult.hasErrors()) {
			return "profile";
		}

		return "redirect:/profile-updated";
	}