What to do when REST POST provides an identifier?

I am developing a JAX-RS API that includes a simple "Person" table with the "id" and "name" fields, where the "id" is bound to a caller in the MySQL database. A typical use case would be POST to a new person.

POST JSON messages {"name":"Bob"} may return, for example, {"id":101,"name":"Bob"}.

What if the caller requests a POST of the object that contains the identifier? It seems my options are:

  • Reject request as invalid
  • Remove ID from request and continue processing
  • Treat POST as UPSERT (if update fails, delete ID and paste)
  • Trying to create a new record using the provided id

The latter option seems dodgy in terms of security. If I use MySQL, an attacker can break my offline number to the maximum value in one request.

How should I include an identifier in a POST request in a REST API?

+4
2 answers

You must reject all requests that click the endpoint /users/. First of all, for security reasons (at the database level), and secondly, this is not a client task for generating / proposing identifiers.

So, the answer is to reject the request as invalid along with the corresponding status code (400) and a message explaining the reason for the rejection.

, , ID (, , ), , . , PUT , / - .

RESTful - upsert REST - POST . - .

+1
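A sketch of the "reject with 400" option as a JAX-RS resource, added here as an illustration and not code from the question or either answer. It assumes the javax.ws.rs (JAX-RS 2.x) API and a JSON provider such as Jackson that binds the body to a Map; the "/users" path follows the answer above, and the in-memory counter is a hypothetical stand-in for the database's generated key.

```java
// Added example, not from the original thread. Assumes the javax.ws.rs (JAX-RS 2.x)
// API and a JSON provider such as Jackson that can bind a request body to a Map.
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;

@Path("/users")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public class PersonResource {
    // Hypothetical stand-in for the database-generated key; only the server advances it.
    private static final AtomicLong NEXT_ID = new AtomicLong(100);

    @POST
    public Response create(Map<String, Object> body, @Context UriInfo uriInfo) {
        if (body == null) {
            return badRequest("request body is required");
        }
        // Reject on key presence, so {"id": null} and {"id": 0} are refused as well.
        if (body.containsKey("id")) {
            return badRequest("id is assigned by the server and must not be sent on POST");
        }
        Object name = body.get("name");
        if (!(name instanceof String) || ((String) name).trim().isEmpty()) {
            return badRequest("name must be a non-empty string");
        }
        long id = NEXT_ID.incrementAndGet(); // a real resource would INSERT and read the generated key
        Map<String, Object> created = new LinkedHashMap<>();
        created.put("id", id);
        created.put("name", name);
        URI location = uriInfo.getAbsolutePathBuilder().path(Long.toString(id)).build();
        return Response.created(location).entity(created).build();
    }

    private static Response badRequest(String message) {
        Map<String, Object> error = new LinkedHashMap<>();
        error.put("error", message);
        return Response.status(Response.Status.BAD_REQUEST).entity(error).build();
    }
}
```

Binding to a Map rather than a Person bean lets the handler see whether the "id" key was sent at all; a bean with a nullable id field cannot distinguish an absent key from an explicit null.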

- @JSonIgnore. GET, PUT DELETE /user/ {id}, . POST , , , URL-, , .

0

Source: https://habr.com/ru/post/1613972/

