Have you ever come across a Sonar vulnerability issue such as:

Replace this persistence entity with a POJO or DTO object.

This happens when you pass a persistence entity into the @ResponseBody of a REST call instead of a DTO object.

This article will show you how to replace a persistence entity with a DTO object.

You can clone the Github repository using this link.

You'll use this application as a reference.

Let's start.

1. Add Model Mapper

The Model Mapper is an object mapping library. It makes it easy to convert one object model into another object model.

In the pom.xml, add the Model Mapper dependency:

 <dependency>
    <groupId>org.modelmapper</groupId>
    <artifactId>modelmapper</artifactId>
    <version>2.4.5</version>
</dependency>

P.S: if you ever get any problems after adding the above dependency, running the command mvn clean install usually helps.

2. Create a Data Transfer Object

Martin Fowler introduced the Data Transfer Object pattern in his book "Patterns of Enterprise Application Architecture".

A Data Transfer Object is an object which carries data between processes.

This object doesn't contain any business logic.

In the src/main/java/com/techwithmaddy/CustomerAPI directory:

1. Create a new package called dto (all lowercase).

2. Create a class called CustomerDTO in the dto package.

This class has the following content:

package com.techwithmaddy.CustomerAPI.dto;

import lombok.Data;

@Data
public class CustomerDTO {

    private String firstName;
    private String lastName;
    private String email;
    private String phoneNumber;

}

3. Create a Customer Converter class

This converter class is responsible for converting an entity into DTO and vice versa.

In the src/main/java/com/techwithmaddy/CustomerAPI directory:

1. Create another package called converter (all lowercase).

2. Create a class called CustomerConverter in the converter package.

This class has the following content:

package com.techwithmaddy.CustomerAPI.converter;

import com.techwithmaddy.CustomerAPI.dto.CustomerDTO;
import com.techwithmaddy.CustomerAPI.model.Customer;
import org.modelmapper.ModelMapper;
import org.springframework.stereotype.Component;

@Component
public class CustomerConverter {

    public CustomerDTO convertEntityToDto(Customer customer) {
        ModelMapper modelMapper = new ModelMapper();
        CustomerDTO customerDTO = modelMapper.map(customer, CustomerDTO.class);
        return customerDTO;
    }

    public Customer convertDtoToEntity(CustomerDTO customerDTO) {
        ModelMapper modelMapper = new ModelMapper();
        Customer customer = modelMapper.map(customerDTO, Customer.class);
        return customer;
    }
}

4. Refactor Customer Service class

Use the CustomerDTO instead of the Customer entity database object.

Refactor this class by importing the ModelMapper and the CustomerConverter, and auto-wiring them.

    @Autowired
    ModelMapper modelMapper;

    @Autowired
    CustomerConverter customerConverter;

The saveCustomer() method will now be like this:

    public CustomerDTO saveCustomer(CustomerDTO customerDTO) {
        Customer customer = customerConverter.convertDtoToEntity(customerDTO);
        customer = customerRepository.save(customer);
        return customerConverter.convertEntityToDto(customer);
    }

5. Refactor the Customer Controller class

Add this property to the Rest Controller:

    @Autowired
    private CustomerConverter customerConverter;

And refactor this saveCustomer() method to use the CustomerDTO instead of the Entity class:

    @RequestMapping(method = {POST}, path = "/save", produces = MediaType.APPLICATION_JSON_VALUE)
    public CustomerDTO saveCustomer(@Valid @RequestBody CustomerDTO customerDTO){
        return customerService.saveCustomer(customerDTO);
    }

6. Run the application

For the purpose of this tutorial, temporarily comment out:

1. The Rest Controller's GET, PUT, and PATCH requests.

2. The entire CustomerServiceTest class.

Now you can run the application.

• On Postman, create the following POST request and select the SEND button:

• On MySQL, you should see the new customer added to the table.

7. Why use a DTO instead of an entity?

Let's imagine the following scenario:

A school wants to save data about its students. A database stores student names, surnames, emails, and other sensitive information. Teachers only have access to some of the data stored in the database (such as name, surname, and email). The rest of the information won't be accessible and visible to teachers. Teachers can only see the data they need.

Data Transfer Objects store some of the data present in the database with no business logic.

The client communicates with the controller layer in the Spring Boot architecture.

If you didn't have Data Transfer Objects, you would have to use an Entity class in the controller class, creating a vulnerability risk in your application.

Related: Spring Boot Architecture

Key Takeaways

This article has shown you how to replace an entity with a DTO and use a DTO in the ResponseBody of a REST call.

I hope you've found this article helpful.

Do you know of any other approach? Please let me know in the comments.

Until next time! 🙋🏾‍♀️

ADDITIONAL RESOURCES

• StackExchange: What is the use of DTO instead of Entity?

• Viktoria Senuic, Stack Abuse: Data Transfer Object Pattern in Java - Implementation and Mapping

• Baeldung: The DTO Pattern (Data Transfer Object)