Summary
When validating HTTP headers in a controller method parameter, a ConstraintViolationException is thrown instead of a HandlerMethodValidationException. As a result, ResponseEntityExceptionHandler does not handle this exception, leading to a 500 Internal Server Error instead of a 400 Bad Request.
Expected Behavior
If validation fails for an HTTP header parameter, a HandlerMethodValidationException should be thrown, allowing ResponseEntityExceptionHandler to process it correctly and return a 400 Bad Request response.
Actual Behavior
When a validation constraint (e.g., @Size ) is applied to an HTTP header parameter, a ConstraintViolationException is thrown instead. Since ResponseEntityExceptionHandler does not handle ConstraintViolationException, the response defaults to a 500 Internal Server Error.
Environment
- Spring Boot: 3.4.3
- Spring Framework: 6.2.3
Steps to Reproduce
Enable Problem Details handling in application.properties
spring.mvc.problemdetails.enabled=true
Define a controller that accepts a header with validation
@RestController
public class TestController {
@GetMapping("/test")
public ResponseEntity<String> test(@NotNull @Size(min = 5, max = 5) @RequestHeader(value = "my-header", required = true) String myHeader) {
return new ResponseEntity<>(HttpStatus.OK);
}
}
Send a request with an invalid header value (e.g., my-header="123")
Observe that a 500 Internal Server Error is returned instead of 400 Bad Request.
Suggested Fix
Instead of throwing ConstraintViolationException, HandlerMethodValidationException should be thrown when validation fails for a method parameter, including HTTP headers.
This approach would ensure that ResponseEntityExceptionHandler properly handles validation errors consistently, aligning with RFC 9457.
Reference Issue
This issue is related to #33133, which discusses similar validation handling concerns.
I apologize if I missed any internal implementation details.
This issue is based on my observations of the current behavior.
Comment From: ijoeljohn
Hi @takashno ,
I’d like to work on resolving this issue where HTTP header validation throws ConstraintViolationException instead of HandlerMethodValidationException, leading to inconsistent error handling.
Problem Understanding:
- Validation failures on @RequestHeader parameters bypass Spring’s HandlerMethodValidationException mechanism.
- This violates RFC 9457 expectations and causes unhandled 500 errors instead of standardized 400 responses.
Proposed Fix:
1. Adjust the validation mechanism in MethodValidationAdapter or related components to ensure header parameter violations trigger HandlerMethodValidationException.
2. Align this behavior with how other method parameters (e.g., @RequestParam, @PathVariable) are validated.
3. Add test cases in WebMvcTest to verify the correct exception and HTTP status for header validation failures.
Related Work:
- I’ve reviewed #33133 and RFC 9457 to ensure consistency in error handling.
- Will follow Spring’s contribution guidelines and confirm compliance with the Apache 2.0 license.
Could this issue be assigned to me? I’ll submit a PR for review once the fix is ready.
Thanks!
Joel John
Comment From: takashno
Hi @ijoeljohn
Thank you for your response and for offering to work on this issue. I really appreciate your initiative and technical expertise.
At the moment, we are still awaiting a response from the Spring Framework team. I don't have the bandwidth to investigate and implement a fix myself, so I’m truly grateful to see skilled engineers like you stepping in. I believe that both my issue report and your PR will help accelerate the team's decision-making process, leading to a quicker resolution and release of the fix to the public.
Looking forward to your contribution!
Best regards, Takashno
Comment From: ngocnhan-tran1996
I write a test and it throws HandlerMethodValidationException with Spring Boot: 3.4.3 and Spring Framework: 6.2.3
Comment From: takashno
@ngocnhan-tran1996
Thank you for your response. Could you also show me the controller source code?
Comment From: ngocnhan-tran1996
@takashno i copied your snippet controller
And pom.xml
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
</dependencies>
May I miss anything?
Comment From: takashno
@ngocnhan-tran1996
Apologies for my incomplete initial report.
I've committed a reproducible example here: https://github.com/takashno/for-issue-34556-demo
The issue seems to occur when a Controller interface is created with a default method, and a class implementing this interface is used.
The reason for structuring the code this way is that OpenAPI Generator produces such an implementation when enabling interface generation.
I initially assumed this was a more general issue, and I regret providing an incomplete example in my original report. I sincerely apologize for any confusion this may have caused.
Could you take a look at the repository and verify the issue?
Thanks, Takashno
Comment From: ngocnhan-tran1996
I am not a Spring member, so I can't confirm this issue.
But you can check it out
(1)
If a controller has a class level
@Validated, then method validation is applied through an AOP proxy. In order to take advantage of the Spring MVC built-in support for method validation added in Spring Framework 6.1, you need to remove the class level@Validatedannotation from the controller.
(2)
By default, jakarta.validation.ConstraintViolationException is raised with the set of ConstraintViolations
Reference
(1) https://docs.spring.io/spring-framework/reference/web/webflux/controller/ann-validation.html
(2) https://docs.spring.io/spring-framework/reference/core/validation/beanvalidation.html#validation-beanvalidation-spring-method-exceptions
Comment From: takashno
@ngocnhan-tran1996
Thank you! I now understand that the issue is caused by the @Validated annotation applied to the controller interface.
This annotation is automatically added when enabling the Bean Validation option in OpenAPI Generator. I checked the mustache template. api.mustache#L85
I will consider disabling this option as a possible solution.
Thanks again! Takashno
Comment From: takashno
This issue was not a problem with Spring Framework, so I will close it. Apologies for the confusion.