Open
Description
James Howe opened SPR-14771 and commented
By default, validation errors on @Controller method parameters result in a response body detailing the specific FieldErrors.

Primarily for security purposes, it would be desirable to disable the echoing of the rejectedValue, both globally and perhaps with some kind of field annotation. This would reduce the chance of sensitive data (passwords, PII, etc.) ending up in logs, for example.

I realise that the whole response can be fully customised anyway, but it seems like this sort of thing should be available by default, to help people secure their systems.
Issue Links:
- Addressing Mass Assignment vulnerabilities with @NoBind annotation for domain objects [SPR-13835] #18408
- Quartz job bean can't have constructor with injected parameters [SPR-17323] #21857
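The reporter notes that the response can already be customised; the following is an added example (not code from the issue or from the Spring Framework) of doing exactly that today with a @ControllerAdvice: it rebuilds the validation error body from the BindingResult without the rejectedValue, so a submitted password or other PII is never echoed to the client or into access/error logs. The global switch and the @NoEcho field annotation are hypothetical, illustrating the two options the reporter asks for; everything else uses the standard Spring MVC and spring-validation APIs (BindException, BindingResult, FieldError), and the sample SignupForm and the hand-built FieldError in main() are constructed for the demo.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.validation.BindException;
import org.springframework.validation.BindingResult;
import org.springframework.validation.FieldError;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/** Hypothetical per-field marker: never echo this field's submitted value. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface NoEcho {}

/** Constructed sample form for the demo; not part of the issue. */
class SignupForm {
    String email;
    @NoEcho String password;
}

@RestControllerAdvice
public class ValidationErrorAdvice {

    /** Hypothetical global switch: true = never include rejectedValue at all. */
    private final boolean suppressAllRejectedValues;

    public ValidationErrorAdvice() { this(true); }

    public ValidationErrorAdvice(boolean suppressAllRejectedValues) {
        this.suppressAllRejectedValues = suppressAllRejectedValues;
    }

    // BindException covers form binding; since Spring 5.3 MethodArgumentNotValidException
    // (thrown for @RequestBody @Valid) extends it, so one handler catches both.
    @ExceptionHandler(BindException.class)
    public ResponseEntity<Map<String, Object>> onInvalid(BindException ex) {
        BindingResult result = ex.getBindingResult();
        Class<?> target = result.getTarget() == null ? null : result.getTarget().getClass();
        List<Map<String, Object>> errors = new ArrayList<>();
        for (FieldError fe : result.getFieldErrors()) {
            Map<String, Object> entry = new LinkedHashMap<>();
            entry.put("field", fe.getField());
            entry.put("message", fe.getDefaultMessage());
            // Only echo the value when both the global switch and the field allow it.
            if (!suppressAllRejectedValues && !isNoEcho(target, fe.getField())) {
                entry.put("rejectedValue", fe.getRejectedValue());
            }
            errors.add(entry);
        }
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("status", HttpStatus.BAD_REQUEST.value());
        body.put("errors", errors);
        return ResponseEntity.badRequest().body(body);
    }

    /** Fail closed: if the field cannot be resolved (e.g. nested path "a.b"), treat it as @NoEcho. */
    private static boolean isNoEcho(Class<?> target, String field) {
        if (target == null) return true;
        try {
            return target.getDeclaredField(field).isAnnotationPresent(NoEcho.class);
        } catch (NoSuchFieldException e) {
            return true;
        }
    }

    /** Stand-alone demo: builds a BindingResult by hand, as the binder would, and prints both bodies. */
    public static void main(String[] args) {
        SignupForm form = new SignupForm();
        BindingResult result = new BeanPropertyBindingResult(form, "signupForm");
        result.addError(new FieldError("signupForm", "email", "not-an-email", false,
                null, null, "must be a well-formed email address"));
        result.addError(new FieldError("signupForm", "password", "hunter2", false,
                null, null, "size must be between 12 and 128"));
        BindException ex = new BindException(result);

        // Default (global suppression): neither value appears in the body.
        System.out.println(new ValidationErrorAdvice().onInvalid(ex).getBody());
        // Per-field mode: "not-an-email" is echoed, the @NoEcho password is not.
        System.out.println(new ValidationErrorAdvice(false).onInvalid(ex).getBody());
    }
}
```

Registering the advice as a bean is enough for Spring MVC to route every BindException through it; the same idea applies to a custom ErrorAttributes or an ErrorResponse customizer, but the key point is the same in each case: copy field and message from the FieldError and deliberately leave getRejectedValue() out.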