javax.validation.constraints.Email matching invalid email address
M

2

18

I have a User entity with an email property annotated with @Email:

@Email
private String email;

I am using the @Valid (javax.validation.Valid) annotation on my Controller class. The issue is that the controller validator is passing invalid emails. Example:
pusp@1 - obviously this is an invalid email address
pusp@fake
The pattern I noticed is that @Email only wants sometext@text; it doesn't care about the extensions (.com/.org etc.). Is this the expected behaviour? Do I need to pass my own regex implementation for @Email(regex="")?

Merkle answered 25/5, 2018 at 18:47 Comment(1)
Both of your "obviously invalid" addresses are in fact legal (if not generally very useful). - Ithaca
M
37

An email without a . may be considered valid according to the validators.
In general, validator implementations (here it is probably the Hibernate Validator) are not very restrictive about emails.
For example, the org.hibernate.validator.internal.constraintvalidators.AbstractEmailValidator javadoc states:

The specification of a valid email can be found in RFC 2822 and one can come up with a regular expression matching all valid email addresses as per specification. However, as this article discusses it is not necessarily practical to implement a 100% compliant email validator. This implementation is a trade-off trying to match most email while ignoring for example emails with double quotes or comments.

And as a side note, I noticed similar things with the HTML validator for emails.

So I think that the behavior you encounter is actually the expected one.
And about your question:

Do I need to pass my own regex implementation for @Email(regex="")

Indeed. You don't have any other choice if you want to make the validation more restrictive.
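As an alternative, this answer, which creates its own validator via constraint composition, is really interesting: it is DRY (you can reuse your custom ConstraintValidator without specifying the pattern each time, as it is included in it) and it reuses the "good part" of the @Email ConstraintValidator:

import static java.lang.annotation.ElementType.*;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
import java.lang.annotation.Documented;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.Payload;
import javax.validation.constraints.Email;
import javax.validation.constraints.Pattern;

// Composed constraint: a value must satisfy both @Email and @Pattern.
@Email(message="Please provide a valid email address")
@Pattern(regexp=".+@.+\\..+", message="Please provide a valid email address")
@Target( { METHOD, FIELD, ANNOTATION_TYPE })
@Retention(RUNTIME)
@Constraint(validatedBy = {})
@Documented
public @interface ExtendedEmailValidator {
    String message() default "Please provide a valid email address";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}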
Motch answered 25/5, 2018 at 19:19 Comment(3)
Just as a note, if you'd like to customize your error message when using ExtendedEmailValidator, you should add the @ReportAsSingleViolation annotation as explained here: docs.jboss.org/hibernate/stable/validator/reference/en-US/… - Car
@Car @ReportAsSingleViolation: without this, my default message didn't display. Now I have a message for my REST API. This answer is approved ;) - Plagioclase
You could also create a validator using the InternetAddress class with strict parsing enabled. - Kagoshima
A
2

Or you can simply add

@Email(regexp = ".+[@].+[\\.].+")

to the column you want to be validated.

Allegorize answered 10/3, 2022 at 18:21 Comment(2)
That regexp is very forgiving, e.g. it will match an email that starts and ends with a dot. - Hasty
You are right, that's a very simple regex checking for any character followed by @ and . It can match very strange email addresses, e.g. +@+.+ To write a specific regex we also have to define the rules for a valid email address. - Allegorize
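Added example, not part of any answer above: a standalone check of what the `.+@.+\\..+` pattern from the first answer accepts (the second answer's `.+[@].+[\\.].+` is equivalent), next to a stricter pattern. The `STRICT` rules, the class name and the sample addresses are assumptions constructed for illustration, not anything defined by Bean Validation or Hibernate Validator.

```java
import java.util.regex.Pattern;

public class EmailPatternCheck {
    // Pattern quoted in the answers on this page.
    static final Pattern PAGE_PATTERN = Pattern.compile(".+@.+\\..+");

    // Hypothetical stricter policy (an assumption, define your own rules):
    // - local part: atoms separated by single dots, no leading/trailing dot
    // - domain: two or more labels, no hyphen at a label edge
    // - final label (TLD): letters only, at least two
    static final Pattern STRICT = Pattern.compile(
        "[A-Za-z0-9_%+-]+(\\.[A-Za-z0-9_%+-]+)*"
        + "@"
        + "([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\\.)+"
        + "[A-Za-z]{2,}");

    // Whole-string match (Matcher.matches), which is how Hibernate Validator
    // applies the regexp of @Pattern; a partial match is not enough.
    static boolean accepts(Pattern pattern, String candidate) {
        return pattern.matcher(candidate).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the ones from the question
        // and from the comments.
        String[] samples = {
            "pusp@1",
            "pusp@fake",
            "+@+.+",
            ".user@example.com.",
            "user@example.com",
            "first.last@mail.example.org"
        };
        for (String s : samples) {
            System.out.printf("%-30s page=%-5b strict=%b%n",
                s, accepts(PAGE_PATTERN, s), accepts(STRICT, s));
        }
    }
}
```

The `STRICT` string can be used as the `regexp` of the `@Pattern` in the composed constraint; it deliberately rejects some addresses that are legal per the RFC, such as quoted local parts and dotless domains.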
