Merge pull request #50 from SalusaSecondus/tmpworking

Update documents to indicate that SaveBehavior.PUT is also safe

Author: bdonlan

README.md

@@ -4,8 +4,8 @@ The **[Amazon DynamoDB][ddb] Client-side Encryption in Java** supports encryptio
 
 A typical use of this library is when you are using [DynamoDBMapper][ddbmapper], where transparent protection of all objects serialized through the mapper can be enabled via configuring an [AttributeEncryptor][attrencryptor].
 
-**Important: Use `SaveBehavior.CLOBBER` with `AttributeEncryptor`. If you do not do so you risk corrupting your signatures and encrypted data.**
-When CLOBBER is not specified, fields that are present in the record may not be passed down to the encryptor, which results in fields being left out of the record signature. This in turn can result in records failing to decrypt.
+**Important: Use `SaveBehavior.PUT` or `SaveBehavior.CLOBBER` with `AttributeEncryptor`. If you do not do so you risk corrupting your signatures and encrypted data.**
+When PUT or CLOBBER is not specified, fields that are present in the record may not be passed down to the encryptor, which results in fields being left out of the record signature. This in turn can result in records failing to decrypt.
 
 For more advanced use cases where tighter control over the encryption and signing process is necessary, the low-level [DynamoDBEncryptor][ddbencryptor] can be used directly.
 
@@ -77,7 +77,7 @@ To enable transparent encryption and signing, simply specify the necessary encry
     SecretKey cek = ...;        // Content encrypting key
     SecretKey macKey =  ...;    // Signing key
     EncryptionMaterialsProvider provider = new SymmetricStaticProvider(cek, macKey);
-    mapper = new DynamoDBMapper(client, DynamoDBMapperConfig.builder().withSaveBehavior(SaveBehavior.CLOBBER).build(),
+    mapper = new DynamoDBMapper(client, DynamoDBMapperConfig.builder().withSaveBehavior(SaveBehavior.PUT).build(),
                 new AttributeEncryptor(provider));
     Book book = new Book();
     book.setId(123);

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/AttributeEncryptor.java

@@ -38,7 +38,7 @@
 
 /**
  * Encrypts all non-key fields prior to storing them in DynamoDB.
- * <em>This must be used with @{link SaveBehavior#CLOBBER}. Use of
+ * <em>This must be used with @{link SaveBehavior#PUT} or @{link SaveBehavior#CLOBBER}. Use of
  * any other @{code SaveBehavior} can result in data-corruption.</em>
  * 
  * @author Greg Rubin 
@@ -72,13 +72,14 @@ public Map<String, AttributeValue> transform(final Parameters<?> parameters) {
             return attributeValues;
         }
 
-        // When AttributeEncryptor is used without SaveBehavior.CLOBBER, it is trying to transform only a subset
+        // When AttributeEncryptor is used without SaveBehavior.PUT or CLOBBER, it is trying to transform only a subset
         // of the actual fields stored in DynamoDB. This means that the generated signature will not cover any
         // unmodified fields. Thus, upon untransform, the signature verification will fail as it won't cover all
         // expected fields.
         if (parameters.isPartialUpdate()) {
-            LOG.error("Use of AttributeEncryptor without SaveBehavior.CLOBBER is an error and can result in data-corruption. " +
-                    "This occured while trying to save " + parameters.getModelClass());
+            LOG.error("Use of AttributeEncryptor without SaveBehavior.PUT or SaveBehavior.CLOBBER is an error " +
+	        "and can result in data-corruption. This occured while trying to save " +
+	        parameters.getModelClass());
         }
 
         try {