I don't see a clear cut solution for this in the general case, overlaying the de-serialized request body with path variables. It's bound to lead to surprises. It seems to me however that the the UpdateValidator should be in sync with the expected input. In other words either expect the id to be in the body or don't validate it. Beyond that it's not very hard to create a custom argument resolver that combines the behaviors. As I said I just don't see that working out more generally.