This chapter covers
- Using prefiltering to restrict what a method receives as parameter values
- Using postfiltering to restrict what a method returns
- Integrating filtering with Spring Data
In chapter 11, you learned how to apply authorization rules using global method security. We worked on examples using the @PreAuthorize and @PostAuthorize annotations. When you use these annotations, the application either allows the method call, or it completely rejects it. Suppose you don’t want to forbid the call to a method, but you want to make sure that the parameters sent to it follow some rules. Or, in another scenario, you want to make sure that after the method is called, the method’s caller only receives an authorized part of the returned value. This functionality is called filtering, and it is classified into two categories:
- Prefiltering—The framework filters the values of the parameters before calling the method.
- Postfiltering—The framework filters the returned value after the method call.
Filtering works differently than call authorization (figure 12.1). With filtering, the framework executes the call and doesn’t throw an exception if a parameter or returned value doesn’t follow an authorization rule you define. Instead, it filters out elements that don’t follow the specified conditions.