In chapter 16, you learned how to apply authorization rules using global method security. We worked on examples using the @PreAuthorize and @PostAuthorize annotations. With these annotations, you apply an approach in which the application either allows the method call or rejects it completely. Suppose you don't want to forbid the call to a method, but you want to make sure that the parameters sent to it follow some rules. Or, in another scenario, you want to make sure that after someone calls the method, the caller receives only the authorized part of the returned value. We call such functionality filtering, and we classify it into two categories:
- Prefiltering--The framework filters the values of the parameters before calling the method.
- Postfiltering--The framework filters the returned value after the method call.
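As an added example (not code from the book), the following Spring Security service shows both categories side by side using the @PreFilter and @PostFilter annotations. The `Product` class, the `ProductService`, the owner names and the `owner == authentication.name` rule are assumptions made for the illustration; `filterObject` and `authentication` are the real names Spring Security exposes in the SpEL expression.

```java
// Added example, not from the book. Assumes Spring Security 5.x with the
// pre/post annotations enabled through @EnableGlobalMethodSecurity.
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Turns on @PreFilter/@PostFilter (as well as @PreAuthorize/@PostAuthorize).
@Configuration
class MethodSecurityConfig {
    // Empty on purpose: the annotation below is the whole configuration.
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    static class Enable {
    }
}

// Hypothetical domain object used only for this example.
class Product {
    private final String name;
    private final String owner;

    Product(String name, String owner) {
        this.name = name;
        this.owner = owner;
    }

    // SpEL reads these getters when it evaluates "filterObject.owner".
    public String getName() {
        return name;
    }

    public String getOwner() {
        return owner;
    }
}

@Service
class ProductService {

    // Prefiltering: before the method body runs, the framework removes every
    // element of the 'products' parameter whose owner is not the authenticated
    // user. 'filterObject' is the element of the collection being evaluated.
    @PreFilter("filterObject.owner == authentication.name")
    public List<Product> sellProducts(List<Product> products) {
        // Only the caller's own products ever reach this line.
        return products;
    }

    // Postfiltering: the method returns the complete list, and the framework
    // then keeps only the elements whose owner matches the authenticated user
    // before the result is handed back to the caller.
    @PostFilter("filterObject.owner == authentication.name")
    public List<Product> findProducts() {
        // Constructed sample data. The collection must be mutable (see note).
        return new ArrayList<>(List.of(
                new Product("beer", "nikolai"),
                new Product("candy", "nikolai"),
                new Product("chocolate", "julien")));
    }
}
```

Two caveats a practitioner runs into with this code: the framework filters the collection in place (it clears the original and re-adds the retained elements), so an immutable collection such as a bare `List.of(...)` or a result wrapped in `Collections.unmodifiableList` fails at runtime with an `UnsupportedOperationException`; and when a method has more than one collection parameter, @PreFilter needs its `filterTarget` attribute to name which parameter to filter.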