17 Global method security: Pre- and postfiltering

This chapter covers

  • Using prefiltering to restrict what a method receives as parameter values

  • Using postfiltering to restrict what a method returns

  • Integrating filtering with Spring Data

In chapter 16, you learned how to apply authorization rules using global method security. We worked on examples using the @PreAuthorize and @PostAuthorize annotations. With these annotations, the application either allows the method call or rejects it completely. Suppose you don’t want to forbid the call to a method, but you want to make sure that the parameters sent to it follow some rules. Or, in another scenario, you want to make sure that after someone calls the method, the caller only receives the authorized part of the returned value. We call such functionality filtering, and we classify it in two categories:

  • Prefiltering--The framework filters the values of the parameters before calling the method.
  • Postfiltering--The framework filters the returned value after the method call.

Figure 17.1 The client calls the endpoint providing a value that doesn’t follow the authorization rule. With preauthorization, the method isn’t called at all and the caller receives an exception. With prefiltering, the aspect calls the method but only provides the values that follow the given rules.
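As an added illustration (not code from the book), the two categories map onto Spring Security's @PreFilter and @PostFilter annotations as shown below; the Product record, the ProductService class, and the sample owner names are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Filtering is applied by the same aspect as @PreAuthorize/@PostAuthorize,
// so it needs prePostEnabled = true, just like the rules in chapter 16.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// Constructed demo type: something the authenticated user may or may not own.
record Product(String name, String owner) {
}

@Service
public class ProductService {

    // Prefiltering: before the method runs, the aspect evaluates the SpEL
    // expression for each element of the collection parameter (filterObject)
    // and removes the elements for which it is false. The method body only
    // ever sees the caller's own products; unlike @PreAuthorize, no exception
    // is thrown for the rejected elements.
    @PreFilter("filterObject.owner() == authentication.name")
    public List<Product> sellProducts(List<Product> products) {
        return products;
    }

    // Postfiltering: the method runs normally on the full data set, and the
    // aspect then removes from the returned collection every element the
    // caller is not allowed to see, so only the permitted elements reach
    // the caller.
    @PostFilter("filterObject.owner() == authentication.name")
    public List<Product> findProducts() {
        // Constructed sample data. The collection must be mutable (ArrayList,
        // not List.of()): the aspect filters by removing elements in place and
        // fails on an immutable collection. The same applies to the argument
        // passed to sellProducts().
        List<Product> all = new ArrayList<>();
        all.add(new Product("beer", "nikolai"));
        all.add(new Product("candy", "nikolai"));
        all.add(new Product("chocolate", "julien"));
        return all;
    }
}
```

If a method has more than one collection parameter, name the one to filter with the annotation's filterTarget attribute; otherwise the aspect cannot decide which parameter filterObject refers to.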

17.1 Applying prefiltering for method authorization

17.2 Applying postfiltering for method authorization

17.3 Using filtering in Spring Data repositories

Summary
