17 Global method security: Pre/post filtering
This chapter covers
- Using pre-filtering to restrict what a method receives as parameter values.
- Using post-filtering to restrict what a method returns.
- Integrating filtering with Spring Data.
In chapter 16, you learned how to apply authorization rules using Global Method Security. We worked on examples using the @PreAuthorize and @PostAuthorize annotations. With these annotations, however, the application either allows the method call or rejects it completely. Say you don't want to forbid the call to a method, but you want to make sure that the parameters sent to the method follow some rules. Or, in another scenario, you want to make sure that, after someone calls the method, the caller receives only the authorized part of the returned value. We call this functionality filtering, and we classify it into two categories:
- Pre-filtering – when the framework filters the values of the parameters before calling the method.
- Post-filtering – when the framework filters the returned value after the method call.
Observe how filtering works differently from call authorization (figure 17.1). With filtering, the framework executes the call and doesn't throw an exception if a parameter or returned value doesn't follow an authorization rule you define. Instead, it filters out the elements that don't satisfy the conditions you specify.
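To make the two categories concrete, here is an added example (not the book's own listing) that puts a pre-filter and a post-filter side by side. It uses Spring Security's real @PreFilter and @PostFilter annotations and the SpEL variables filterObject and authentication; the Product class, the ProductService, the sample data and the configuration class enabling method security with @EnableGlobalMethodSecurity(prePostEnabled = true) are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Assumed configuration: turns on the aspects that evaluate @PreFilter/@PostFilter
// (and @PreAuthorize/@PostAuthorize). Without prePostEnabled = true the
// annotations are present on the methods but never enforced.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class ProjectConfig {
}

// Hypothetical domain object; the filter expressions below read its 'owner' property.
class Product {
    private final String name;
    private final String owner;

    Product(String name, String owner) {
        this.name = name;
        this.owner = owner;
    }

    public String getName() { return name; }
    public String getOwner() { return owner; }

    @Override
    public String toString() { return name + " (" + owner + ")"; }
}

@Service
public class ProductService {

    // PRE-FILTERING: before the method body runs, the framework iterates over the
    // collection parameter and removes every element for which the expression is
    // false. 'filterObject' is the current element, 'authentication' the caller's
    // security context. Rejected elements do not cause an exception; the body
    // simply receives a shorter (possibly empty) list.
    @PreFilter("filterObject.owner == authentication.name")
    public List<String> sellProducts(List<Product> products) {
        // At this point the list holds only products owned by the caller.
        return products.stream()
                .map(Product::getName)
                .collect(Collectors.toList());
    }

    // POST-FILTERING: the body runs unchanged, with the original parameters. Only
    // after it returns does the framework remove from the returned collection the
    // elements that fail the expression, so the caller sees just the authorized
    // part of the result.
    @PostFilter("filterObject.owner == authentication.name")
    public List<Product> findProducts() {
        // Constructed sample data standing in for a repository call. The collection
        // must be mutable: the filter removes the rejected elements in place.
        List<Product> products = new ArrayList<>();
        products.add(new Product("beer", "nikolai"));
        products.add(new Product("candy", "nikolai"));
        products.add(new Product("chocolate", "julien"));
        return products;
    }
}
```

With a user named nikolai authenticated, findProducts() returns beer and candy and silently drops chocolate, while a call to sellProducts() with all three products reaches the method body with only the two nikolai products. Two practical points follow from how the filtering is done: the parameter or return type has to be a collection, array, map or stream (a single object cannot be filtered, and the framework rejects the attempt), and both annotations mutate the collection they filter, so returning or passing an unmodifiable list fails at runtime rather than being filtered.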