Spring Boot Filtering

In this tutorial, we will discuss about the filtering of properties in pojos and their implementation using spring boot. In some cases, we don't send the complete information to the client like confidential information such as passwords, licence etc in order to avoid any vulnerability of the system. Filtering of data is required in such cases. In spring boot, filtering can be of two types:

  • Static filtering
  • Dynamic filtering

Spring Boot - Static Filtering:

Let us create a class Airline under the package com.tutorial.studytonight.pojo

public class Airline {

    private String name;
    @JsonIgnore   //annotation used to ignore the field
    private String license;
    private LocalDate establishedDate;

    public Airline(String name,String license,LocalDate establishedDate){
        this.name = name;
        this.license = license;
        this.establishedDate = establishedDate;
    }

    //Setters and Getters
}

Let us change the ResourceController.java as follows:

@RestController
public class ResourceController {

    @GetMapping("/staticFiltering")
    public Airline staticFiltering() {

        LocalDate establishedDate=LocalDate.parse("1888-09-04"); 
        AirlineairLine = new Airline("Super Aviation","AS23OIP8", establishedDate );
        return airLine;
    }
}

We annotated the field license with @JsonIgnore in Airline.java so that the field gets ignored when sent to the client. Start the application to test this API.

The above figure displays the static filtering request sent and the response body has no field of "license" as it was annotated with @JsonIgnore in the pojo class.

Spring Boot - Dynamic Filtering:

We can implement dynamic level of filtering by modifying the Airline.java and ResourceController.java respectively as shown below:

@JsonFilter("dynamicfilter")
public class Airline {

    private String name;
    private String license;
    private LocalDate establishedDate;
    
    public Airline(String name, String license, LocalDate establishedDate){
        this.name = name;
        this.license = license;
        this.establishedDate = establishedDate;
    }

    //Setters and Getters
}

@RestController
public class ResourceController {
    
    @GetMapping("/dynamicFiltering")
    public MappingJacksonValue dynamicFiltering() {
        
        LocalDate date = LocalDate.parse("1888-09-04");

        SimpleBeanPropertyFilter propertyFilter = SimpleBeanPropertyFilter.filterOutAllExcept("license");
        // Adding filter using a id name
        FilterProvider filter = new SimpleFilterProvider().addFilter("dynamicfilter", propertyFilter);    
        
        Airline airLine = new Airline("Super Aviation", "AS23", date);
        // Setting a filter
        MappingJacksonValue value = new MappingJacksonValue(airLine);
value.setFilters(filter);    
        return value;    
    }
}

The SimpleBeanPropertFilter is the class which provides methods such as filterOutAllExcept which is used to filter the fields in the pojo. The field license was passed as the argument in the above method which means to filter all the fields except license.

The FilterProvider is another class which adds the SimpleBeanPropertyFilter with a unique id name naming dynamicfilter in the above code.

Notice that the above pojo is also annotated with @JsonFilter passing the same Id name as dynamicfilter.

The MappingJacksonValue will be deserialized to return the response to the client. Start the application to test.


The above figure displays the GET request sent for dynamic filtering. Observe that all the fields were filtered except license field as the SimpleBeanPropertyFilter method filterOutAllExcept was set on this field.

Conclusion: In this way, filtering of the confidential information can be done from sending to the client using spring boot.