🛡️ Dynamic Response Filtering

Updated on: 18 Nov 2024 - Vivek Singh

📑 Table of Contents

📑 Table of Contents
🚀 Introduction to Dynamic Response Filtering
🌟 Purpose, Use Case, Features, Benefits, and Drawbacks
🔒 Security Concerns
🏆 Best Practices and Suggestions
🔄 Alternative Approach
🛠️ Maven Dependency
- pom.xml
💻 Code Implementation
🔍 Observations and Insights
💡 Expert Advice: What Engineers Should Be Aware Of
🏗️ Architecture Diagram

🚀 Introduction to Dynamic Response Filtering

In modern microservices, Content Filtering is vital for security and performance. This technique, leveraging Jackson’s @JsonFilter in Spring Boot, allows you to dynamically control which properties of a Java Bean are included in the JSON response. By using the Spring utility MappingJacksonValue, we can apply specific filters per API endpoint at runtime. This approach is crucial for preventing data over-fetching and exposing sensitive internal fields.

🌟 Purpose, Use Case, Features, Benefits, and Drawbacks

Aspect	Description
Purpose / Feature	Content Filtering refers to dynamically selecting or removing specific properties from a JSON response object before sending it to the client. This is achieved using Jackson’s `@JsonFilter` mechanism.
Use Case	Ideal for APIs where different endpoints need to return the same Java Bean but with varying subsets of fields (e.g., an `/users` list endpoint needs name and ID, but a `/users/{id}` detail endpoint also needs address and roles).
Benefits	Security (Prevents exposure of sensitive internal fields), Performance (Reduces payload size, thus reducing network bandwidth and processing time), Flexibility (Allows filtering logic to be determined at runtime per API request).
Drawbacks	Code Complexity (Requires extra setup in the Controller using `MappingJacksonValue` and filter providers, making the controller code less clean), Maintainability (Requires diligent management of filter names and fields across multiple endpoints).
Prerequisite	This feature is part of `jackson-annotations-${version}.jar`, implicitly included via the `spring-boot-starter-web` dependency.

🔒 Security Concerns

Accidental Data Exposure: The primary risk is forgetting to apply a filter or applying an incorrect filter, leading to the unintentional exposure of sensitive fields (like passwords, internal IDs, or financial data) to an unauthorized client.
Filter Name Mismatch: A mismatch between the @JsonFilter name on the Bean and the name registered in the SimpleFilterProvider will result in the entire bean being serialized, potentially bypassing all filtering logic.
Security by Obscurity: Relying solely on filtering for security is discouraged. Response filtering should complement robust authentication and authorization mechanisms, and not to replace them.

🏆 Best Practices and Suggestions

Prioritize Static Filtering:
- For fields that should never be exposed (e.g., passwordHash), use Static Filtering (@JsonIgnore, @JsonIgnoreProperties). Dynamic filtering should only be used for fields whose inclusion depends on the specific API call.
Use Enums/Constants:
- Define the filter names (e.g., "dyna-filter-for-somebean") as public static final constants in a utility class or the Bean itself to prevent spelling mistakes.
Create a Utility Method:
- Encapsulate the filter creation and application logic (SimpleBeanPropertyFilter, SimpleFilterProvider, MappingJacksonValue) into a reusable utility method or a custom HttpMessageConverter to keep Controller methods cleaner.
Documentation:
- Clearly document which fields are returned by each API endpoint, especially when dynamic filtering is in use, for better API consumer understanding.

🔄 Alternative Approach

An alternative to dynamic Jackson filtering is to use Data Transfer Objects (DTOs).

DTO Approach: For each required subset of fields, create a separate, dedicated DTO class (e.g., UserSummaryDTO, UserDetailsDTO).
Mapping: The Controller maps the full JPA Entity/Service Bean to the appropriate DTO before returning the response.
Trade-off: This approach offers compile-time safety and cleaner controller code (no MappingJacksonValue logic) but involves more boilerplate code (creating and maintaining multiple DTO classes and mapping logic).

🛠️ Maven Dependency

The dynamic filtering feature is provided by Jackson, which is included by default with the spring-boot-starter-web.

`pom.xml`

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

💻 Code Implementation

Data Bean (`@JsonFilter`)

The Java Bean is annotated with @JsonFilter to link it to a named filter.

`SomeBeanDynamicFilter.java`

package com.srvivek.sboot.mservices.bean;

import com.fasterxml.jackson.annotation.JsonFilter;

/** Dynamically exclude properties as per the specified filter set by the API. */
@JsonFilter("dyna-filter-for-somebean")
public class SomeBeanDynamicFilter {

    private String field1;
    private String field2;
    private String field3;
    private String field4;
    private String field5;
    private String field6;

    // constructors, setter-getters and utility methods
    // (Assuming public constructor SomeBeanDynamicFilter(String... fields) exists)
    public SomeBeanDynamicFilter(String field1, String field2, String field3, String field4, String field5, String field6) {
        this.field1 = field1;
        this.field2 = field2;
        this.field3 = field3;
        this.field4 = field4;
        this.field5 = field5;
        this.field6 = field6;
    }
    // ... Getters and Setters omitted for brevity
}

REST Controller (`MappingJacksonValue`)

The controller creates the filter, specifies the included/excluded fields, registers the filter by name, and applies it using MappingJacksonValue.

`DynamicFilteringController.java`

package com.srvivek.sboot.mservices.controller;

import java.util.Arrays;
import java.util.List;

import org.springframework.http.converter.json.MappingJacksonValue;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import com.fasterxml.jackson.databind.ser.FilterProvider;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;
import com.srvivek.sboot.mservices.bean.SomeBeanDynamicFilter;

@RestController
public class DynamicFilteringController {

    private static final String FILTER_NAME = "dyna-filter-for-somebean";

    @GetMapping("/dyna-filtering")
    public MappingJacksonValue filtering() {

        // 1. Define fields to keep (filterOutAllExcept)
        final SimpleBeanPropertyFilter simpleBeanPropertyFilter = SimpleBeanPropertyFilter.filterOutAllExcept("field2",
                "field4", "field6");

        // 2. Register filter with the name defined in the Bean
        final SimpleFilterProvider simpleFilterProvider = new SimpleFilterProvider()
                .addFilter(FILTER_NAME, simpleBeanPropertyFilter);

        // 3. Construct response bean
        final SomeBeanDynamicFilter someBeanDynamicFilter = new SomeBeanDynamicFilter("Value-1", "Value-2", "Value-3",
                "Value-4", "Value-5", "Value-6");

        // 4. Apply the filter provider to the response bean
        final MappingJacksonValue mappingJacksonValue = new MappingJacksonValue(someBeanDynamicFilter);
        mappingJacksonValue.setFilters(simpleFilterProvider);

        return mappingJacksonValue; // Returns only field2, field4, field6
    }

    @GetMapping("/dyna-filtering-list")
    public MappingJacksonValue filteringList() {

        // 1. Define a different set of fields to keep for this API
        SimpleBeanPropertyFilter simpleBeanPropertyFilter = SimpleBeanPropertyFilter.filterOutAllExcept("field1",
                "field3", "field5", "field6");

        // 2. Register filter
        FilterProvider simpleFilterProvider = new SimpleFilterProvider().addFilter(FILTER_NAME,
                simpleBeanPropertyFilter);

        // 3. Construct list of response beans
        List<SomeBeanDynamicFilter> SomeBeanDynamicFilterList = Arrays.asList(
                new SomeBeanDynamicFilter("Value-1", "Value-2", "Value-3", "Value-4", "Value-5", "Value-6"),
                new SomeBeanDynamicFilter("Value-11", "Value-22", "Value-33", "Value-44", "Value-55", "Value-66"),
                new SomeBeanDynamicFilter("Value-111", "Value-222", "Value-333", "Value-444", "Value-555",
                        "Value-666"));

        // 4. Apply the filter provider to the list
        final MappingJacksonValue mappingJacksonValue = new MappingJacksonValue(SomeBeanDynamicFilterList);
        mappingJacksonValue.setFilters(simpleFilterProvider);

        return mappingJacksonValue; // Returns only field1, field3, field5, field6
    }
}

Project POC

You can refer to the following GitHub application for a practical demonstration of static content filtering: Spring Boot POC App - Static Filtering

🔍 Observations and Insights

Dynamic Filtering Defined: This approach is called Dynamic Filtering because the set of properties to include/exclude is determined at runtime within the controller method for the specific API call.
@JsonFilter Annotation: It serves as a marker on the Java Bean, defining a unique filter name ("dyna-filter-for-somebean"). Jackson will look for a FilterProvider registered with this exact name when serializing this bean.
MappingJacksonValue: This Spring utility class is essential. It wraps the response object (Bean/List) and allows the attachment of a FilterProvider to be used specifically for the serialization of that response, overriding the default serialization behavior.

💡 Expert Advice: What Engineers Should Be Aware Of

Engineers should consider request-based filtering as a better long-term solution. Allowing clients to specify which fields they need (e.g., using a fields query parameter like /api/users?fields=id,name) puts the burden of filtering on the client, which is ideal for high-traffic, generic APIs. This involves:

Reading the fields query parameter in the controller.
Dynamically creating the SimpleBeanPropertyFilter based on the requested fields.
Applying the filter via MappingJacksonValue, as shown above.

This makes your API more performant and allows consumers to prevent over-fetching data.

🏗️ Architecture Diagram

This sequence diagram illustrates how the dynamic filtering process works when a request is made to a filtered endpoint.

sequenceDiagram
    participant Client
    participant Controller
    participant JacksonMapper
    participant ResponseBean

    Client->>Controller: GET /dyna-filtering
    Controller->>Controller: 1. Create SimpleBeanPropertyFilter (e.g., keep field2, field4, field6)
    Controller->>Controller: 2. Create SimpleFilterProvider & register filter ("dyna-filter-for-somebean")
    Controller->>ResponseBean: 3. Instantiate SomeBeanDynamicFilter
    Controller->>Controller: 4. Wrap Bean in MappingJacksonValue & set Filters
    Controller->>JacksonMapper: Serialize(MappingJacksonValue)
    JacksonMapper->>JacksonMapper: Check @JsonFilter on ResponseBean
    JacksonMapper->>JacksonMapper: Retrieve filter from SimpleFilterProvider
    JacksonMapper->>Client: 5. Return Filtered JSON Response (only field2, field4, field6)