🛡️ Content Filtering (Static)

Updated on: 15 Nov 2024 - Vivek Singh

Table of Contents
🌟 Overview: What is Content Filtering?
🎯 Scope, Purpose, Use Case, Benefits, and Drawbacks
Key Technology
🛠️ Dependency Details
- Maven Dependency (Spring Boot Web Starter)
💻 Code Implementation (Static Filtering)
- 👩‍💻 Java Bean Annotations
- Project POC
💡 Observations and Static Filtering Notes
🖼️ Engineering Insights and Best Practices
🚀 Suggested Improvement

🌟 Overview: What is Content Filtering?

Content filtering, specifically Static Filtering in this context, refers to the process of removing or omitting certain properties from a Java Response Bean before it is serialized (converted) into the final response format (e.g., JSON or XML) and sent back to the requestor. This is a crucial step in securing and optimizing API responses.

💡 In short: It’s about ensuring only necessary and authorized data leaves your application and reaches the client.

🎯 Scope, Purpose, Use Case, Benefits, and Drawbacks

Aspect	Description
Scope	Applies to Response Beans (POJOs) used by Spring Controllers for serialization, primarily using the Jackson library.
Purpose	To control the data exposure to the client. This is essential for security and compliance.
Use Case	Hiding sensitive fields like passwords, internal IDs, or credit card numbers from non-administrative API consumers.
Benefits	Security: Reduces the risk of accidental data leakage. Performance: Smaller response payload size, leading to faster data transfer.
Drawbacks	Hardcoding: Filters are fixed on the bean itself, making them inflexible across different API endpoints (Static Filtering). Maintenance: Requires updates to the bean class for every property change.

Key Technology

This feature is provided by the Jackson library, specifically via jackson-annotations-${version}.jar, which is automatically included as a transitive dependency when you use the standard spring-boot-starter-web in your project.

🛠️ Dependency Details

The core functionality for content filtering is provided by the Jackson Annotations library.

Artifact ID:jackson-annotations-${version}.jar

Maven Dependency (Spring Boot Web Starter)

The necessary Jackson libraries, including jackson-annotations, are transitively brought in by the standard Spring Web Starter. No explicit addition of Jackson annotations is typically needed.

XML

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

💻 Code Implementation (Static Filtering)

The implementation of static filtering is straightforward and only requires changes within the Java Bean (POJO) itself. No modifications are typically needed in the Controller layer.

👩‍💻 Java Bean Annotations

We use two primary Jackson annotations to enforce static filtering:

@JsonIgnore: Marks a single property to be ignored during serialization.
@JsonIgnoreProperties: Marks a list of properties (by name) within the class to be ignored.

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;

/** * Ignore 'property4' and 'property5' for any API response using this bean. 
 */
@JsonIgnoreProperties(value = {"property4", "property5"})
public class SomeBean {

    private String property1;
    
    // Ignore the property property2
    @JsonIgnore
    private String property2;

    private String property3;
    
    // Ignored
    private String property4;
    private String property5;
    
    
    private String property6;

    // constructors, setter-getters and utility methods
}

Project POC

You can refer to the following GitHub application for a practical demonstration of static content filtering: Spring Boot POC App - Static Filtering

💡 Observations and Static Filtering Notes

Hardcoded Nature: The core takeaway is that this approach hardcodes the filtering logic directly onto the bean. Every API that returns this SomeBean will have the same properties filtered out.
Static Filtering: Due to this inflexible, bean-level hardcoding, this mechanism is explicitly termed Static Filtering.
@JsonIgnore annotation: Applied to a specific property (field/getter) to completely exclude it from both serialization (output) and deserialization (input).
@JsonIgnoreProperties annotation: Applied at the class level to specify a list of properties by name that should be ignored during serialization. It’s useful for ignoring multiple fields without cluttering the individual properties.
Response Effect: When the Spring Controller returns an instance of SomeBean, the Jackson serialization process will omit property2, property4, and property6 from the final JSON/XML output.

🖼️ Engineering Insights and Best Practices

While Static Filtering is simple, engineers should be aware of its limitations and the superior alternative: Dynamic Filtering.

1. The Need for Dynamic Filtering

The primary drawback of Static Filtering is its lack of flexibility. What if API-A needs property X exposed, but API-B (for a different user role) does not? Static filtering fails here because the rule is fixed on the bean.

Dynamic Filtering (using @JsonFilter and FilterProvider): Allows the developer to define runtime rules for filtering. The controller can specify which fields to include/exclude for a given request, providing fine-grained control for different use cases or user roles. This is the preferred approach for complex, multi-role APIs.
- For cases where different APIs need different fields from the same bean (e.g., an /admin/users API shows all fields, but a /users/self API only shows public fields)

2. Separation of Concerns (SoC)

A robust application adheres to SoC. Annotating a Domain Model (the object that represents data in the database) with @JsonIgnore couples the database structure with the API response format.

Best Practice:Always use DTOs (Data Transfer Objects) for API responses.
- Domain Model: Stays clean, focused on business logic and persistence.
- Response DTO: Used solely for the API response. Use Static Filtering on the DTO properties that are never needed by the client (e.g., version IDs). For fields that sometimes need filtering, use Dynamic Filtering on the DTO.
- Choose the Right Tool: Only use Static Filtering for properties that should NEVER be exposed by ANY API endpoint (e.g., the hashed password field in a User entity).

Static filtering is a simple and effective solution, but an experienced engineer must be aware of its limitations and alternatives:

3. Security Implications

Relying solely on filtering is not a complete security solution.

Always validate user roles/permissions in the controller/service layer before fetching or returning sensitive data, as filtering is merely a presentation layer safeguard.

🚀 Suggested Improvement

While static filtering is useful for absolute exclusion of sensitive fields, I strongly suggest you also create a separate note on Dynamic Filtering (@JsonFilter) and, ideally, a note on using DTOs (Data Transfer Objects). These approaches are more scalable and maintainable for enterprise-level applications where a single entity might need to be represented differently across various APIs.

Would you like me to generate a similar detailed note on Dynamic Content Filtering for your next post?