Data Hiding Using JsonIgnore and Spring Data JPA

Take a look at a couple of annotations you can use to hide fields from a Jackson parser. We cover how to do it and the security concerns involved.

Data hiding using JsonIgnore and Spring Data JPA is achieved using two approaches:

  • @JsonIgnore and @JsonIgnoreProperties
  • Repository Detection Strategies

This post considers @JsonIgnore and @JsonIgnoreProperties.

Code

The code is available at:

Code Changes

I’ve added an extra table for this example:

@Entity
public class Secrets {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private long id;
    private String mySecrets;
    public String getMySecrets() {
        return mySecrets;
    }
    public void setMySecrets(String mySecrets) {
        this.mySecrets = mySecrets;
    }
}


With its associated repository:

@PreAuthorize("hasRole('ROLE_USER')")
public interface SecretsRepository extends CrudRepository<Secrets, Long> {
}


Running the Code

I have left the security from the last tutorial, Securing Spring Data REST with PreAuthorize, in place – but we can run this code using:

mvnw spring-boot:run


We can then call rest/profile to see the two exposed repositories:

curl -u user:user -X GET http://localhost:8080/rest/profile
{
    "_links": {
        "self": {
            "href": "http://localhost:8080/rest/profile"
        },
        "secrets": {
            "href": "http://localhost:8080/rest/profile/secrets"
        },
        "parkrunCourses": {
            "href": "http://localhost:8080/rest/profile/parkrunCourses"
        }
    }
}


And calling the secrets REST endpoint:

curl -u user:user -X GET http://localhost:8080/rest/secrets/1
{
    "mySecret": "I want to hide this",
    "_links": {
        "self": {
            "href": "http://localhost:8080/rest/secrets/1"
        },
        "secret": {
            "href": "http://localhost:8080/rest/secrets/1"
        }
    }
}


This post looks at techniques I can use to not expose the SecretRepository.

@JsonIgnore and @JsonIgnoreProperties

The purpose of @JsonIgnore and @JsonIgnoreProperties is to hide attributes from the Jackson parser by instructing it to ignore these fields.

Usage is simply a matter of tagging the attribute with @JsonIgnore.

@Entity
public class Secret {
    //
    @JsonIgnore
    private String mySecret;
    //
}


Or we can achieve the same using the @JsonIgnoreProperties annotation.

With either of these changes, we can then call our secrets REST endpoint, and the mySecret field is no longer exposed:

curl -u user:user -X GET http://localhost:8080/rest/secrets/1
{
    "_links": {
        "self": {
            "href": "http://localhost:8080/rest/secrets/1"
        },
        "secret": {
            "href": "http://localhost:8080/rest/secrets/1"
        }
    }
}
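
The two annotations side by side, as an added example that is not part of the original article: the plain classes FieldIgnored and ClassIgnored (hypothetical names) stand in for the Secret entity, and a bare Jackson ObjectMapper with default settings stands in for the REST layer. It also reads a constructed request body to show that both annotations ignore the property on input as well as on output. It assumes jackson-databind is on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example: plain classes stand in for the article's JPA entity.
public class JsonIgnoreDemo {

    // Field-level: Jackson drops the logical property "mySecret".
    public static class FieldIgnored {
        private long id = 1;
        @JsonIgnore
        private String mySecret = "I want to hide this";
        public long getId() { return id; }
        public void setId(long id) { this.id = id; }
        public String getMySecret() { return mySecret; }
        public void setMySecret(String mySecret) { this.mySecret = mySecret; }
    }

    // Class-level: properties to ignore are listed by their JSON names.
    @JsonIgnoreProperties({"mySecret"})
    public static class ClassIgnored {
        private long id = 1;
        private String mySecret = "I want to hide this";
        public long getId() { return id; }
        public void setId(long id) { this.id = id; }
        public String getMySecret() { return mySecret; }
        public void setMySecret(String mySecret) { this.mySecret = mySecret; }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // Output side: neither JSON document contains "mySecret".
        System.out.println(mapper.writeValueAsString(new FieldIgnored()));
        System.out.println(mapper.writeValueAsString(new ClassIgnored()));

        // Input side, using a constructed request body: "id" is bound,
        // "mySecret" is skipped, so the field keeps its server-side value.
        String body = "{\"id\":2,\"mySecret\":\"set by client\"}";
        FieldIgnored a = mapper.readValue(body, FieldIgnored.class);
        ClassIgnored b = mapper.readValue(body, ClassIgnored.class);
        System.out.println(a.getId() + " " + a.getMySecret());
        System.out.println(b.getId() + " " + b.getMySecret());
    }
}
```

The value is only filtered at the JSON boundary: it is still stored in the table and still readable through the getter by any server-side code.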

Conclusion

@JsonIgnore or @JsonIgnoreProperties simply hides the field from the Jackson parser. This is good for hiding small pieces of information. The downside is we still have an exposed endpoint due to the default Repository Detection Strategies.

Published at DZone with permission of Martin Farrell, DZone MVB. See the original article here.
