24.11. Controlling what data is returned

⁠24.11. Controlling what data is returned

When a remote method is executed, the result is serialized into an XML response, which is returned to the client. This response is then unmarshaled by the client into a JavaScript object. For complex types (such as JavaBeans) that include references to other objects, all referenced objects are also serialized as part of the response. These objects can reference other objects, which can reference other objects, and so on — so, if left unchecked, this object "graph" can be enormous.

For this reason, and to prevent sensitive information being exposed to the client, Seam Remoting lets you constrain the object graph by specifying the exclude field of the remote method's @WebRemote annotation. This field accepts a String array containing one or more paths specified with dot notation. When invoking a remote method, the objects in the result's object graph that match these paths are excluded from the serialized result packet.

The examples that follow are all based on this Widget class:

@Name("widget")
public class Widget {
	private String value;
	private String secret;
	private Widget child;
	private Map<String,Widget> widgetMap;
	private List<Widget> widgetList;
		
	// getters and setters for all fields
}

⁠24.11.1. Constraining normal fields

If your remote method returns an instance of Widget, but you do not want to expose the secret field because it contains sensitive information, you would constrain it like so:

@WebRemote(exclude = {"secret"})
public Widget getWidget();

The value "secret" refers to the secret field of the returned object.

Now, note that the returned Widget value has a field child that is also a Widget. If we want to hide the child's secret value, rather than the field itself, we can use dot notation to specify this field's path within the result object's graph:

@WebRemote(exclude = {"child.secret"})
public Widget getWidget();

⁠24.11.2. Constraining Maps and Collections

Objects within an object graph can also exist in a Map or a Collection (that is, a List, a Set, an Array, etc.). Collections are treated like any other field — for example, if our Widget contained a list of other Widgets in its widgetList field, we would constrain the secret field of the Widgets in this list with the following notation:

@WebRemote(exclude = {"widgetList.secret"})
public Widget getWidget();

To constrain a Map's key or value, the notation is slightly different. Appending [key] after the Map's field name constrains the Map's key object values, while [value] constrains the value object values. The following example demonstrates how the values of the widgetMap field have their secret field constrained:

@WebRemote(exclude = {"widgetMap[value].secret"})
public Widget getWidget();

⁠24.11.3. Constraining objects of a specific type

You can use square brackets to constrain the fields of an object type regardless of its location in the object graph. If the object is a Seam component, use the name of the component; if not, use the fully-qualified class name, like so:

@WebRemote(exclude = {"[widget].secret"})
public Widget getWidget();

⁠24.11.4. Combining Constraints

Constraints can also be combined to filter objects from multiple paths within the object graph:

@WebRemote(exclude = {"widgetList.secret", "widgetMap[value].secret"})
public Widget getWidget();