24.11. Controlling what data is returned

When a remote method is executed, the result is serialized into an XML response, which is returned to the client. This response is then unmarshaled by the client into a JavaScript object. For complex types (such as JavaBeans) that include references to other objects, all referenced objects are also serialized as part of the response. These objects can reference other objects, which can reference other objects, and so on — so, if left unchecked, this object "graph" can be enormous.
For this reason, and to prevent sensitive information being exposed to the client, Seam Remoting lets you constrain the object graph by specifying the exclude field of the remote method's @WebRemote annotation. This field accepts a String array containing one or more paths specified with dot notation. When invoking a remote method, the objects in the result's object graph that match these paths are excluded from the serialized result packet.
The examples that follow are all based on this Widget class:
@Name("widget")
public class Widget {
    private String value;
    private String secret;
    private Widget child;
    private Map<String,Widget> widgetMap;
    private List<Widget> widgetList;
    
    // getters and setters for all fields

24.11.1. Constraining normal fields

If your remote method returns an instance of Widget, but you do not want to expose the secret field because it contains sensitive information, you would constrain it like so:
@WebRemote(exclude = {"secret"}) 
public Widget getWidget();
The value "secret" refers to the secret field of the returned object.
Now, note that the returned Widget value has a field child that is also a Widget. If we want to hide the child's secret value, rather than the field itself, we can use dot notation to specify this field's path within the result object's graph:
@WebRemote(exclude = {"child.secret"}) 
public Widget getWidget();