24.11. Controlling what data is returned
When a remote method is executed, the result is serialized into an XML response, which is returned to the client. This response is then unmarshaled by the client into a JavaScript object. For complex types (such as JavaBeans) that include references to other objects, all referenced objects are also serialized as part of the response. These objects can reference other objects, which can reference other objects, and so on — so, if left unchecked, this object "graph" can be enormous.
For this reason, and to prevent sensitive information being exposed to the client, Seam Remoting lets you constrain the object graph by specifying the
exclude
field of the remote method's @WebRemote
annotation. This field accepts a String array containing one or more paths specified with dot notation. When invoking a remote method, the objects in the result's object graph that match these paths are excluded from the serialized result packet.
The examples that follow are all based on this
Widget
class:
@Name("widget") public class Widget { private String value; private String secret; private Widget child; private Map<String,Widget> widgetMap; private List<Widget> widgetList; // getters and setters for all fields
24.11.1. Constraining normal fields
If your remote method returns an instance of
Widget
, but you do not want to expose the secret
field because it contains sensitive information, you would constrain it like so:
@WebRemote(exclude = {"secret"}) public Widget getWidget();
The value "secret" refers to the
secret
field of the returned object.
Now, note that the returned
Widget
value has a field child
that is also a Widget
. If we want to hide the child
's secret
value, rather than the field itself, we can use dot notation to specify this field's path within the result object's graph:
@WebRemote(exclude = {"child.secret"}) public Widget getWidget();