users@jersey.java.net

[Jersey] "Owned" Entity Filtering

From: Michael Krotscheck <krotscheck_at_gmail.com>
Date: Tue, 03 Mar 2015 03:46:40 +0000

Hey everyone-

I'm currently digging through Jersey 2.16 entity filtering, and have a
question about possible approaches to determine "owned" entity filtering.
Consider this use case:

I have a resource at /user/{0-9+} which supports JSON GET/POST/PUT/DELETE.
As a generic user, I can GET from /user/, however the result entities are
filtered so I cannot see private things like 'email', 'blacklisted', etc.
As an admin, however, I can see all these properties. All of this is
handled via the SecurityEntityFilteringFeature and standard java security
annotations, yay!

I would now like to add the ability for the user, identified by the
security context's getPrincipal(), to have a slightly elevated security
permission where they can see their own email address, however can't see
the 'role' property, but they can't see anyone else's.

I've already gotten to the point of implementing my own Entity Processor,
which is almost what I'm looking for, however it itself doesn't seem to
contain a way to access the entity under consideration to determine if it's
owned. My current thoughts are that I can somehow use a custom role
annotation, say 'owner', and decorate the entity before the processor gets
to it, however I'm not quite certain where to hook my code in.

Any suggestions would be welcome.

Michael
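One way to get owner-aware field filtering without reaching into Jersey's processor internals is a standard JAX-RS WriterInterceptor that sees both the entity and the SecurityContext. The following is an added example, not code from the poster or from Jersey; the `@OwnerVisible` annotation, the `Owned` interface and the `User` class are assumptions made for the illustration. Fields carrying `@RolesAllowed` are hidden unless the caller holds one of those roles, except that an `@OwnerVisible` field is also shown to the principal who owns the entity, so a user sees their own `email` but never `role`, and never anyone else's `email`. Unknown cases fail closed.

```java
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Array;
import java.lang.reflect.Field;
import java.security.Principal;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import javax.ws.rs.ext.WriterInterceptor;
import javax.ws.rs.ext.WriterInterceptorContext;

/** Hypothetical marker: the field may be shown to the entity's owner. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface OwnerVisible {}

/** Hypothetical contract: an entity that knows which principal owns it. */
interface Owned {
    String ownerName();
}

/** Example entity; owner is the principal whose name matches 'name'. */
class User implements Owned {
    public long id;
    public String name;
    @OwnerVisible @RolesAllowed("admin") public String email;   // owner or admin
    @RolesAllowed("admin") public String role;                  // admin only
    @RolesAllowed("admin") public boolean blacklisted;          // admin only
    public String ownerName() { return name; }
}

/** Scrubs restricted fields from Owned entities (and collections of them) before serialization. */
@Provider
public class OwnerFilteringInterceptor implements WriterInterceptor {

    @Context
    private SecurityContext security;

    @Override
    public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException {
        Object entity = ctx.getEntity();
        if (entity instanceof Owned) {
            scrub((Owned) entity, security);
        } else if (entity instanceof Iterable) {
            for (Object item : (Iterable<?>) entity) {
                if (item instanceof Owned) scrub((Owned) item, security);
            }
        }
        ctx.proceed();
    }

    /** Clears every field the caller may not see; unannotated fields are public. */
    static void scrub(Owned entity, SecurityContext security) {
        Principal principal = security.getUserPrincipal();
        boolean isOwner = principal != null
                && principal.getName().equals(entity.ownerName());

        for (Field field : entity.getClass().getFields()) {
            RolesAllowed roles = field.getAnnotation(RolesAllowed.class);
            if (roles == null) continue;

            boolean allowed = false;
            for (String role : roles.value()) {
                if (security.isUserInRole(role)) allowed = true;
            }
            if (!allowed && isOwner && field.isAnnotationPresent(OwnerVisible.class)) {
                allowed = true;
            }
            if (!allowed) {
                try {
                    // Primitives get their zero value; reference types become null.
                    field.set(entity, defaultValue(field.getType()));
                } catch (IllegalAccessException e) {
                    throw new IllegalStateException("cannot clear " + field.getName(), e);
                }
            }
        }
    }

    /** Default value of a type: false/0 for primitives, null otherwise. */
    static Object defaultValue(Class<?> type) {
        return type.isPrimitive() ? Array.get(Array.newInstance(type, 1), 0) : null;
    }
}
```

Clearing fields in place is the simplest hook but it mutates the entity the resource returned, so return detached copies (or DTOs) rather than managed persistence objects. The check is evaluated per entity, which is what makes the collection case at /user/ work: each element is compared against the caller's principal, and an owner sees only their own restricted fields.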