| Author |
How to obfuscate or mask returned data?
|
Michael Staszewski
Greenhorn
Joined: Oct 10, 2011
Posts: 16
|
|
I'd like to mask certain data that is returned by my web service. For example, suppose I have a routine to return a user profile having a specified email address. The user profile may contain information that is to be hidden from all other users other than the owner of the profile, birth date for instance.
If I have a routine defined as...
I'd like to do something like the following psuedocode.
if UserRequestingProfileIsNotUserOwningFoundProfile and UserProfile.HideBirthdate then
UserProfile.Birthdate = null;
I have logic already to determine whether or not the user requesting the resource is entitled to see all data so we can skip that part, but when I do UserProfile.Birthdate = SomeOtherValue the underlying database storing the userprofile data is updated. I'd like to modify the return value and not update the underlying data.
Any help is much appreciated.
Thanks,
Michael
|
 |
Ivan Krizsan
Bartender
Joined: Oct 04, 2006
Posts: 2193
|
|
Hi!
Have you tried to create a UserProfiles object that is not attached to any persistence context, copying the data from the UserProfiles object, make modifications and then return the new UserProfiles object?
Another approach is to encrypt, or obfuscate in some way, certain fields in a servlet filter or handler.
Handlers are for SOAP web services (JAX-WS).
Regretfully, JAX-RS does not seem to have any specification for interceptors, though there are work done in this area.
See: http://bill.burkecentral.com/2011/05/24/interceptors-in-jax-rs-2-0/
So I guess that a servlet filter is the only option with a RESTful web service. Do correct me if I am wrong!
Best wishes!
|
My free books and tutorials: http://www.slideshare.net/krizsan
|
|
Michael Staszewski
Greenhorn
Joined: Oct 10, 2011
Posts: 16
|
|
Have you tried to create a UserProfiles object that is not attached to any persistence context, copying the data from the UserProfiles object, make modifications and then return the new UserProfiles object?
I have not. At the moment I'm still learning this stuff and am unsure how to create a userprofile object in such a manner, but I'll look into it.
So I guess that a servlet filter is the only option with a RESTful web service.
Thanks. I'll look into this route as well.
Thanks,
Michael
|
|
Michael Staszewski
Greenhorn
Joined: Oct 10, 2011
Posts: 16
|
|
Have you tried to create a UserProfiles object that is not attached to any persistence context, copying the data from the UserProfiles object, make modifications and then return the new UserProfiles object?
I had actually moved away from this topic for a few days and intended on coming back to it, but I stumbled across something in my research that looks like it fits the bill... at least for my needs.
This will detach the specified object from the entity manager so that future changes to it are not persisted. In my use case I want to tweak the data returned via GET so I don't see any problems with first detaching the objects I wish to modify. If there are any best practices out there that suggest detachment is not the preferred method of obfuscation or hiding data then please correct me.
Thanks,
Michael
|
|
Ivan Krizsan
Bartender
Joined: Oct 04, 2006
Posts: 2193
|
|
Hi!
As far as I am concerned, this is a perfectly reasonable solution.
Interesting to hear about the follow-up on the problem!
Thanks for sharing.
|
|
 |
|
|
subject: How to obfuscate or mask returned data?
|
|
|
0
