About Security Entity Filtering Module

Filters entity properties out of Jackson's serialized output according to the @DenyAll and @RolesAllowed annotations.

How to use

Register the Jsr250Module with an ObjectMapper:

ObjectMapper objectMapper = new ObjectMapper();
objectMapper.registerModule(new Jsr250Module());

Mark your properties with the @RolesAllowed and @DenyAll annotations:

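public class User {

	private String username;
	private String password;

	@RolesAllowed("ROLE_ADMIN") // example role name
	public String getUsername() {
		return username;
	}

	@DenyAll // never serialized
	public String getPassword() {
		return password;
	}
}
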
The relevant properties are then filtered out of the serialized JSON; see Jsr250ModuleTest for details.

Note: the roles are read from SecurityContextHolder.getContext().getAuthentication().getAuthorities() of spring-security.
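
As an added illustration (not this project's code, and not necessarily how Jsr250Module works internally), here is one way annotation-driven property filtering of this kind can be built on Jackson 2.x. The class names are hypothetical, javax.annotation.security is assumed for the JSR-250 annotations, and denying @RolesAllowed properties when no Authentication is present is a choice made for this sketch.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.ser.*;
import org.springframework.security.core.*;
import org.springframework.security.core.context.SecurityContextHolder;
import javax.annotation.security.*;
import java.util.*;

// Hypothetical module name; Jackson 2.x and javax.annotation.security are assumed.
public class RoleFilterSketchModule extends SimpleModule {
    public RoleFilterSketchModule() {
        setSerializerModifier(new BeanSerializerModifier() {
            @Override // wrap every property writer so the check runs on each serialization
            public List<BeanPropertyWriter> changeProperties(SerializationConfig config,
                    BeanDescription desc, List<BeanPropertyWriter> props) {
                props.replaceAll(GuardedWriter::new);
                return props;
            }
        });
    }

    static class GuardedWriter extends BeanPropertyWriter {
        GuardedWriter(BeanPropertyWriter base) { super(base); }

        @Override
        public void serializeAsField(Object bean, JsonGenerator gen, SerializerProvider prov)
                throws Exception {
            if (allowed()) super.serializeAsField(bean, gen, prov); // else: omit the field
        }

        @Override // array-shaped beans: write null so element positions stay stable
        public void serializeAsElement(Object bean, JsonGenerator gen, SerializerProvider prov)
                throws Exception {
            if (allowed()) super.serializeAsElement(bean, gen, prov); else gen.writeNull();
        }

        private boolean allowed() {
            if (getAnnotation(DenyAll.class) != null) return false;
            RolesAllowed roles = getAnnotation(RolesAllowed.class);
            if (roles == null) return true; // unannotated properties are always written
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null) return false; // fail closed when nobody is authenticated
            for (GrantedAuthority a : auth.getAuthorities())
                if (Arrays.asList(roles.value()).contains(a.getAuthority())) return true;
            return false;
        }
    }
}
```

Because the check runs inside the property writer rather than at serializer construction time, the decision is made per call against the current thread's security context, so Jackson's cached serializers do not leak one caller's view to another.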