Squizy

Appearance

@SensitiveField

The @SensitiveField annotation marks a field as sensitive, restricting read access to authorized users. Unauthorized users see an obfuscated value instead of the actual data.

Basic Usage

java
@Entity
@SquizyEntity
public class Employee {

    @SensitiveField
    private String salary;

    @SensitiveField
    private String socialSecurityNumber;
}

Sensitive fields are always returned obfuscated in standard API responses and list views — regardless of the user's permissions. Users with the readSensitive authority for the entity (e.g., employee.readSensitive) can explicitly request the real value through a dedicated API call or through the reveal action in the UI. The value is never returned unmasked automatically.

To retrieve the unobfuscated value via API:

GET /api/{entity}/{id}/properties/{property}

For example, GET /api/employee/42/properties/salary returns the actual salary value if the user has the readSensitive authority.

Attributes

authorityName

Specifies a custom authority name instead of the default readSensitive:

java
@SensitiveField(authorityName = "readEmployeeSalary")
private String salary;

writeOnly

When true, the field can never be read — only written. No authority grants read access:

java
@SensitiveField(writeOnly = true)
private String apiKey;

storeEncoded

When true, the field value is encoded using a PasswordEncoder before being persisted to the database:

java
@SensitiveField(storeEncoded = true)
private String password;

WARNING

The storeEncoded feature uses Spring Security's PasswordEncoder. The behavior depends on which encoder is available in the application context. Verify that the encoder is properly configured for your use case.

encoderBeanName

When multiple PasswordEncoder beans are available, specifies which one to use:

java
@SensitiveField(storeEncoded = true, encoderBeanName = "bcryptEncoder")
private String password;

obfuscatorClass

Customizes how the value is masked when the user lacks read permission:

java
@SensitiveField(obfuscatorClass = CustomObfuscator.class)
private String creditCard;

The default obfuscator (DefaultObfuscator) replaces the entire value with ****:

"secret123"  →  "****"
"john@email" →  "****"

Interaction with Other Features

  • Sorting: Sensitive fields are not sortable by default. Override with @SquizyField(sortable = SortableMode.SORTABLE) if needed.
  • Export: Sensitive fields are not included in exports unless the user has the required authority.
  • Bulk Update: Sensitive fields cannot be bulk-updated.