Field security

Field security lets you redact or deny access to individual DTO fields based on roles.

Reading

Mark a property with @FieldSecurity(readRoles = "ADMIN,MANAGER"). When the current user lacks the required role, the field is removed from the response DTO.

Writing

Use writeRoles and writePolicy to control writes.

```java
// Only ADMIN may write this field; a request from any other caller is rejected.
@FieldSecurity(writeRoles = "ADMIN", writePolicy = FieldWritePolicy.DENY)
String secret;
```

DENY rejects the request outright, while REDACT discards the submitted value for that field.
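To make the read and write semantics above concrete, here is an added, self-contained illustration that is not the library's own code: it declares a stand-in @FieldSecurity annotation and FieldWritePolicy enum with the shapes this page implies, then enforces readRoles by clearing unreadable fields and writeRoles by applying DENY or REDACT. The constructed ProjectDto, the role-matching rule (any one listed role suffices, an empty list means unrestricted) and the "null means not supplied" convention for writes are assumptions of the example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.Set;

// Stand-ins for the annotation and policy enum described on this page (assumed shapes, not the library's).
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
@interface FieldSecurity {
    String readRoles() default "";
    String writeRoles() default "";
    FieldWritePolicy writePolicy() default FieldWritePolicy.DENY;
}
enum FieldWritePolicy { DENY, REDACT }
// Constructed sample DTO: budget is readable by ADMIN/MANAGER only; secret is writable by ADMIN only.
class ProjectDto {
    @FieldSecurity(readRoles = "ADMIN,MANAGER") public String budget;
    @FieldSecurity(writeRoles = "ADMIN", writePolicy = FieldWritePolicy.DENY) public String secret;
}
public class FieldSecurityDemo {
    // Assumption: an empty role list means unrestricted; otherwise any one listed role suffices.
    static boolean allowed(Set<String> userRoles, String csv) {
        return csv.isEmpty() || Arrays.stream(csv.split(",")).map(String::trim).anyMatch(userRoles::contains);
    }

    // Reading: clear fields the caller may not read, so a null-omitting serializer drops them from the response.
    static void redactForRead(Object dto, Set<String> roles) throws IllegalAccessException {
        for (Field f : dto.getClass().getDeclaredFields()) {
            FieldSecurity fs = f.getAnnotation(FieldSecurity.class);
            if (fs != null && !allowed(roles, fs.readRoles())) { f.setAccessible(true); f.set(dto, null); }
        }
    }
    // Writing: DENY rejects the whole request, REDACT clears the value; only supplied (non-null) fields are checked.
    static void checkWrite(Object in, Set<String> roles) throws IllegalAccessException {
        for (Field f : in.getClass().getDeclaredFields()) {
            FieldSecurity fs = f.getAnnotation(FieldSecurity.class);
            f.setAccessible(true);
            if (fs == null || f.get(in) == null || allowed(roles, fs.writeRoles())) continue;
            if (fs.writePolicy() == FieldWritePolicy.DENY)
                throw new SecurityException("write to '" + f.getName() + "' requires role(s) " + fs.writeRoles());
            f.set(in, null); // REDACT: drop the value, let the rest of the request proceed
        }
    }
    public static void main(String[] args) throws Exception {
        ProjectDto dto = new ProjectDto(); dto.budget = "1200";
        redactForRead(dto, Set.of("USER"));      // a plain USER holds neither ADMIN nor MANAGER, so budget is cleared
        ProjectDto update = new ProjectDto(); update.secret = "rotated";
        checkWrite(update, Set.of("ADMIN"));     // ADMIN holds the write role, so the request proceeds
        checkWrite(update, Set.of("USER"));      // USER does not, and the DENY policy raises SecurityException
    }
}
```

In a real deployment the same checks would sit in a serializer or request filter rather than be called by hand, and primitive-typed fields would need a sentinel instead of null.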

Tips

  • Apply field security on DTO-facing properties rather than entity internals.
  • Combine with row security for end-to-end protection.