Show HN: SCIM filters to parameterized Postgres SQL for modern Java
A converter from SCIM filter expressions to parameterized SQL for PostgreSQL. It parses RFC 7644 filter strings and produces SQL WHERE clauses with named parameters, so filter values travel as bindings and the result is safe from injection by design.
The generated SQL uses PostgreSQL-specific syntax for typed values (CAST(… AS UUID), CAST(… AS timestamptz), CAST(… AS jsonb), @> for JSON containment). Standard comparisons (=, !=, LIKE, IN, IS NOT NULL) are portable across databases. The compareFilterBuilder extension point allows overriding SQL generation for other databases.
Add the dependency:
Parse a SCIM filter into SQL:
The prefix parameter namespaces all generated parameter keys, making it safe to combine multiple parsed filters in a single query.
Combine filters with and, or, not, and parentheses:
Values can carry type hints that produce SQL CAST expressions. Prefix the value inside the quotes:
JSON equality uses PostgreSQL's @> (contains) operator instead of =.
CamelCase attribute names are automatically converted to snake_case column names:
Dotted paths (e.g. name.familyName) are preserved as-is in the clause and flattened to underscores in parameter keys.
Context collects all parameter bindings as the filter tree is evaluated:
Attribute names become column names in the generated clause rather than bound parameters, so use context().isValid(Set.of("name", "age")) to allowlist which attributes callers are permitted to filter on.
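A stand-alone sketch of the technique described above (named parameters, key prefixing, snake_case columns, attribute allowlisting), added here as an illustration; it is not this library's code or API. The class and method names, the parameter-key layout, the LIKE wildcard escaping and the reduced operator set (no parentheses or not) are assumptions of the sketch, and the filter in main is constructed sample input.

```java
import java.util.*;
import java.util.regex.*;

public class ScimFilterSketch {
  // One comparison: attr op "value". No parentheses, "not", or escaped quotes in this sketch.
  static final Pattern CMP = Pattern.compile(
      "\\s*([A-Za-z][A-Za-z0-9.]*)\\s+(eq|ne|co|sw|gt|lt)\\s+\"([^\"]*)\"\\s*",
      Pattern.CASE_INSENSITIVE);
  static final Pattern JOIN = Pattern.compile("(and|or)\\b", Pattern.CASE_INSENSITIVE);
  static final Map<String, String> OPS =
      Map.of("eq", "=", "ne", "!=", "co", "LIKE", "sw", "LIKE", "gt", ">", "lt", "<");
  record Sql(String clause, Map<String, Object> params) {}

  static String snake(String attr) { // userName -> user_name
    return attr.replaceAll("([a-z0-9])([A-Z])", "$1_$2").toLowerCase(Locale.ROOT);
  }

  static Sql toSql(String filter, String prefix, Set<String> allowed) {
    Map<String, Object> params = new LinkedHashMap<>();
    StringBuilder sql = new StringBuilder();
    for (int pos = 0; ; ) {
      Matcher m = CMP.matcher(filter).region(pos, filter.length());
      if (!m.lookingAt()) throw new IllegalArgumentException("syntax error at offset " + pos);
      String attr = m.group(1), op = m.group(2).toLowerCase(Locale.ROOT), value = m.group(3);
      // Attribute names end up in the SQL text, so they must come from an allowlist.
      if (!allowed.contains(attr)) throw new IllegalArgumentException("not filterable: " + attr);
      String col = snake(attr);
      // Key layout (prefix, flattened path, counter) is this sketch's assumption.
      String key = prefix + "_" + col.replace('.', '_') + "_" + params.size();
      if (op.equals("co") || op.equals("sw")) {
        // Binding stops injection but not wildcards: escape \ % _ before adding our own %.
        value = (op.equals("co") ? "%" : "") + value.replaceAll("([\\\\%_])", "\\\\$1") + "%";
      }
      params.put(key, value);
      sql.append(col).append(' ').append(OPS.get(op)).append(" :").append(key);
      if ((pos = m.end()) == filter.length()) return new Sql(sql.toString(), params);
      Matcher j = JOIN.matcher(filter).region(pos, filter.length());
      if (!j.lookingAt()) throw new IllegalArgumentException("expected and/or at offset " + pos);
      sql.append(' ').append(j.group(1).toUpperCase(Locale.ROOT)).append(' ');
      pos = j.end();
    }
  }

  public static void main(String[] args) {
    Sql s = toSql("userName sw \"a_b\" and name.familyName eq \"x' OR '1'='1\"",
        "u", Set.of("userName", "name.familyName"));
    System.out.println(s.clause()); // only column names, operators and :keys
    System.out.println(s.params()); // the quote-laden value stays data, bound by key
  }
}
```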
Override SQL generation for specific comparisons by passing a compareFilterBuilder function:
This lets you intercept ComparisonFilter instances and return a subclass with custom toClause() or paramKey() behavior.
Requires JDK 25+ and Maven.
Uses google-java-format via Spotless (2-space indentation, no tabs).
MIT
Marco Rodriguez