I have an User object, with login and password as properties.
I have mapped the class and when I save it, on the onSave method, I MD5 the password.

Ok. On my web interface, while updating the user, I can't show the password, it comes empty (since I can't decript MD5 encription). If the user fills in the password, then I assume he wants to change it. But if he leaves it empty, the password should remain the same.

How can I tell Hibernate to only update the password in certain circumstances? Do I have to persist those cahnges vis regular SQL through JDBC connections?

If I leave the property at null, does it sets null on the record or leaves it untouched?

Thx in advance.

Don't set the field to Null or Hibernate will see it as a changed field and set the value in the database to Null.

I would suggest that you store the result of the input field somewhere temporary where you can check it before setting it on your persistent object.

mmmm. That wouldn't work, I need to cripto the password for security reasons. How long do I have to keep the password cached? I can't tell. The user can change password after 1 year of use...

So... regular SQL statements?

I don't think you understood what I meant.

How are you displaying to the user? Are you using MVC?

All I meant was, on the display where the user can change the password, setup a "temp" variable for the user to enter (or not enter) a password into. If they enter one then encrypt it and set it on your persistent object before you call saveOrUpdate, other wise don't set it thereby preserving the original value.

I don't know what your architecture is but this is a common practice with something like Struts.

I think I figured it out.

My User class has an onSave() method where I encript my password.
Now, I must implement an onUpdate() method. When I load an object, it will come with the encrypted password from the DB.

If the form is sent with password empty, onUpdate() does nothing. That said, it will keep the password unchanged.

If the form comes with password set, then recrypt the password on the onUpdate() method.

Is that what u mean?

I can do that. It's quite clear to me now.

I think that will work.

Be careful. onUpdate is not called every time the object is persisted. It is only called when you update a transient object. I was using the same solution until I realized this was the behavior of onUpdate.

The new solution I came up with is to have 2 get/set pairs. One was named passwordInternal, was private, and was mapped in hibernate. The other was named password, was public, and was not mapped in hibernate. They both use the same private password field though. The passwordInternal was just a simple get/set for hibernate to use, which left the public setPassword to encrypt the password as necessary.

Joe

I need a similar functionality.

Except, I don't want to implement the encrypt/decrypt on the persisted object itself; I want to do it in a centralized place, like in an Interceptor.

The problem is identifying *which* columns to encrypt/decrypt. I could go with a separate configuration file that my Interceptor uses, but this seems like a waste, as it would duplicate a lot of the Hibernate configuration.

Is there any way to hook into the Hibernate configuration to add my own attributes to the <property> definitions, that would then be readable by my Interceptor?

(I'm using Hibernate 2.1.5)

I could use a UserType.

However, it is instantiated by Hibernate itself.

Why is this a problem? Because I need to give the UserType information to encrypt/decrypt the specific column it's attached to, such as the encryption key, which is specific to the currently-logged-in-user.

Any suggestions on how to do this with either Interceptor or UserType?

OK, what I did was:
1. Modified the dtd to allow a new 'encrypted' attribute on Property
2. Modified the Property class to get/set the encrypted property
3. Modified the Binder to set the encrypted attribute on Property (bindProperty method)
4. Rebuilt hibernate.jar

Then on the "client" side:
1. Changed my mapping file to specify the encrypted attribute on just the properties I wanted
2. Modified my custom Interceptor's onLoad and onSave methods to look up in the Configuration mapping if a property was encrypted or not.

Worked!

If the Hibernate team would like me to submit this, I'd be happy to.