All times are UTC - 5 hours [ DST ]



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 7 posts ] 
 Post subject: Hibernate security
PostPosted: Fri Jan 23, 2004 8:29 am 
Senior

Joined: Sun Jan 04, 2004 2:46 pm
Posts: 147
Hi all.

Does anyone know of, or has anyone found, a way of implementing read/search permissions in Hibernate? At the moment I have a system of protecting the database against unauthorised update(), save() and delete() by implementing Lifecycle and using the functions there.

But I can't find a way of doing the same for find() and get(). I can implement my own checking for get() as I know the type of the object I am retrieving, but for a find() where I'm doing

Code:
select x.y, x.z from MyTable x


I could parse the HQL query but ideally I'd like Hibernate to call back somehow after it parses the query with a list of objects/tables that will be accessed by the query. Presumably Hibernate does have this information at some point during the execution of find(). Is there any way of getting this data out, so I can run my security check?

Cheers.

Myk.


 
 Post subject:
PostPosted: Fri Jan 23, 2004 1:22 pm 
Hibernate Team

Joined: Sun Sep 14, 2003 3:54 am
Posts: 7256
Location: Paris, France
Did you look at Interceptor?

_________________
Emmanuel


 
 Post subject:
PostPosted: Wed Jan 28, 2004 7:11 am 
Senior

Joined: Sun Jan 04, 2004 2:46 pm
Posts: 147
I've just tried using an Interceptor class but it doesn't appear to help me - although the onLoad() of the Interceptor class gets called when an HQL query returns an object, an HQL query returning one part of an object does not trigger the Interceptor.

e.g.

"select t from TestObject t" -> triggers onLoad()

"select t.Prop from TestObject t" -> NO trigger for onLoad()

Although this is probably expected behaviour, what I need is a way of trapping any access to an object table. Ultimately I'm trying to restrict select/update/delete/save access for each table in the database on a per-user basis. find() must know which tables it is accessing - I somehow need to get to this information.

Currently, the only thing I can think of is to parse the HQL query itself and extract the table names it is accessing for security checks.

Any other ideas?

Thanks in advance,

Myk.


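A worked version of the Interceptor approach Emmanuel points to, covering both the save/update/delete vetoes Myk already does through Lifecycle in the first post and the load check he wants for get()/find(). This is an added example, not code from the thread or from the Hibernate project. It assumes the Hibernate 2.1 net.sf.hibernate.Interceptor method set, a hypothetical permission table keyed by user name and entity class name, and a Session opened with sessionFactory.openSession(interceptor). It has exactly the limit Myk observed: a projection query such as "select t.Prop from TestObject t" never materialises the entity, so onLoad() never fires and this interceptor cannot see it.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import net.sf.hibernate.CallbackException;
import net.sf.hibernate.Interceptor;
import net.sf.hibernate.type.Type;

/**
 * Per-user, per-entity access check wired into Hibernate 2.1's Interceptor
 * callbacks (hypothetical example; the permission table is constructed below).
 * Raw collection types are used because this targets the Java 1.4-era API.
 */
public class AccessControlInterceptor implements Interceptor {

    public static final String READ = "read";
    public static final String WRITE = "write";
    public static final String DELETE = "delete";

    private final String user;
    // user name -> (entity class name -> Set of granted operations)
    private final Map permissions;

    public AccessControlInterceptor(String user, Map permissions) {
        this.user = user;
        this.permissions = permissions;
    }

    /** Deny by default: a missing user, class or operation entry throws. */
    private void require(Object entity, String op) throws CallbackException {
        String className = entity.getClass().getName();
        Map byClass = (Map) permissions.get(user);
        Set ops = (byClass == null) ? null : (Set) byClass.get(className);
        if (ops == null || !ops.contains(op)) {
            // Throwing from a callback aborts the operation; Hibernate propagates
            // it to the caller of get()/find()/save()/flush() as a HibernateException.
            throw new CallbackException("user " + user + " may not " + op + " " + className);
        }
    }

    // Fires when an entity instance is materialised: get(), load(), or a find()
    // that selects whole entities. It does NOT fire for projection queries such as
    // "select t.Prop from TestObject t", which never instantiate the entity.
    public boolean onLoad(Object entity, Serializable id, Object[] state,
                          String[] propertyNames, Type[] types) throws CallbackException {
        require(entity, READ);
        return false; // state array left untouched
    }

    public boolean onSave(Object entity, Serializable id, Object[] state,
                          String[] propertyNames, Type[] types) throws CallbackException {
        require(entity, WRITE);
        return false;
    }

    // Fires at flush time for entities found dirty, i.e. the update() path.
    public boolean onFlushDirty(Object entity, Serializable id, Object[] currentState,
                                Object[] previousState, String[] propertyNames,
                                Type[] types) throws CallbackException {
        require(entity, WRITE);
        return false;
    }

    public void onDelete(Object entity, Serializable id, Object[] state,
                         String[] propertyNames, Type[] types) throws CallbackException {
        require(entity, DELETE);
    }

    // Remaining callbacks: no-ops that leave Hibernate's default behaviour in place.
    public void preFlush(Iterator entities) {}
    public void postFlush(Iterator entities) {}
    public Boolean isUnsaved(Object entity) { return null; }
    public int[] findDirty(Object entity, Serializable id, Object[] currentState,
                           Object[] previousState, String[] propertyNames, Type[] types) {
        return null;
    }
    public Object instantiate(Class clazz, Serializable id) { return null; }

    /** Constructed sample table: alice may read, write and delete Order; bob may only read it. */
    public static Map samplePermissions() {
        Map perms = new HashMap();
        Set all = new HashSet();
        all.add(READ); all.add(WRITE); all.add(DELETE);
        Map alice = new HashMap();
        alice.put("com.example.Order", all);              // hypothetical entity class name
        Map bob = new HashMap();
        bob.put("com.example.Order", new HashSet(Collections.singleton(READ)));
        perms.put("alice", alice);
        perms.put("bob", bob);
        return perms;
    }

    // Usage (assumed SessionFactory):
    //   Session s = sessionFactory.openSession(
    //       new AccessControlInterceptor(currentUser, samplePermissions()));
    //   s.delete(order);   // as bob: CallbackException, the delete is never scheduled
}
```

Because the decision is taken inside the callback, the same object reached through a get(), a load() or an entity-returning find() is checked in one place, which is the advantage over per-call checks; the price is that anything Hibernate answers without instantiating the entity (projections, scalar results) goes unchecked, so this covers only the part of the problem the thread's second post already scopes.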
 
 Post subject:
PostPosted: Thu Jan 29, 2004 6:31 pm 
Hibernate Team

Joined: Sun Sep 14, 2003 3:54 am
Posts: 7256
Location: Paris, France
In the 2.2 branch there is a work-in-progress HQL parser implementation.

_________________
Emmanuel


 
 Post subject:
PostPosted: Fri Mar 05, 2004 11:43 am 
Newbie

Joined: Fri Mar 05, 2004 11:20 am
Posts: 5
Hi Myk,
I have a similar problem and the only solution I can find is to parse the HQL like you said. Have you solved all your problems? I'd like to write the query in the XML mapping file and then add HQL to restrict the query, but I'd like to have a parser that permits managing the queries in an object-oriented way.
Do you know when release 2.2 of Hibernate will be released?

enqnck


 
 Post subject:
PostPosted: Fri Mar 05, 2004 2:08 pm 
CGLIB Developer

Joined: Thu Aug 28, 2003 1:44 pm
Posts: 1217
Location: Vilnius, Lithuania
It must be better to use native RDBMS security, if security is important for your app.

session.connection().executeUpdate("DROP DATABASE");

Interceptor will not help to protect your db if your app runs as a privileged user.


 
 Post subject:
PostPosted: Thu Mar 18, 2004 5:27 am 
Newbie

Joined: Fri Mar 05, 2004 11:20 am
Posts: 5
I was not so clear in my question.
Mine is an application security problem, not a database security problem. The user connected to a system should not view some data, but the application that manages the security for the system can view that data. So I'm looking for a way to know, inside a system, when some data can't be viewed by a user; then the system will decide what to do.


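One way to do what enqnck describes at the application layer, as an added example that is not taken from the thread or from Hibernate itself: every read of a given entity is built through one helper that attaches the calling user's visibility restriction, so the restriction becomes part of the SQL that runs instead of a veto applied after the rows are already loaded. It assumes Hibernate 2.x's Criteria API (net.sf.hibernate.Criteria, net.sf.hibernate.expression.Expression), a hypothetical Order entity with an ownerId property mapped elsewhere, and a hypothetical VisibilityPolicy interface that maps an entity class and user to the Criterion that user is allowed to see.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import net.sf.hibernate.Criteria;
import net.sf.hibernate.HibernateException;
import net.sf.hibernate.Session;
import net.sf.hibernate.expression.Criterion;
import net.sf.hibernate.expression.Expression;

/** Hypothetical entity; its mapping (orders table, owner_id column) is assumed to exist. */
class Order {
    private Long id;
    private String ownerId;
    private double amount;
    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getOwnerId() { return ownerId; }
    public void setOwnerId(String ownerId) { this.ownerId = ownerId; }
    public double getAmount() { return amount; }
    public void setAmount(double amount) { this.amount = amount; }
}

/** Decides, per entity class, which rows a user may see (hypothetical interface). */
interface VisibilityPolicy {
    /** null means "no restriction"; throwing means "this entity is not queryable by this user". */
    Criterion restrictionFor(Class entityClass, String user) throws HibernateException;
}

/** Constructed sample policy: admins see everything, everyone else only their own orders. */
class OwnerOnlyPolicy implements VisibilityPolicy {
    private final Set admins = new HashSet();

    public OwnerOnlyPolicy(String[] adminUsers) {
        for (int i = 0; i < adminUsers.length; i++) admins.add(adminUsers[i]);
    }

    public Criterion restrictionFor(Class entityClass, String user) throws HibernateException {
        if (admins.contains(user)) return null;
        if (entityClass == Order.class) return Expression.eq("ownerId", user);
        // Fail closed: an entity with no rule must not silently become world-readable.
        throw new HibernateException("no visibility rule for " + entityClass.getName());
    }
}

/**
 * Every read for the current user goes through this helper, so the user's
 * restriction is in the where-clause that executes, not checked afterwards.
 */
public class UserScopedQuery {
    private final Session session;
    private final String user;
    private final VisibilityPolicy policy;

    public UserScopedQuery(Session session, String user, VisibilityPolicy policy) {
        this.session = session;
        this.user = user;
        this.policy = policy;
    }

    /** A Criteria already carrying the user's restriction; callers add their own criteria on top. */
    public Criteria criteriaFor(Class entityClass) throws HibernateException {
        Criteria criteria = session.createCriteria(entityClass);
        Criterion restriction = policy.restrictionFor(entityClass, user);
        if (restriction != null) {
            criteria.add(restriction);
        }
        return criteria;
    }

    /** Convenience: every row of the entity the user is allowed to see. */
    public List listVisible(Class entityClass) throws HibernateException {
        return criteriaFor(entityClass).list();
    }

    // Usage (assumed open Session):
    //   UserScopedQuery q = new UserScopedQuery(session, "bob",
    //                                           new OwnerOnlyPolicy(new String[] {"root"}));
    //   List mine = q.criteriaFor(Order.class)
    //                .add(Expression.gt("amount", new Double(100)))
    //                .list();   // owner_id = ? and amount > ?, both bound as parameters
}
```

This only closes the hole for code that uses the helper: a hand-written session.find() with its own HQL still bypasses it, which is exactly the gap the thread is about, so it complements whatever veto sits in Lifecycle or an Interceptor rather than replacing it. The fail-closed branch in the policy is deliberate; a new entity added without a rule then produces an error on the first query rather than an unrestricted result set.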
 
© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.