All times are UTC - 5 hours [ DST ]



 Post subject: Parameterized filters and session.load
PostPosted: Thu Jan 06, 2005 10:02 am 
Newbie

Joined: Thu Jan 06, 2005 9:55 am
Posts: 3
Hibernate version: 3.0 beta

Mapping documents:
<class name="TestFilterEntity1" table="TEST_ENTITY_1">
    <id name="id" type="string" column="ID">
        <generator class="uuid.hex"/>
    </id>
    <property name="name" column="NAME" type="string"/>
    <property name="userId" column="USER_ID" type="string"/>
    <filter name="filter_1" condition=":userId = USER_ID">
    </filter>
</class>
<filter-def name="filter_1">
    <filter-param name="userId" type="string"/>
</filter-def>


Code between sessionFactory.openSession() and session.close():

Filter filter = session.enableFilter("filter_1");
filter.setParameter("userId", "user_1");
session.load(TestFilterEntity1.class,"1");

The generated SQL (show_sql=true):

select testfilter0_.id as id0_,
testfilter0_.name as name5_0_,
testfilter0_.user_id as user_id5_0_ from TEST_ENTITY_14 testfilter0_ where testfilter0_.id=?


 Post subject:
PostPosted: Thu Jan 06, 2005 10:08 am 
Newbie

Joined: Thu Jan 06, 2005 9:55 am
Posts: 3
Continued:

The problem is that Hibernate does not apply the filter on session.load(), but does apply the filter on session.createFilter().list().

Is there any solution for this problem?


 Post subject:
PostPosted: Thu Jan 06, 2005 11:52 am 
Hibernate Team

Joined: Tue Sep 09, 2003 2:10 pm
Posts: 3246
Location: Passau, Germany
It's a load by id, it does not make much sense to filter there (there is just one object with a certain id) ... just use a find.


 Post subject:
PostPosted: Thu Jan 06, 2005 3:25 pm 
Hibernate Team

Joined: Sun Sep 14, 2003 3:54 am
Posts: 7256
Location: Paris, France
It may make sense for a security filter.

_________________
Emmanuel


 Post subject:
PostPosted: Thu Jan 06, 2005 4:11 pm 
Hibernate Team

Joined: Tue Sep 09, 2003 2:10 pm
Posts: 3246
Location: Passau, Germany
Yes, kinda ... that issue already existed with class-level where attributes AFAIK. I guess you just have to stick to find ...


 Post subject:
PostPosted: Fri Jan 07, 2005 5:23 am 
Newbie

Joined: Thu Jan 06, 2005 9:55 am
Posts: 3
Hi all.

We want to use filters as security filters.
The main idea is to define the filter only in the Entity class, so that Hibernate uses this filter on all operations: load, find, and applying to inner collections inside the entity.

We have a set of objects (Folder, Container …) which can contain collections of other objects (Document). So in the Hibernate mapping we need to define the same filter for each inner collection, and it is inconvenient to define the same condition for every collection; maybe it can be done in one place?

For example, we have entities Folder and Document. For the Document entity a filter is defined, which restricts access based on userName. It would be nice to have some attribute in the entity filter that defines that this filter must be applied to all operations with the entity (loading a single folder, we receive only those documents that are allowed for the current user).


Deniss.


 Post subject:
PostPosted: Fri Jan 07, 2005 8:24 am 
Hibernate Team

Joined: Tue Aug 26, 2003 6:10 am
Posts: 8615
Location: Neuchatel, Switzerland (Danish)
It actually also makes very much sense if we want to achieve being able to activate a "historic session" that can go back in time...

Otherwise we have to tell users not to use load/get but always find or Criteria to allow easy "go back in time" features... kind of limiting, is it not?

_________________
Max
Don't forget to rate


 Post subject: any further ideas on security filter usage with load?
PostPosted: Mon Apr 18, 2005 12:04 pm 
Newbie

Joined: Mon Apr 18, 2005 11:57 am
Posts: 2
I'm trying to use Hibernate filters as a security filter and I'd like to know if something is being done on that. The suggestion to use find instead of load seems a bit odd since find is deprecated. Any other ideas?
Thanks.


 Post subject:
PostPosted: Mon Apr 18, 2005 1:55 pm 
Hibernate Team

Joined: Tue Aug 26, 2003 3:00 pm
Posts: 1816
Location: Austin, TX
find() itself has been deprecated because it is just a short-hand for createQuery().list(). Obviously querying has not been deprecated...


 Post subject: any further ideas on security filter usage with load?
PostPosted: Mon Apr 18, 2005 2:36 pm 
Newbie

Joined: Mon Apr 18, 2005 11:57 am
Posts: 2
What I'd like to be able to do is use filters as a security enforcement (on get or load as well as on queries). I want to avoid running queries to load objects by id.


 Post subject:
PostPosted: Mon Apr 18, 2005 5:07 pm 
Expert

Joined: Sat Jan 17, 2004 2:57 pm
Posts: 329
Location: In the basement in my underwear
Yeah, we noticed the same thing with the load. We use filters extensively for 'go back in time', 'go ahead in time' and 'hell, go anywhere in time' functionality and have to be careful with loading by the primary key as a record may exist today but not tomorrow and then exist again the day after.


 Post subject:
PostPosted: Tue Apr 19, 2005 1:38 pm 
Regular

Joined: Tue Mar 22, 2005 2:27 am
Posts: 62
I agree that it would make sense to at least have the option to enable filters for load/get, especially for the above-mentioned security use-cases.

Could a JIRA task for this RFE be created to give users a chance to vote for and/or contribute to this effort?


 Post subject:
PostPosted: Thu May 26, 2005 4:20 pm 
Newbie

Joined: Fri Oct 15, 2004 9:42 am
Posts: 3
Have read this thread and am having a problem similar to that of the poster. (I would like all references to User objects in my application to load/find only ACTIVE users).

This discussion begs the question (which I don't think is answered in the documentation): What does it mean to apply a class-level filter? I assumed this meant that anywhere the class was referenced (load / find / query / criteria / associated collection / etc) it would be filtered (I'm working on a security app and this would be ideal). If I wanted something less global, then I could specify a filter at the association or query level.

Can the doc be updated to clarify the intent of class-level filters and list all the instances where such a filter is applied? I see createQuery().list() above - are there others? Thanks.


 Post subject:
PostPosted: Thu May 26, 2005 5:07 pm 
Expert

Joined: Sat Jan 17, 2004 2:57 pm
Posts: 329
Location: In the basement in my underwear
I'll answer that: class level only applies if you load that class. It does not apply to associations. Although, I kind of wish it did :D


 Post subject: filter and security
PostPosted: Thu May 26, 2005 6:39 pm 
Newbie

Joined: Thu May 26, 2005 6:31 pm
Posts: 19
We are also trying to use Hibernate filters to implement the security features of our system. What we need is not only search/query, but also create, update and delete.

Based on my testing results and the information here, I think the idea is questionable. I just want to confirm here.

Hibernate filters only work for query actions (session.createQuery(), query.list) and do not work for search by primary key (session.load), update and delete.

Ideally, we need the filter to also work for update and delete. For security purposes, you only allow a user to update or delete entities belonging to him.

Am I right? If yes, is there a better workaround besides manually changing the HQL query (if possible)?

thanks!
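
Added example (not part of the original posts and not Hibernate's own code): one way to keep by-id access inside the owner restriction discussed in this thread, by routing lookups through a query, which the thread reports is filtered, and by checking ownership explicitly where get() is used. OwnerScopedAccess and its method names are hypothetical; TestFilterEntity1 and filter_1 come from the first post's mapping, and a getUserId() accessor on the entity is assumed.

```java
import org.hibernate.Filter;
import org.hibernate.Query;
import org.hibernate.Session;

// Hypothetical helper, not a Hibernate API. Assumes the thread's mapping
// (TestFilterEntity1, filter_1) and a getUserId() accessor on the entity.
public final class OwnerScopedAccess {
    private final Session session;
    private final String currentUserId;

    public OwnerScopedAccess(Session session, String currentUserId) {
        this.session = session;
        this.currentUserId = currentUserId;
        // filter_1 restricts queries only; load()/get() by id ignore it.
        Filter filter = session.enableFilter("filter_1");
        filter.setParameter("userId", currentUserId);
    }

    // By-id lookup expressed as a query, so the filter condition is added to
    // the WHERE clause. Returns null if the row is absent or filtered out.
    public TestFilterEntity1 findById(String id) {
        Query q = session.createQuery("from TestFilterEntity1 e where e.id = :id");
        q.setParameter("id", id);
        return (TestFilterEntity1) q.uniqueResult();
    }

    // For callers that must use get(): verify ownership explicitly.
    public TestFilterEntity1 getChecked(String id) {
        TestFilterEntity1 e = (TestFilterEntity1) session.get(TestFilterEntity1.class, id);
        if (e != null && !currentUserId.equals(e.getUserId())) {
            session.evict(e); // do not leave another user's row in the session
            throw new SecurityException("not owner of entity " + id);
        }
        return e;
    }

    // Update and delete are not filtered either: resolve the target through
    // the filtered lookup first and refuse when it is not visible.
    public void deleteOwned(String id) {
        TestFilterEntity1 e = findById(id);
        if (e == null) {
            throw new SecurityException("entity " + id + " not visible to current user");
        }
        session.delete(e);
    }
}
```

getChecked repeats the filter condition in Java, so it has to be kept in step with the condition in the mapping.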

