
All times are UTC - 5 hours [ DST ]



 Post subject: HowTo: intercept finds, gets... + add extra sql statements
Posted: Thu Feb 23, 2006 10:58 am
Newbie

Joined: Mon Dec 22, 2003 4:49 am
Posts: 16
What I'm trying to find is a transparent way to do instance level security.
I have some entities, let's name them X, Y and Z. Those entities are linked to a table called ROLES; the latter is an n-n table which refers to the actual permissions table, so you have something like:
- X <-- X,1 --> 1

I do NOT want to add an extra where or join clause, which contains the security statements, to each entity X, Y... lookup. So I'm trying to find a transparent way to achieve my goal.

I've looked at interceptors (onPrepareStatement(sql)), but as far as I know I can't really see what action or entity is being intercepted (and I don't want to scan the sql string for keywords). What I'm looking for is something like this:

- intercept database call
- check if it is the entity you want to adjust
- check if the event is a find, get ...
- add the extra statements to the sql statement

Is something like this achievable within Hibernate? Can eventListener be used for this, and if so, how?

Grtz


Posted: Mon Feb 27, 2006 6:32 pm
Expert

Joined: Thu Dec 23, 2004 9:08 pm
Posts: 2008
You can use interceptors (3.1 ref docs section 12). I use event listeners for this: predelete, preinsert, preupdate and postload. That way I'm ensuring that I don't accidentally load something belonging to a different user, and I don't change the userid and save my data over a different user's. However, my technique assumes that all the queries have been written responsibly: the security stuff just throws a hissy fit and shuts down the session if someone is found to be violating security.

If all your tables (that are relevant to your permission stuff) follow a strict naming scheme (e.g. it's always the "OwnerId" column that specifies the owning user), then you can use filters on your mappings to ensure that an additional bit is added to your where clause. This would happen in memory, on the result set, after the query is run, but before the objects are returned to you. Check out section 17, Filters, in the 3.1 ref docs. You can also implement this in a more limited way using the where attribute of some elements (class, set, map, list, bag, idbag.. I think that's it).


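The filter approach from the reply above, as an added example that is not part of the original thread. It assumes Hibernate 3.x to 5.x with annotation mappings; the `Document` entity, the `ownerFilter` name and the `OwnerScopedReads` helper are hypothetical, and `OwnerId` is the column name used in the reply.

```java
// Added example, not code from the thread. Assumes Hibernate 3.x-5.x
// (javax.persistence, string-typed @ParamDef). Names are hypothetical.
import java.util.List;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;

@Entity
@FilterDef(name = "ownerFilter",
           parameters = @ParamDef(name = "ownerId", type = "long"))
@Filter(name = "ownerFilter", condition = "OwnerId = :ownerId")
class Document {
    @Id Long id;
    @Column(name = "OwnerId") Long ownerId;
    String title;
}

final class OwnerScopedReads {
    // Call once per Session, right after opening it, with the id of the
    // authenticated user. Filters are disabled by default on every new Session.
    static void scope(Session session, long currentUserId) {
        session.enableFilter("ownerFilter")
               .setParameter("ownerId", currentUserId);
    }

    // The query carries no security clause of its own; with the filter enabled,
    // Hibernate adds the condition to the SQL it generates for Document.
    static List<?> listDocuments(Session session) {
        return session.createQuery("from Document").list();
    }

    // Enabled filters are not applied to lookups by identifier (get/load),
    // so a direct fetch needs an explicit ownership check.
    static Document getDocument(Session session, long id, long currentUserId) {
        Document d = (Document) session.get(Document.class, id);
        if (d != null && !Long.valueOf(currentUserId).equals(d.ownerId)) {
            throw new SecurityException("document " + id + " is not owned by the current user");
        }
        return d;
    }
}
```

With hbm.xml mappings the same definition is written with the `filter-def` and `filter` elements covered in the Filters section of the reference docs.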
 