-->
These old forums are deprecated now and set to read-only. We are waiting for you on our new forums!
More modern, Discourse-based and with GitHub/Google/Twitter authentication built-in.

All times are UTC - 5 hours [ DST ]



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 2 posts ] 
Author Message
 Post subject: Hibernate Filters and retrieval by id
PostPosted: Sun Mar 23, 2008 6:41 pm 
Newbie

Joined: Sun Mar 23, 2008 6:23 pm
Posts: 3
Hello,

I am using Hibernate with Seam to build a prototype for a multi-tenant application.

Things are working well thanks to the integration of Hibernate filters within Seam.

Now, one drawback in the current set-up is that users can still fetch entities that do not correspond to their tenant filter criteria. This is wanted behaviour as discussed previously in this forum and stated in the book:

Quote:
Retrieval by identifier can’t be restricted with a dynamic data filter. It’s alsoconceptually wrong: If you know the identifier of an Item, why shouldn’t you beallowed to see it? The solution is to filter the identifiers—that is, not expose identifiers that are restricted in the first place


Filters actually do a good job in not exposing identifiers that are restricted, but what about simply guessing of identifiers in requests (e.g. to a Seam HomeObject that will return the entity). Guessing can be very simple if I look at the parameters that are exposed to me and change them according to common identifier logic... alternatively brute force guessing would also expose entities that schould be hidden.

So how can the access be restricted to Objects that fullfil my filter criteria, even if they are accessed "by identifier"?

I've found quite some discussions on this topic but no real solution for a secure implemetation! Any help appreciated!


Top
 Profile  
 
 Post subject:
PostPosted: Mon Mar 24, 2008 9:34 am 
Newbie

Joined: Sun Mar 23, 2008 6:23 pm
Posts: 3
Hi,

I now have a working solution based on EJB 3.0 entity listeners.

The entity class now has a method annotated @PostLoad:
Code:
@PostLoad
   public void securityCheck(){
      user = (MyUser) Contexts.getSessionContext().get("user");
      boolean owns= this.client_id.equals(user.getTenantID());
      if(!owns){
         // this entity does not exist for the logged-in user
         throw new EntityNotFoundException(this.id, this.getClass());
      }
   }


I would be glad if someone with more hibernate experience could comment on this as an appropriate design for the problem.

thx, Chris


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 2 posts ] 

All times are UTC - 5 hours [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.