
All times are UTC - 5 hours [ DST ]



 Post subject: Dynamic Criteria Query
PostPosted: Mon Dec 27, 2004 7:22 pm 
Newbie

Joined: Mon Dec 27, 2004 6:56 pm
Posts: 2
Hibernate version:
2.1.7

I have been racking my brain trying to find a good way to create a criteria query from some dynamically stored values, i.e. from a database record.

I am trying to set up a piece of my application to allow the users to create 'views' of their data based on properties of the data they are attempting to view. These views can and will be dynamically created by means of exposing a sort of search definition page that will allow the user to define the criteria of their view based on said data's properties. The application would then be able to persist these view definitions into a database record for later retrieval by the user.

The security infrastructure the application is utilizing is based on criteria queries. Basically every query that has the possibility to return 'secure' data is passed as a parameter to a method on my DAO manager class that takes a CriteriaQuery and dynamically applies new Criteria or Expressions to the passed in CriteriaQuery to perform security filtration on the resulting collection of objects. This method allows the application to dynamically adjust security settings during runtime and allows for fine-grained control of security on every domain object. It also provides an increase in performance when the application has to 'page' data since it does not have to perform more than one query, i.e. one query for the objects that match the criteria and another to filter out the objects that the current user does not have access rights to, then filter the resulting collection based on which page the user is on.

My idea for a solution to this problem was to simply store the query as an hql string in the database and then 'hydrate' the string into a new CriteriaQuery every time I needed it. Well this turned out to be quite a task. Since there is currently no way that I know of to go from hql string to a new CriteriaQuery I started down the road of attempting to write a small parser that would handle only the few situations that I needed. Then I thought 'why write a new parser, one already exists in the hibernate core classes, I'll just use that one or at least pieces of it'. Well, I have been completely humbled. I know squat about writing parsers and even less about ANTLR and AST and Lexers and such. So I am wondering if anyone has tried to do something similar to this in the past and might have some ideas about how I could proceed. Or maybe someone who knows ANTLR very well might be enterprising enough to tackle this problem or at least give me some pointers on how I accomplish this task using ANTLR.

Thanks for your time,

Tim Pouyer


 Post subject:
PostPosted: Tue Dec 28, 2004 3:14 am 
Hibernate Team

Joined: Tue Aug 26, 2003 6:10 am
Posts: 8615
Location: Neuchatel, Switzerland (Danish)
HQL != Criteria API

so building Criteria from HQL is not the way to go....

a better (but almight also crazy) way could be to store the criteria as a beanshell scripts ?


I would though recommend using a less powerful representation if at all possible ...

_________________
Max
 Post subject:
PostPosted: Tue Dec 28, 2004 9:58 am 
Newbie

Joined: Mon Dec 27, 2004 6:56 pm
Posts: 2
I thought about going that route as well. It seems like a fairly straightforward way to solve the problem, but my only concern would be security. If I were to build a string representation of the script that would be executed on the client side and then send that script across the wire to the server side to be executed it could be hacked just the same as SQL injection, i.e. anyone who was smart enough to figure out that I was using some form of scripting language on the server side could possibly find a way to inject their own version of the script that, if I did not filter correctly, could open up a huge security hole.

This might be my best solution though. I just might have to spend the extra time to make sure that the above security hole would not be exposed.

Thanks for your reply, I appreciate the help.

Tim Pouyer
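
The "less powerful representation" suggested in the thread, sketched as an added example that is not code from either poster or from Hibernate: a stored view definition that can only name allow-listed properties and operators, so nothing in it is ever executed. The class, the `property|OP|value;...` stored format and the `status`/`priority` properties are hypothetical; each accepted condition would then be turned into one Criteria restriction (for instance `Expression.eq`) with the value bound as a parameter, before the DAO adds its security criteria.

```java
import java.util.*;

/** Added example: a declarative view definition validated against allow-lists. */
public class ViewDefinition {
    enum Op { EQ, GT, LT, LIKE }

    /** One validated condition; the value is only ever bound as data, never evaluated. */
    static final class Condition {
        final String property; final Op op; final Object value;
        Condition(String p, Op o, Object v) { property = p; op = o; value = v; }
        @Override public String toString() { return property + " " + op + " " + value; }
    }

    // Hypothetical domain: the properties a user may filter on, with their types.
    static final Map<String, Class<?>> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("status", String.class);
        ALLOWED.put("priority", Integer.class);
    }

    /** Parses the stored form and rejects anything that is not allow-listed. */
    static List<Condition> parse(String stored) {
        List<Condition> out = new ArrayList<>();
        for (String part : stored.split(";")) {
            String[] f = part.split("\\|", 3);
            if (f.length != 3) throw new IllegalArgumentException("malformed condition");
            Class<?> type = ALLOWED.get(f[0]);
            if (type == null) throw new IllegalArgumentException("property not allowed: " + f[0]);
            Op op = Op.valueOf(f[1]); // IllegalArgumentException on an unknown operator
            if (type == Integer.class) {
                if (op == Op.LIKE) throw new IllegalArgumentException("LIKE needs a string property");
                out.add(new Condition(f[0], op, Integer.valueOf(f[2]))); // NumberFormatException is an IAE
            } else {
                out.add(new Condition(f[0], op, f[2])); // kept as a literal string value
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate view and three tampered ones.
        String[] samples = { "status|EQ|open;priority|GT|3", "priority|GT|3 or 1=1",
                             "password|LIKE|%", "status|EXEC|x" };
        for (String s : samples) {
            try { System.out.println("accepted: " + parse(s)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Only the first sample is accepted; the others fail on the integer type check, the property allow-list and the operator enum respectively, which is the filtering the script-based approach would have to reimplement by hand.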

