Hibernate listener

wSam · **Joined:** Fri Jun 23, 2006 6:28 am **Posts:** 22

Hi

I'm creating a hibernate plugin to encrypt and decrypt some hibernate objects. This plugin must be functional without to change code in an existing web application (only via some configuration changes).

I think that the listener concept is the right thing for me, so I decidec to implement own listeners wo extends the LoadEventListener and SaveOrUpdateEventListener from hibernate. Is this the right appendage?

The only problem with the listener is, that I must be able to pass a password to the encryption service for encrypting and decrypting the hibernate object.

How can I pass such a password to the listener?

Ananasi · **Posted:** Fri Apr 27, 2007 9:01 am

Listeners are singletons, not really going to suit your need out of the box. You might be better off with an interceptor, because you can pass data in the constructor (e.g. sessionFactory.openSession(new EncryptionInterceptor(myPasswordHash))) of a session scoped interceptor.

Unfortunately (and I just faced the same problem), you do have to refactor the way your application obtains sessions (cannot use getCurrentSession). Well, I did not like that solution much (I like contextual sessions), so I implemented a ThreadLocal Holder to store data in such a way as to be accessible to other classes during a servlet filter chain. If something like this would help you, I can post some code. It feels a little 'hacky' to do this and potentially breaks encapsulation, but I used it for a cross-cutting concern (security and auditing), so it was either that or AOP.

christian · **Posted:** Fri Apr 27, 2007 9:41 am

Quote:

Unfortunately (and I just faced the same problem), you do have to refactor the way your application obtains sessions (cannot use getCurrentSession)

Of course you can. The CurrentSessionContext is just an interface that comes with three implementations out of the box. You can replace or extend the existing implementations, e.g. to open an interceptor with some arguments when a "current Session" begins.

wSam · **Joined:** Fri Jun 23, 2006 6:28 am **Posts:** 22

The ThreadLocal holder sounds interesstig. I would be thankful when you could post some code yes :-).

Hmm, and why would this be a little hacky? (Im a noob ;-))

Greets and the credits are waiting ;-)

wSam · **Joined:** Fri Jun 23, 2006 6:28 am **Posts:** 22

christian wrote:

Of course you can. The CurrentSessionContext is just an interface that comes with three implementations out of the box. You can replace or extend the existing implementations, e.g. to open an interceptor with some arguments when a "current Session" begins.

Hmm. Have you an example, it sounds a little bit difficult. But if that works ....sounds good.

Ananasi · **Posted:** Fri Apr 27, 2007 10:16 am

christian wrote:

Of course you can. The CurrentSessionContext is just an interface that comes with three implementations out of the box. You can replace or extend the existing implementations, e.g. to open an interceptor with some arguments when a "current Session" begins.

I simplifed my example a bit, there were other considerations in my case. It still comes down to how to inject the interceptor (even in the contextual session handling) with prototype instances contained in another layer.

Ananasi · **Posted:** Fri Apr 27, 2007 10:33 am

wSam wrote:

The ThreadLocal holder sounds interesstig. I would be thankful when you could post some code yes :-).

Holder (static class, singleton):

Code:

public class EncryptionPasswordHolder {

   private static ThreadLocal<String> passwordHolder = new ThreadLocal<String>();
   
   public static void clearPassword() {
      passwordHolder.set(null);
   }
   
   public static String getPassword() {
      return passwordHolder.get();
   }
   
   public static void setPassword(String password) {
      if (password != null) {
         passwordHolder.set(password);
      }
   }
}

Usage in an servlet filter (note: the code is vastly simplified, I leave it to you to null-safe, type check and all the other ancilliary aspects):

Code:

   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
         throws IOException, ServletException {
      HttpSession httpSession = ((HttpServletRequest) request).getSession();
      if (httpSession != null) {
         // Obtain your password here, this example retrieves from a session attribute
         String password = (String) httpSession.getAttribute(sessionAttribute);

         if (password != null) {
               EncryptionPasswordHolder.setPassword(password);
         }
      }
      try {
         // now the password is accessible to classes running inside of this filter via
         // EncryptionPasswordHolder.getPassword()
         chain.doFilter(request, response);
      } finally {
         // Clean up
         EncryptionPasswordHolder.clearPassword();
      }
   }

Ananasi · **Posted:** Fri Apr 27, 2007 10:57 am

Thinking on Christian's thoughts a bit more, there's no reason you cannot incorporate the ThreadLocal holder into the CurrentSessionContext implementation. Something like:

Code:

public class MyThreadLocalSessionContext extends ThreadLocalSessionContext {
   private static ThreadLocal<String> passwordHolder = new ThreadLocal<String>();

   public static void clearPassword() {
      passwordHolder.set(null);
   }

   public static String getPassword() {
      return passwordHolder.get();
   }

   public static void setPassword(String password) {
      if (password != null) {
         passwordHolder.set(password);
      }
   }

   @Override
   protected Session buildOrObtainSession() {
      return factory.openSession(new PasswordInterceptor(getPassword()));
   }

}

vamsee.priya · **Joined:** Mon Jun 08, 2009 2:33 am **Posts:** 5

Hi all

I am facing a problem while trying a to incorporate audit log.
I tried the above approach of having my own implementation of CurrentSessionContext

with that i get the following error

Quote:

org.hibernate.HibernateException: isConnected is not valid without active transaction

when i try to get the session object using the following code

Code:

   protected Session getSession() {
      if (session == null) {
         session = HibernateUtil.getSessionFactory().getCurrentSession();
      } else if (!session.isConnected()) {
         session = HibernateUtil.getSessionFactory().getCurrentSession();
      }
      return session;
   }

Posted my query at the below link
https://forum.hibernate.org/viewtopic.php?f=1&t=997455