
All times are UTC - 5 hours [ DST ]



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 10 posts ] 
Author Message
 Post subject: Evolved security filter with Hibernate
PostPosted: Fri Mar 19, 2010 9:28 am 
Newbie

Joined: Wed Mar 10, 2010 10:38 am
Posts: 9
Hello,

I'm trying to build a custom security filter to implement a row level access control with Hibernate Search.

In my case, we have an Entry table containing a group_id foreign key referencing another table associating members by group.
Is it possible to build a filter referencing data contained in another indexed table?
For example, I would like to filter all entries related to a given user.

I've been searching for many hours, and I only found filters based on a field of the same table.

Thanks


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Sat Mar 20, 2010 10:44 am 
Hibernate Team

Joined: Thu Apr 05, 2007 5:52 am
Posts: 1689
Location: Sweden
If your query returns Entry instances you need to index your filter criteria as part of Entry index. Think about it this way - your Lucene query will return Documents created for Entry instances. If you want to filter them you need to filter on something in these documents.
Don't you have an association between Entry and User? What does your model look like and how do you index it?

--Hardy


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Sun Mar 21, 2010 5:25 pm 
Newbie

Joined: Wed Mar 10, 2010 10:38 am
Posts: 9
In this model I've got 4 tables:
Entity : id, title, body, group_id
Group : id, name
User : id, name
Member (association) : id, group_id, user_id

I would like to display results allowed by one user.

Do I have to flatten my database and create one Entity entry per user?

Thanks


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Sun Mar 21, 2010 5:32 pm 
Hibernate Team

Joined: Thu Apr 05, 2007 5:52 am
Posts: 1689
Location: Sweden
You are thinking in a very database-centric way. Hibernate and Hibernate Search are all about abstracting from the database structure and thinking about entities. How do they look in your case? Do you already have annotated entities? If so, post them.

Generally, when you index an instance of Entity you want to index all user ids which have access to this entity as well. How you do that depends on your entity model. Depending on your associations you might be able to use @IndexedEmbedded. Alternatively, you could maybe use a custom field or class bridge.

--Hardy


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Tue Mar 23, 2010 6:15 am 
Newbie

Joined: Wed Mar 10, 2010 10:38 am
Posts: 9
You're right, I didn't see the @IndexedEmbedded part of the online documentation.

Now I can access [entity].group.users.name in my Lucene query.

Do you know if there is a "Max Level Limit" with using @IndexedEmbedded?
I mean I'm trying to create a SubGroup class using the same template and it doesn't work.

Is this normal?

Thanks


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Tue Mar 23, 2010 6:22 am 
Newbie

Joined: Wed Mar 10, 2010 10:38 am
Posts: 9
Sorry, I didn't rebuild my index :)

Now it works. Thank you, Hardy!


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Tue Mar 23, 2010 6:30 am 
Hibernate Team

Joined: Fri Oct 05, 2007 4:47 pm
Posts: 2536
Location: Third rock from the Sun
Glad you solved it. To answer your previous question:
Quote:
Do you know if there is a "Max Level Limit" with using @IndexedEmbedded?

Yes, there is, and look out for it on complex graphs:
Code:
@IndexedEmbedded(depth=N)

_________________
Sanne
http://in.relation.to/


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Tue Mar 23, 2010 7:25 am 
Newbie

Joined: Wed Mar 10, 2010 10:38 am
Posts: 9
Thanks for the answer.

Actually, I've almost got what I wanted to do, but there's still something blocking me.

Here is my model:
Message: long id, String title, String body, Office office
Office: long id, String name, Set<Group> groups, Set<Message> messages
Group: long id, String name, Set<Person> members, Set<Domain> domains
Person : long id, String name

I would like to get all Messages for a Person X belonging to a Group Y.
My index seems to contain a sort of "Cross Join", and when I query it, it shows me all Messages linked to an Office containing X and having a group named Y.

Do you know how I can avoid losing this link?

Thank you


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Tue Mar 23, 2010 8:24 am 
Hibernate Team

Joined: Thu Apr 05, 2007 5:52 am
Posts: 1689
Location: Sweden
You really have to post the annotated entities and the query you are trying to run. Depending on how you map your entities to Lucene documents the query might differ.


 
 Post subject: Re: Evolved security filter with Hibernate
PostPosted: Tue Mar 23, 2010 8:59 am 
Newbie

Joined: Wed Mar 10, 2010 10:38 am
Posts: 9
OK, these are my entities:

Code:
@Entity
@Indexed
public class Message{

   @Id
   @DocumentId
   @GeneratedValue
   private long id;
   @IndexedEmbedded
   private MailOffice mailOfficeBySentTo;
   @IndexedEmbedded
   private MailOffice mailOfficeBySentBy;
   @Field
   private String subject;
   @Field
   private String body;
...
}

@Entity
public class MailOffice{

   @Id
   @DocumentId
   @GeneratedValue
   private long id;
   @Field
   private String name;
   @IndexedEmbedded
   private Set<Domain> domains = new HashSet<Domain>(0);
   @ContainedIn
   private Set<Message> messagesForSentBy = new HashSet<Message>(0);
   @ContainedIn
   private Set<Message> messagesForSentTo = new HashSet<Message>(0);
...
}

@Entity
public class Domain{

   @Id
   @DocumentId
   @GeneratedValue
   private long id;
   private MailOffice mailOffice;
   @Field
   private String name;
   @IndexedEmbedded
   private Set<Member> members = new HashSet<Member>(0);
   @ContainedIn
   private Set<Message> messages = new HashSet<Message>(0);
...
}

@Entity
public class Member {
   @Id
   @DocumentId
   @GeneratedValue
   @Field
   private long id;
   @ContainedIn
   private Domain domain;
   @IndexedEmbedded
   private Person person;
...
}

@Entity
public class Person{
   @Id
   @DocumentId
   @GeneratedValue
   private long id;
   private String dn;
   @Field(store=Store.YES)
   private String commonName;
   @ContainedIn
   private Set<Member> members = new HashSet<Member>(0);
...
}


My "Member" entity is just an association. I know it shouldn't be an object, I will correct it later :)

The request I'm doing is:
Code:
mailOfficeBySentBy.domains.members.person.commonName:X AND mailOfficeBySentBy.domains.name:Y


It may be noob stuff... Thanks again for your help.


Top
 Profile  
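The "cross join" reported in the last posts, shown as an added example that is not part of the thread: embedding flattens every domain and every member of an office into multi-valued fields of one Message document, so the two-clause query can match a person from one domain and the name of another, which lets a row-level filter admit a document it should reject. The code is a plain-JDK simulation, not Hibernate Search or Lucene API; the `acl` field, the `/` separator and the sample data are assumptions made for illustration.

```java
import java.util.*;

public class FlattenedAclDemo {
    static final String NAME = "mailOfficeBySentBy.domains.name";
    static final String PERSON = "mailOfficeBySentBy.domains.members.person.commonName";
    static final String ACL = "acl"; // hypothetical extra field, e.g. written by a class bridge

    // Flatten office -> domains -> members into one multi-valued document.
    static Map<String, Set<String>> index(Map<String, List<String>> office) {
        Map<String, Set<String>> doc = new HashMap<>();
        for (Map.Entry<String, List<String>> domain : office.entrySet()) {
            add(doc, NAME, domain.getKey());
            for (String person : domain.getValue()) {
                add(doc, PERSON, person);
                add(doc, ACL, domain.getKey() + "/" + person); // keeps the pair together
            }
        }
        return doc;
    }

    static void add(Map<String, Set<String>> doc, String field, String value) {
        doc.computeIfAbsent(field, k -> new HashSet<>()).add(value);
    }

    static boolean hasTerm(Map<String, Set<String>> doc, String field, String value) {
        return doc.getOrDefault(field, Collections.<String>emptySet()).contains(value);
    }

    // The thread's query: two independent term matches on the same document.
    static boolean crossJoinQuery(Map<String, Set<String>> doc, String person, String domain) {
        return hasTerm(doc, PERSON, person) && hasTerm(doc, NAME, domain);
    }

    // Correlated check: a single term that encodes (domain, person).
    static boolean aclQuery(Map<String, Set<String>> doc, String person, String domain) {
        return hasTerm(doc, ACL, domain + "/" + person);
    }

    public static void main(String[] args) {
        // Constructed sample: one office, domain Y holds alice, domain Z holds person X.
        Map<String, List<String>> office = new LinkedHashMap<>();
        office.put("Y", Arrays.asList("alice"));
        office.put("Z", Arrays.asList("X"));
        Map<String, Set<String>> doc = index(office);
        System.out.println("two-clause query, X in Y: " + crossJoinQuery(doc, "X", "Y"));
        System.out.println("acl token query, X in Y:  " + aclQuery(doc, "X", "Y"));
        System.out.println("acl token query, X in Z:  " + aclQuery(doc, "X", "Z"));
    }
}
```

In a real index the combined value has to be indexed as a single un-analyzed term, and stable ids are a safer choice than names for the two halves of the token.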
 
© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.