1. Re: Tricky Q on Hibernate filters and roles
mars1412 Jan 23, 2008 6:22 AM (in response to ericjava) Maybe this helps: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=127041
2. Re: Tricky Q on Hibernate filters and roles
ericjava Jan 23, 2008 6:28 AM (in response to ericjava) Thanks for the reference on that. In this case, I won't use filters. Instead, on my session beans, I'll modify the query: if the user doesn't have the sysadmin role, then add a "domain = ..." condition to every query.
Btw, I really hope that a future release of the EJB spec adds something like the Hibernate Criteria stuff. This thing of putting together EJB-QL strings is a lot nicer than putting together SQL strings, but it's still not object-oriented, and Criteria queries are a much more natural way to express many things.
3. Re: Tricky Q on Hibernate filters and roles
nickarls Jan 23, 2008 6:36 AM (in response to ericjava) "EricJava" wrote:
Btw, I really hope that a future release of the EJB spec adds something like the Hibernate Criteria stuff. This thing of putting together EJB-QL strings is a lot nicer than putting together SQL strings, but it's still not object-oriented, and Criteria queries are a much more natural way to express many things.
There is hope: http://jcp.org/en/jsr/detail?id=317
4. Re: Tricky Q on Hibernate filters and roles
ericjava Jan 23, 2008 6:45 AM (in response to ericjava) "nickarls" wrote:
There is hope: http://jcp.org/en/jsr/detail?id=317
That would be really nice. I can't wait. Criteria-type queries and collections of embedded objects are the two things I want most. Why can't my entities have a boring old Set in them? Let's hope this comes out soon!
5. Re: Tricky Q on Hibernate filters and roles
ericjava Jan 24, 2008 5:05 AM (in response to ericjava) I think I know what I should do.
1. Go ahead and use a filter if I want to, for my convenience, but not as a security mechanism.
2. Put a @Restrict annotation on the entities, and then use JBoss Rules to restrict various operations by roles, etc. So I could say, a sysadmin can look at any object in any domain, but only domain members could look at objects in their domain, and only domain members with write permissions can create, update or delete objects.
Does that sound right?
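The policy sketched in replies 2 and 5, written out as an added example (not code from this thread or from JBoss): reads are scoped to the caller's domains unless the caller has the sysadmin role, and create/update/delete require domain membership with write permission. The checks live in the stateless session bean and use only the EJB3/JPA 1.0 APIs (SessionContext.isCallerInRole, getCallerPrincipal, EntityManager.createQuery), so they hold whether or not a Hibernate filter is enabled on the session; the JBoss Rules/@Restrict layer from reply 5 is replaced here by code. The entity names Asset and DomainMember, the AssetService interface, and the "user" and "sysadmin" role names are assumptions for illustration.

```java
package example.security;

import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.Query;

/**
 * Added example, not code from the thread. Domain scoping is enforced in the bean so it
 * does not depend on a Hibernate filter being enabled. Asset (fields: id, domain, name),
 * DomainMember (fields: username, domain, canWrite), AssetService and the role names are
 * assumed for illustration.
 */
@Stateless
@RolesAllowed({"user", "sysadmin"})
public class AssetServiceBean implements AssetService {

    private static final String SYSADMIN = "sysadmin";

    @PersistenceContext
    private EntityManager em;

    @Resource
    private SessionContext ctx;

    /** Read: sysadmin sees every domain; everyone else only the domains they belong to. */
    public List<Asset> findByName(String namePattern) {
        StringBuilder jpql = new StringBuilder("select a from Asset a where a.name like :pattern");
        boolean scoped = !ctx.isCallerInRole(SYSADMIN);
        if (scoped) {
            // The allowed domains are derived from the authenticated principal, never from a
            // client-supplied parameter, so a caller cannot widen its own view.
            jpql.append(" and a.domain in (select m.domain from DomainMember m where m.username = :user)");
        }
        Query q = em.createQuery(jpql.toString()).setParameter("pattern", namePattern);
        if (scoped) {
            q.setParameter("user", ctx.getCallerPrincipal().getName());
        }
        @SuppressWarnings("unchecked")
        List<Asset> result = q.getResultList();
        return result;
    }

    /** Create: only a member with write permission on the target domain, or a sysadmin. */
    public Asset create(String domain, String name) {
        requireWrite(domain);
        Asset a = new Asset(domain, name);
        em.persist(a);
        return a;
    }

    /** Update: the check uses the domain stored on the entity, not one sent by the client. */
    public void rename(long id, String newName) {
        Asset a = load(id);
        requireWrite(a.getDomain());
        a.setName(newName);
    }

    public void delete(long id) {
        Asset a = load(id);
        requireWrite(a.getDomain());
        em.remove(a);
    }

    /** Load by id and apply the read rule, so an id outside the caller's domains
     *  is reported exactly like a missing row. */
    private Asset load(long id) {
        Asset a = em.find(Asset.class, id);
        if (a == null || !(ctx.isCallerInRole(SYSADMIN) || isMember(a.getDomain(), false))) {
            throw new EJBAccessException("asset not accessible: " + id);
        }
        return a;
    }

    private void requireWrite(String domain) {
        if (!(ctx.isCallerInRole(SYSADMIN) || isMember(domain, true))) {
            throw new EJBAccessException("no write permission on domain " + domain);
        }
    }

    /** Membership lookup for the current caller; needWrite additionally requires canWrite. */
    private boolean isMember(String domain, boolean needWrite) {
        Long n = (Long) em.createQuery(
                "select count(m) from DomainMember m where m.username = :user and m.domain = :domain"
                + (needWrite ? " and m.canWrite = true" : ""))
            .setParameter("user", ctx.getCallerPrincipal().getName())
            .setParameter("domain", domain)
            .getSingleResult();
        return n > 0;
    }
}
```

A Hibernate filter can still be enabled on the session for convenience, but nothing above relies on it: every decision is taken from the container-authenticated principal and roles, and write checks are made against the domain persisted on the entity rather than a value the client passes in.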