5 Replies Latest reply on Jan 24, 2008 5:05 AM by ericjava

    Tricky Q on Hibernate filters and roles

    ericjava Jan 23, 2008 5:53 AM

      Here's the situation:

      I'm creating a site where users can collaborate to work on data as a group. I'm calling a set of data for a set of users a "domain". Every user is a member of exactly one domain, and of course users can only access data within their own domain.

      On top of this, there are system administration level users who can look at any data.

      This sounds like a great case for using Hibernate style filters. Every object in the system is associated with a domain, so I can put in a filter that has key of "domain" and value of "#{currentUser.domain}". This will restrict users to viewing only their objects, and then I don't have to worry about it.

      The difficulty is that I want that filter to be turned off for the sysadmin type users. I'd like to have session beans that use a filtered EntityManager when the user is a "normal" user, but use the unfiltered EntityManager when the user s:hasRole('sysadmin').

      Is it possible to do this? Or is this even the right thing to do? I've never used Hibernate filters before (or at least, not in a Seam / EJB3 application).

      Thanks

      • 601 Views
      • Tags:
        • 1. Re: Tricky Q on Hibernate filters and roles
          mars1412 Jan 23, 2008 6:22 AM (in response to ericjava)

          maybe this helps: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=127041
          [/url]

            • Actions
          • 2. Re: Tricky Q on Hibernate filters and roles
            ericjava Jan 23, 2008 6:28 AM (in response to ericjava)

            Thanks for the reference on that. In this case, I won't use filters. Instead, on my session beans, I'll modify the query: if the user doesn't have sysadmin role, then add the "domain = ..." to every query.

            Btw I really hope that a future release of EJB spec adds something like the Hibernate Criteria stuff. This thing of putting together EJB-QL strings is a lot nicer than putting together SQL string, but it's still not object-oriented and Criteria queries are a lot more natural way to express many things.

              • Actions
            • 3. Re: Tricky Q on Hibernate filters and roles
              nickarls
              nickarls Jan 23, 2008 6:36 AM (in response to ericjava)

               

              "EricJava" wrote:

              Btw I really hope that a future release of EJB spec adds something like the Hibernate Criteria stuff. This thing of putting together EJB-QL strings is a lot nicer than putting together SQL string, but it's still not object-oriented and Criteria queries are a lot more natural way to express many things.


              There is hope: http://jcp.org/en/jsr/detail?id=317

                • Actions
              • 4. Re: Tricky Q on Hibernate filters and roles
                ericjava Jan 23, 2008 6:45 AM (in response to ericjava)

                 

                "nickarls" wrote:
                There is hope: http://jcp.org/en/jsr/detail?id=317


                That would be really nice. I can't wait. Criteria type queries and collections of embedded objects are the two things I want most. Why can't my entities have a boring old Set in them? Let's hope this comes out soon!


                  • Actions
                • 5. Re: Tricky Q on Hibernate filters and roles
                  ericjava Jan 24, 2008 5:05 AM (in response to ericjava)

                  I think I know what I should do.

                  1. Go ahead and use a filter if I want to, for my convenience, but not as a security mechanism.

                  2. Put a @Restrict annotation on the entities, and then use JBoss Rules to restrict various operations by roles, etc. So I could say, a sysadmin can look at any object in any domain, but only domain members could look at objects in their domain, and only domain members with write permissions can create, update or delete objects.

                  Does that sound right?

                    • Actions