4 Replies Latest reply on Feb 22, 2005 4:30 AM by Magnus Sandberg

    Securing EJB3s with ACLs / CRUD

    Magnus Sandberg Novice


      I have earlier developed something that resembles Hibernate. In this framework I also added the possibility to use Secure Entities. Basically for an Entity a with database table A there is a table A_ACL with access information for A. The framework inserted SQL in all questions to the database so that only rows in A were returned that were permitted to be seen by the current user according to A_ACL.

      Since this code is getting old and bloated I'm looking to implement the same pattern on a standard framework. I have tried to figure out how to do this on EJB3 but I guess that some framework enhancements are needed for me to do this.

      Maybe all this will be possible with CRUD-access? But sorting the allowed data from the data not allowed must usually be done in the database so having CRUDs as callbacks is not really good enough. My guess is that this is the way that CRUDs will be handled but I might be wrong.

      Will there be a J2EE/EJB3 way to replace the EntityManager? This might be a way to intercept the SQL/EJB-QL before it gets passed on to the database. If this is/will be possible, will this also intercept calls from declared relations (@ManyToOne etc.)?

      I would really appreciate some ideas, thoughts or information about this. If this seems to be impossible I guess it would be better to avoid EJB3 Entities and look somewhere else.



        • 1. Re: Securing EJB3s with ACLs / CRUD
          Max Rydahl Andersen Master

          This kind of mechanism is the perfect use case for Hibernate3's new filter mechanism.

          Probably not something that will be exposed at the EJB3 spec level, but something you can do with Hibernate3 which is the underlying engine for JBoss's EJB3 implementation.

          • 2. Re: Securing EJB3s with ACLs / CRUD
            Magnus Sandberg Novice

            I'll have a look at that - is it possible to combine this with EJB3 or will I have to use Hibernate Entities/POJOs?
            Still it would be nice to do a pure EJB3 implementation.


            • 3. Re: Securing EJB3s with ACLs / CRUD
              Bill Burke Master

              EntityCallbackListeners may help and may be a standard way to do this.

              • 4. Re: Securing EJB3s with ACLs / CRUD
                Magnus Sandberg Novice

                As far as I can understand, EntityCallbackListeners will not help. The callbacks, in this case @PostRead, are called when the data is already loaded into memory. This will not be good enough when handling large amounts of data.

                There are solutions to most situations, where you basically can write your own EJB-QL and use the EntityManager for lookups, but when it comes to relationships I have found no way to do any filtering.

                One way would of course be to use EJB3 without any relationships and handle this by hand, but that seems to be a waste of good code.

                A better way, IMHO, is if there was some way to add filter directives to the relationships.
                Something like:

                @ManyToOne( ..., filter="status_col != \"DELETED\"")

                You could even put the complete EJB-QL used to fetch the data here or some EJB-QL to be 'hooked' into the overall query.
                This could also be applied to the @Entity statement, this might even be a better overall solution.

                Maybe I'm just too far out here, or this might not be a real issue to anyone but me ...
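
The Hibernate3 filter approach suggested in reply 1, applied to the A / A_ACL pattern from the original question and to the relationship case raised in reply 4. This is an added example, not code from the thread or from JBoss/Hibernate; it assumes Hibernate 3.x to 5.x annotations, and the Document, Folder and DOCUMENT_ACL names, the Acl constants and the visibleTo method are hypothetical.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.ManyToOne;
import javax.persistence.OneToMany;
import org.hibernate.Session;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;

// Hypothetical schema: Document(id, title, folder_id), Folder(id) and
// DOCUMENT_ACL(document_id, principal, can_read).
final class Acl {
    static final String FILTER = "aclRead";
    // Unqualified "id" is resolved by Hibernate against the filtered entity's table alias.
    static final String CAN_READ =
        "exists (select 1 from DOCUMENT_ACL acl where acl.document_id = id"
        + " and acl.principal = :principal and acl.can_read = 1)";
}

@Entity
@FilterDef(name = Acl.FILTER, parameters = @ParamDef(name = "principal", type = "string"))
@Filter(name = Acl.FILTER, condition = Acl.CAN_READ)   // added to HQL/Criteria queries on Document
class Document {
    @Id Long id;
    String title;
    @ManyToOne Folder folder;   // to-one associations are NOT filtered in these versions
}

@Entity
class Folder {
    @Id Long id;
    @OneToMany(mappedBy = "folder")
    @Filter(name = Acl.FILTER, condition = Acl.CAN_READ)   // collections need their own @Filter
    List<Document> documents;
}

final class DocumentReader {
    // The filter is off by default: enable it on every Session, binding the principal
    // from the authenticated caller, never from client-supplied input.
    @SuppressWarnings("unchecked")
    static List<Document> visibleTo(Session session, String principal) {
        session.enableFilter(Acl.FILTER).setParameter("principal", principal);
        return session.createQuery("from Document d order by d.title").list();
    }
    // session.get(Document.class, id) and EntityManager.find() bypass the filter,
    // so a lookup by id needs a query or an explicit ACL check.
}
```

The restriction is evaluated in the database, so rows the principal cannot read are never loaded, which is the property the @PostRead callback lacks.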