tags:

views:

823

answers:

2
+2  Q: 

data 'security' with java and hibernate

Hi there,

The system I am currently working on requires some role-based security, which is well catered for in the Java EE stack. The system intends to be a framework for business domain experts to write their code on top of.

However, there is also a requirement for data 'security'. That is, what information is visible to an end user.

This effectively means reducing visibility to rows (and perhaps even columns) in the database.

We are using Hibernate for our persistence. However, we are using our own annotations so as not to expose our persistence choice to the business domain experts.

For row based security this means we could add an annotation such as '@Secured' at the entity level, which would cause an extra column to be added to the underlying table to constrain our selects?

For column based security, we could perhaps have '@Secured' to either assist in query generation, or perhaps use an aspect to filter the information returned?

I'm curious to know how this might affect hibernate's caching mechanisms as well?

I'm sure a lot of others will have had the same issue, and I was wondering how you approached this?

Much appreciated...

+5  A: 

Hibernate has a filter mechanism that may work for you. The filters will rewrite the queries hibernate generates to include an additional clause to limit the rows returned. I'm not aware of anything in hibernate to mask/hide columns.

Your database may also have support for this functionality. Oracle, for example, has the Virtual Private Database (VPD) which will rewrite your queries at the database level. This solution has the added benefit that any external program (e.g. reporting tools) that goes against your db will have your security restrictions enforced. VPD also has support to mask restricted columns with NULLs.

Unfortunately, the above solutions have not been adequate to support the security requirements for the types projects I typically work on. There is usually some sort of context that cannot be easily expressed in the above solutions. For example, users can view data that they have created, or that have been been marked as public, or belong to a project which they manage.

We typically create query/finder/DAO objects where we pass in the values required to enforce the security and then create the query accordingly.

I hope this helps

JMM  2008-08-29 18:12:36
A: 

When using Hibernate filters you need to be aware that the additional restrictions will not be applied to SQL statements generted by the load() or get() methods.

bmatthews68  2008-09-01 11:13:42

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java