[hibernate-dev] Authorization to limit Data access

2010-12-28 Thread Amol Ghotankar
Hello,

I am working on a web application which is using Struts2, Spring & Hibernate.

I am working on authorization, which I think is a necessary cross-cutting
feature of any application and needs to be developed & kept very much isolated
from the business logic.

I am elaborating my requirement in detail as follows.

Assume a simple action which is authorized to be called by sales dept people
only, i.e. showSales.action

When a user from the purchase dept tries to call this action, an
interceptor will check whether the user in role has the authorization to
access it or not, and deny the purchase dept user access to this action.
This is simple.

I have implemented this using before advice of Spring AOP rather than an
interceptor. I hope I am not wrong?

But the bigger problem is

By how much, I mean e.g. if a *sales executive* logs in and clicks
showSales.action then he must get a view of his own sales list, but
when a *sales manager* logs in and calls the same action, i.e.
showSales.action, then he must get a bigger and wider list, which can be
a union of data from all sales executives.

Here authorization of some kind must be implemented which intercepts DAOs
and automatically sets the "where clause" in the SQL query.

*I tried before advice of Spring for DAOs also, but the problem is that if a
where clause is set somewhere within business logic then a double where
clause is set, which gives an error, and because I am using Hibernate
criteria to set restrictions on queries I have noticed these Hibernate
criteria are immutable* (Is there any way to change them?)

What would be the best way to solve this problem? Any design pattern
or *something in Hibernate that can help me here*, or some other advice
for it?


-- 


With Best Regards,

Amol Ghotankar
Cursive Technologies Pvt. Ltd.
www.cursivetech.com
___
hibernate-dev mailing list
hibernate-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hibernate-dev


Re: [hibernate-dev] Authorization to limit Data access

2010-12-28 Thread Sanne Grinovero
Hello,
please direct this type of question to the forum:
https://forum.hibernate.org/viewforum.php?f=1

This mailing list is for developing Hibernate.
To answer your question - I shouldn't, so I'll be very short - have a
look at "filters" in the reference documentation.
http://docs.jboss.org/hibernate/core/3.6/reference/en-US/html_single/#objectstate-filters

Sanne
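
An added example (not part of the original thread and not Hibernate project code) of the filters approach the reply points to, applied to the showSales case and assuming Hibernate 3.6 annotations. The `Sale` entity, the `sale` table and `owner_id` column, the `ownSalesOnly` filter name and the `SalesScope` helper are all hypothetical.

```java
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
import org.hibernate.Session;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;

// Hypothetical entity; table and column names are assumptions.
@Entity
@Table(name = "sale")
@FilterDef(name = "ownSalesOnly",
           parameters = @ParamDef(name = "ownerId", type = "long"))
// The condition is a SQL fragment that Hibernate ANDs into the WHERE clause
// of generated queries, alongside any Criteria restrictions the business
// logic adds, so no DAO has to build or rewrite a second WHERE clause.
@Filter(name = "ownSalesOnly", condition = "owner_id = :ownerId")
public class Sale {
    @Id
    private Long id;

    @Column(name = "owner_id")
    private Long ownerId; // the sales executive who owns this row

    public Long getId() { return id; }
    public Long getOwnerId() { return ownerId; }
}

// Hypothetical helper: call it once per request, right after the Session is
// obtained (for example from the same Spring before-advice that checks roles).
final class SalesScope {
    private SalesScope() {}

    static void apply(Session session, long userId, boolean isSalesManager) {
        if (isSalesManager) {
            // Managers see the union of all executives' rows.
            session.disableFilter("ownSalesOnly");
        } else {
            // Every other caller is restricted to their own rows.
            session.enableFilter("ownSalesOnly")
                   .setParameter("ownerId", Long.valueOf(userId));
        }
    }
}
```

Filters are off by default on a new Session, so the restriction holds only if `apply` runs on every request path. They also do not apply to `session.get()`/`load()` by identifier or to native SQL, so those paths need their own ownership check.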
