Here's some code we started on to do this kind of thing. It never made it to production, but it was close. This just defines some methods that can be overridden to implement security based on your specific requirements.
https://www.dropbox.com/s/g247uxpalps5xse/AuthHessianService.java One thing I have found cumbersome is inspecting SelectQuery objects to figure out what they are - because SelectQuery.getRoot() returns plain Object you have to screw around to figure out what it really is. Also inspecting the qualifier is a little difficult, but generally that's not a great idea anyway - better to just add things to the qualifier even if it results in duplicate clauses. John On Wed, May 15, 2013 at 6:49 PM, Aristedes Maniatis <a...@ish.com.au> wrote: > We have a ROP Cayenne application we'd like to lock down a bit more > tightly. In particular, in a situation where we don't trust the client > application hasn't been hacked, we'd like to restrict certain activity from > the client. I'm thinking of: > > 1. preventing SQLTemplate/EJBQL queries completely > 2. adding entity listeners to catch certain write behaviour (we can't do a > lot about reading data since that's easy to do at the controller level, on > the client, but pretty hard to construct rules at the model level on the > server) > 3. creating 'partial' object entities which are missing some attributes. > Sort of hollow, but only hollow on some attributes. > > > Has anyone attempted anything similar to the above? (2) should be easy > enough, but not sure about the other requirements. > > > Cheers > Ari > > > > > -- > --------------------------> > Aristedes Maniatis > ish > http://www.ish.com.au > Level 1, 30 Wilson Street Newtown 2042 Australia > phone +61 2 9550 5001 fax +61 2 9550 4001 > GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A >
