Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [eclipselink-users] Suggestions for approaches to security and queries?
User doc link for additional criteria (sent you design doc link previously)

http://wiki.eclipse.org/EclipseLink/UserGuide/JPA/Basic_JPA_Development/Mapping/Additional_Criteria

Cheers,
Guy

On 30/06/2011 10:38 AM, Guy Pelletier wrote:
Hi Laird,

Have a look at @AdditionalCriteria or our @Multitenant solution.

http://wiki.eclipse.org/EclipseLink/Development/AdditionalCriteria

http://wiki.eclipse.org/EclipseLink/UserGuide/JPA/Advanced_JPA_Development/Single-Table_Multi-Tenancy.

Cheers,
Guy

On 30/06/2011 10:17 AM, Laird Nelson wrote:
Hello; thanks for a great product and congratulations on the 2.3 release.

I have a question around security and customization, and am looking for thoughts on how best to proceed.

In the higher education industry (and I'm sure many others), access control is paramount.  You don't want a work-study student being able to see the salaries or account balances of professors, for example.

My question is, what is the best way--or any way, really--to affect a query such that a subset of what is requested is actually delivered?

Suppose we have a JPQL query like this:

SELECT p.salary FROM Person p

But the security rules that should be in effect are: "Users in the 'workstudy' role may only retrieve salary information of other work-study students".  (I am making this silly rule up.)

So when a query is run from our app, we really want it to translate, as silently as possible, to:

SELECT p.salary FROM Person p WHERE some condition that determines whether p is a work-study student based off p and maybe other information

Loosely speaking, we'd like to inject a WHERE clause in there where none was there before.  Or, in the case where there was a WHERE clause, we want to add a condition to it.  And in the case of complicated joins, we might want to add additional conditions in there as well.

Leaving aside the problem of passing parameters for the moment, is there a single place where such a condition could be injected?  I'll come back to parameters if unparamaterized constraining is possible.

I should note that I am well aware that I could filter the List of query results, but I'm looking to push the constraining information down to the underlying database itself.  I'm also aware that what I'm asking about is more likely than not not possible.

Thanks,
Laird

_______________________________________________
eclipselink-users mailing list
eclipselink-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/eclipselink-users

Back to the top