Hi Quayym,
you can create a */simplistic permission model/* like the following:
you can manage a generic table where you store the authorization
information; some thing like the one shown below will work:
Table : *Authorization_Information*
*
*
*I*/*D USER_ID BO_ID BO_TYPE ALLOWED_ACTIONS*/
For BO_ID, you would save the id of the business object irrespective of
whether the object is an audio or a video or another type; and you would
fill the type column with the type of business object; i.e. audio, or
video, etc. you can even store integer values in this column and map it
in a static Java class what integer value is for which business object type.
Here there will no referential integrity between
You need to reserve two fixed values, Long.MAX_VALUE and Long.MIN_VALUE
for BO_ID column to facilitate permission definitions, which I'll
explain below
you can use the standard Java model for actions, like:
view=2^0=1
edit=2^1=2
add=2^2=4
delete=2^3=8
if view and edit, then 1+2
if view edit and delete, then 1+2+8
if view add and edit, then 1+2+4
and so on....
when you are saving a business object, save also the authorization for
that object as given below:
/AuthorizationInfo authzInfo= new AuthzInfo();/
/authzInfo.setBusinessObjectId(businessObject.getId());/
/authzInfo.setBusinessObjectType(businessObject.getType());/
/
/
/for a user who created this object:/
/authzInfo.setAllowedActions(AuthorizableActions.VIEW+AuthorizableActions.EDIT+AuthorizableActions.DELETE);/
/
/
/for a user who subscribed to this object:/
/authzInfo.setAllowedActions(AuthorizableActions.VIEW);/
/
/
/for users who want to collaborate on a shared object:/
/authzInfo.setAllowedActions(AuthorizableActions.VIEW+AuthorizableActions.EDIT);/
/
/
/for 'add' permission, you need to use the reserved id values for BO_ID:/
/authzInfo.setId(Long.MAX_ID);/
/// when Long.MAX_VALUE is set for this column, then we can infer that
the below mentioned actions are given over every object of the BO_TYPE
specified in this record/
/// when Long.MIN_VALUE is set for this column, then we can infer that
the below mentioned actions are given over only the objects of the
BO_TYPE specified in this record that are explicitly created by the user
himself /
/
/
/authzInfo.setBusinessObjectType(businessObject.getType());/
/authzInfo.setActions(AuthorizableActions.ADD);/
/
/
/you can even give any combination of actions for all the objects of a
particular business object type./
/authzInfo.setAllowedActions(AuthorizableActions.VIEW+ AuthorizableActions.EDIT+ AuthorizableActions.ADD+ AuthorizableActions.DELETE);/
now, when you are checking whether a user has permission to view or edit
or delete a certain business object, then you can make the authorization
calls like:
/*Query 1: */
/String queryString="SELECT OBJECT(AI) FROM AuthorizationInfo AI WHERE
USER_ID=:loggedInUserId";/
/Query query query=em.createQuery(queryString);/
/query.setParameter("loggedInUserId", loggedInUserId);/
/List<AuthorizationInfo> authorizationData=query.getResultList();/
and check if the business object that you are validating is in the
return authorizationData ; and if not throw security exception.
You can even make a join with AUTHORIZATION_INFORMATION table in all
your queries that deal with business data objects to make sure that a
logged in user is always operating on the authorized business objects,
thus providing authorization checks in the database as well.
your queries for a business object audio may be like:
*/Query 2:/*
*/
/*
/String queryString="SELECT OBJECT(A) FROM Audio , AuthorizationInfo AI
WHERE AI.userId=:loggedInUserId AND AI.businessObjectId=A.id AND
AI.businessObjectType=:businessObjectType";/
/Query query=em.createQuery(queryString);/
/query.setParameter("loggedInUserId ", loggedInUserId );/
/query.setParameter("businessObjectType", Audio.getType());//type is a
static discriminating variable for every class that extends the base
BusinessObject class /
/List<Audio> authorizedAudioFilesForLoggedInUser=query.getResultList();/
*/Or/*,
If you want to */reuse /*the permissions defined, then you can achieve
that by modifying the above model a little to split the
AUTHORIATION_INFORMATION table in to three tables as shown below:
/Table/ : *Authorization_Information*
*
*
*I*/*D BO_ID BO_TYPE ALLOWED_ACTIONS ROLE_ID*/
*/
/*
*/
/*
*/Table : ROLE/*
*/ID NAME DESCRIPTION DEFAULT/*
*/
/*
*/
/*
*/
/Table/ : *USER_ROLE_ASSOCIATION*
*
*
/*USER_ID ROLE_ID*/
*/
/*
*/
/*
*/
/*
*/note: you can treat a default role as one that is assigned to every
user when the user is created, and that such role can not be deleted./*
*/
/*
/then you need to query these 3 tables for the authorization information./
/
/
/some thing like:/
/
/
/*Query 3:* /
/
/
/String queryString="SELECT AI.*,R.id,R.name,R.possedUsers.id
<http://R.possedUsers.id>,R.possessedUsers.name
<http://R.possessedUsers.name> FROM Role R JOIN AuthorizationInfo AI
WHERE R.possessedUsers.id <http://R.possessedUsers.id>=:loggedInUserId";/
Query query=em.createQuery(queryString);
/query.setParameter("loggedInUserId", loggedInUserId);/
/List<AuthorizationData> =query.getResultList();/
/
/
/where AuthorizationData is a utility object that is not a mapped
entity but can be used to represent a composition of data from a join
of the three authorization tables. In fact you can even create a view
based on the above query and just do a select * for the logged in user
on the view to get the authorization information for the user./
/
/
/
/
/If you want to do the authorization in your queries it self, then you
can change your query described in query 2 to :/
/
/
/*Query 4 :*/
/SELECT AI.*,R.id,R.name,R.possedUsers.id
<http://R.possedUsers.id>,R.possessedUsers.name
<http://R.possessedUsers.name> FROM Role R JOIN AuthorizationInfo AI
WHERE R.possessedUsers.id <http://R.possessedUsers.id>=:loggedInUserId/
/
String queryString="SELECT OBJECT(A) FROM Audio , AuthorizationInfo AI
/JOIN /Role R WHERE R.possessedUsers.id
<http://R.possessedUsers.id>=:loggedInUserId AND
AI.businessObjectId=A.id AND AI.businessObjectType=:businessObjectType";
Query query=em.createQuery(queryString);
query.setParameter("loggedInUserId ", loggedInUserId );
query.setParameter("businessObjectType", Audio.getType());//type is a
static discriminating variable for every class that extends the base
BusinessObject class
List<Audio> authorizedAudioFilesForLoggedInUser=query.getResultList();
/
/-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------/
/*
I hope this helps,
Regards,
Samba
On Tue, Dec 29, 2009 at 10:27 AM, jz <jehanzeb.qayyum@xxxxxxxxx
<mailto:jehanzeb.qayyum@xxxxxxxxx>> wrote:
Hi,
Thanks for your answers i will try and let you know.
Anything you have to say on instance based authorization using
eclipselink, please share?
Regards,
Jehanzeb Qayyum
On Tue, Dec 29, 2009 at 11:09 PM, Samba <saasira@xxxxxxxxx
<mailto:saasira@xxxxxxxxx>> wrote:
Hi Qayyum,
I can offer the below explanations for two of your questions:
1. for the delete use case, you can write a JPQL query to delete
the record, example:
String queryString= "DELETE OBJECT(BO) FROM " +
businessObject.getClass().getCanonicalName()+ " BO " + "WHERE
BO.id=:" + businessObject.getId();
Query query=em.createQuery(queryString);
int result= em.executeUpate(query);
return result==1?true:false;
however,there is a small downside to this; we don't get an
OptimisticLockException when we try to delete a record that has
been changed just before we executed this delete query. So we
may never see certain updates to the deleted objects; if it
crucial for your use case to always make sure that the object
being deleted is in a certain state then, you need to write
additional filter conditions n the where clause like :
BO.version=businessObject.getVersion, and depending on the
returned value, if zero, we have to assume that the deletion
failed because the record has been updated by some other
parallel transaction and that the version number might have
changed; and hence rollback the current activity and tell the
user to start the transaction afresh. ofcourse, this is all
required if you want to make sure that you always delete the
latest version of the object.
2. Yes, I too observed that eclipselink is generating an
uncessary join when all I want is a reference to the id that my
table-in-question already has as a foriegn key reference.
you can view the mail thread I posted earlier
at: http://www.nabble.com/unnecessary-join-made-in-case-of-Many%3C--%3EMany-relation-tp24679954p24703970.html
I did not raise a bug for this as suggested by James since I
myself am not convinced at that time that this is really an
issue with eclipselink and attributed to my data model design
where we have too many eagerly loaded objects.
Looking at your issue, I'm thinking to revisit this and verify
that the issue is infact produced by eclipselink, and if yes, I
will raise a bugzilla request.
Regards,
Samba
On Fri, Dec 25, 2009 at 1:47 PM, jz <jehanzeb.qayyum@xxxxxxxxx
<mailto:jehanzeb.qayyum@xxxxxxxxx>> wrote:
Hi Tom,
Yes you are right i can always run a native query to fine
tune, got your persistence context cache point but i am
using ejb method to do jpa work and my entity manager is
transaction demarcated not extended.
But since i am implementing a generic wrapper which should
work for all entities i do not want to do that. Currently in
my ejb i have an operation delete(BusinessObject bo); Now
what should be the best implementation of this ejb method
with following goals in mind:
1- Performance
2- Cascade delete relationships
3- Delete operation should require minimal possible data
best case only primary key of the record to remove
4- Validate if entity being removed does exist in db
//Note: All my jpa entities inherit from BusinessObject
interface
interface BusinessObject{
public Object getId();
}
I have following alternatives:
1- em.remove(em.merge(bo));
On transaction commit this is will first update in db and
then delete it. This breaks goal 1 and 3 because if i send a
BusinessObject instance with only id set it will generate
all sorts of errors on updating the record with nulls in
other properties / columns
2-
BusinessObject storedBo = em.read(bo.getId());
if(storedBo != null){
em.remove();
}
This defeats goal 1 of performance. But is still better than
first case as it achieves goal 3.
I do not know how to achieve goal 2 using JPA apart from
manually specifying ON CASCADE DELTE on fk relationships. I
wonder why EclipseLink does not generate cascade constraints
in schema script.
Secondly the question about manytoone relationship joins was
a separate question. Most of my jpa entities have a
manytoone relationship with a User entity. Whenever i do any
operation on any entity i want to restrict that logged in
user can perform operation on its own data (instance based
authorization). For example one such operation is querying
for data. User sends a query
SELECT o FROM Audio o
i will modify this query to make it
SELECT o FROM Audio o WHERE o.user.id <http://o.user.id> =
?logged_in_userid
The above jpa query translates to a join with User table,
even when Audio table has a foreign key user id. This is a
performance hit and i want to avoid it. To add a such a
condition to jpa string query is also an interesting part.
You may want to hear it and give comments. I researched on
it and found out that JPA 1.0 do not have support for
manipulating queries dynamically, it is however provided in
JPA 2.0 with Criteria API. So i have to write a little
JpqlWrapper class. I searched EclipseLink sourced code to
find a jpql parser that can make my code more robust and
error free but failed. I know below case miss a lot from
jpql BNF but it worked for my scenario. Any suggestion on
this one are highly appreciated.
public class JpqlWrapper {
Log log = LogFactory.getLog(this.getClass());
StringBuilder query;
public JpqlWrapper(String query) {
this.query = new StringBuilder(query);
}
public void and(String condition) {
String lowercase = query.toString().toLowerCase();
if (!lowercase.isEmpty()) {
int appendAt = lowercase.lastIndexOf(" order by");
if (appendAt == -1) {
appendAt = lowercase.length();
}
if (lowercase.indexOf(" where ") == -1) {
query.insert(appendAt, " where " + condition + " ");
} else {
query.insert(appendAt, " and " + condition + " ");
}
}
}
public String getFirstIdentificationVariable() {
Pattern pattern = Pattern.compile("from +\\w+ +\\w+",
Pattern.CASE_INSENSITIVE);
Matcher matcher = pattern.matcher(query);
if (matcher.find()) {
return matcher.group().substring(
matcher.group().lastIndexOf(" ") + 1);
}
throw new IllegalArgumentException("Unexpected query: "
+ query.toString());
}
public String getFromObject() {
Pattern pattern = Pattern
.compile("from +\\w+", Pattern.CASE_INSENSITIVE);
Matcher matcher = pattern.matcher(query);
if (matcher.find()) {
log.debug("Match: " + matcher.group());
return
matcher.group().substring(matcher.group().lastIndexOf(" ") + 1);
}
throw new IllegalArgumentException("Unexpected query: "
+ query.toString());
}
public String toString() {
return query.toString();
}
}
In my query ejb method i do something like.
if (entity instanceof UserAssociation) {
UserAssociation userAssociated = (UserAssociation) entity;
userAssociated.setAssociatedUser(getCallingUser());
jpql.and(jpql.getFirstIdentificationVariable() + "."+
userAssociated.getUserAssociation() + ".id = "+
userAssociated.getAssociatedUser().getId());
}
em.query(jpql.toString())
Note in my ejb i get the executing user id from jaas
principals collections using weblogic specific code (bad i
know but isCallerInRole and getCallerPrincipal were not
working):
Set<Principal> principals =
weblogic.security.Security.getCurrentSubject().getPrincipals();
So moving on i had to do the same instance based
authorization in case of create, update, delete and read
operations.
For create i create a new User instance and set it on the
entity.
For update i have to read the entity, verify that if belongs
to executing user and then set it on the instance,
For delete i again have to read the entity, verify if it
belongs to executing user
For read i have to query instead of em.find() as i have to
insert and condition for user.
To enable all of above, my entities inherit an interface
interface UserAssociation{
User getAssociatedUser();
void setAssociatedUser();
String getUserAssociation(); //return user association in
form of string that i can concatenate
//in jpql e.g."user",
"group.user" etc
}
If you have a better way to do this instance based
authorization, please share.
Thanks for your time.
Regards,
Jehanzeb Qayyum
On Thu, Dec 24, 2009 at 7:09 PM, Tom Ware
<tom.ware@xxxxxxxxxx <mailto:tom.ware@xxxxxxxxxx>> wrote:
Hi jz,
You should be able to use a native query to run any
pure SQL you want to run. If you are deleting with a
native query, you will want to be careful that you
definitely have not read the object yet since a native
query will not remove objects from the persistence
context or the cache.
Can you give an example of the query you are running
and the SQL that is produced that causes your issue with
m-1 relationships?
-Tom
jz wrote:
Hi,
How can i delete a detached entity without reading
it first?
Why eclipselink creates a join sql in case of
manytoone relationships if query contains only FK?
Regards,
Jehanzeb Qayyum
------------------------------------------------------------------------
_______________________________________________
eclipselink-users mailing list
eclipselink-users@xxxxxxxxxxx
<mailto:eclipselink-users@xxxxxxxxxxx>
https://dev.eclipse.org/mailman/listinfo/eclipselink-users
_______________________________________________
eclipselink-users mailing list
eclipselink-users@xxxxxxxxxxx
<mailto:eclipselink-users@xxxxxxxxxxx>
https://dev.eclipse.org/mailman/listinfo/eclipselink-users
_______________________________________________
eclipselink-users mailing list
eclipselink-users@xxxxxxxxxxx
<mailto:eclipselink-users@xxxxxxxxxxx>
https://dev.eclipse.org/mailman/listinfo/eclipselink-users
_______________________________________________
eclipselink-users mailing list
eclipselink-users@xxxxxxxxxxx <mailto:eclipselink-users@xxxxxxxxxxx>
https://dev.eclipse.org/mailman/listinfo/eclipselink-users
_______________________________________________
eclipselink-users mailing list
eclipselink-users@xxxxxxxxxxx <mailto:eclipselink-users@xxxxxxxxxxx>
https://dev.eclipse.org/mailman/listinfo/eclipselink-users
------------------------------------------------------------------------
_______________________________________________
eclipselink-users mailing list
eclipselink-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/eclipselink-users