Databases
StackOverflow2013
Postsdbo
POHow to limit user access at database level in Hibernate
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POHow to limit user access at database level in Hibernate
    text
    copied!<h3>The App</h3> <p>I need to implement a web app that will be used by different users. Each user has different privileges on various tables, e.g. </p> <p><li> User A can see fields 'name' and 'address' from the table <code>Student</code> </li> <li> User B can see fields 'name' and 'phone number', but not 'address' from the table <code>Student</code> </li> <li> User C can see and modify all fields mentioned above</li></p> <p><br/> I will have something at the UI level to limit certain access, e.g. hide the "edit" button for users that don't have permission to modify entries. However, I think I should have something at a lower level (at a database level maybe?) just to ensure data security. </p> <hr> <h3>The Problem</h3> <p>I am using Hibernate, JBoss, DB2 and Struts for my app. I think I should use a JBoss LoginModule of some sort, which authenticates the user against a database with user/password/roles (but I may be wrong(?)). I have done some research and came up with the following options, but none seems to fit my case. I would think this is a very common data access problem in multi-user web apps. Could somebody please point me to the right direction? <em>Thank you in advance!</em></p> <ol> <li><p>Use the 'grant' tag in <code>hibernate.cfg.xml</code> with JACC event listeners. This can set "insert" "update" "read" permissions on all hibernate entities. However, what if I need finer controls? I need to set permissions on certain fields instead of the entire object. <a href="http://www.hibernate.org/hib_docs/v3/reference/en-US/html/objectstate-decl-security.html" rel="nofollow noreferrer">http://www.hibernate.org/hib_docs/v3/reference/en-US/html/objectstate-decl-security.html</a> </p></li> <li><p>Limit permissions on getter/setter method of each ejb. If I understood this correctly, this requires manual configuration of every single bean for every user profile, which seems unrealistic for me. <a href="http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/4/html/J2EE_Declarative_Security_Overview-EJB_method_permissions.html" rel="nofollow noreferrer">EJB Method Permissions</a> </p></li> <li><p>Code the DAO's to check for user permissions. Roll my own utility function that checks a giant permission table everytime a particular DAO method is called to determine if the logged in user can perform the action or not. </p></li> <li><p>Use 'interceptor' and 'events' in Hibernate. Define specific "onLoad", "onSaveorUpdate" etc. events and interceptors for each class. Can I specify permission level for individual fields in this case? <a href="http://www.hibernate.org/hib_docs/v3/reference/en-US/html/objectstate-events.html" rel="nofollow noreferrer">http://www.hibernate.org/hib_docs/v3/reference/en-US/html/objectstate-events.html</a></p></li> </ol> <p>I might be barking at the wrong tree. All of the above seem to be labour-intensive and not very intelligent. None of the above options give me programmatic ways to change user permissions at runtime, which would be useful when an admin-level user want to give another user more control in this app. </p> <p><br/> What is a good way of doing data-access control here?</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload