You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@cayenne.apache.org by Malcolm Edgar <ma...@gmail.com> on 2008/03/06 06:31:38 UTC
Data Access Filters
Hi All,
Does anyone have any good Cayenne patterns for applying data security
in queries. The scenario I am talking about is where you have a
client which only has access to certain records in a table, so when
the query the table they should only see their records. Similar
concept to Oracles Find Grained Access Control (FGAC).
http://www.unix.org.ua/orelly/oracle/guide8i/ch08_01.htm
I know this can be done via WHERE clauses with custom code, however I
wanted to know if anyone have a more generic approach and whether
Cayenne provides any support for this.
Hibernate provides something similar with Filters:
http://www.hibernate.org/hib_docs/reference/en/html/filters.html
regards Malcolm Edgar
Re: Data Access Filters
Posted by Malcolm Edgar <ma...@gmail.com>.
Hi Adrian,
thanks for the feedback.
regards Malcolm Edgar
On Thu, Mar 6, 2008 at 6:14 PM, Adrian Wiesmann <aw...@somap.org> wrote:
> Hello Malcolm, hello list
>
>
> > Does anyone have any good Cayenne patterns for applying data security
> > in queries. The scenario I am talking about is where you have a
> > client which only has access to certain records in a table, so when
> > the query the table they should only see their records. Similar
> > concept to Oracles Find Grained Access Control (FGAC).
>
> I am implementing something very similar to the Oracle FGAC way. But I
> added the table model pattern to Cayenne to do so.
>
> So in my architecture I renamed the Cayenne DataObject to DataRow. I then
> introduced a DataTable to every DataRow. DataTables contain all logic
> related to retrieving and persisting data of one table in the database.
> DataRows are therefor "dumbed down" as they just contain logic related to
> one record.
>
> Let's say I have a Painting table. Then I generate a PaintingDataRow and a
> PaintingDataTable class. In my PaintingDataTable I then implement the
> logic to retrieve Painting records:
>
> PaintingDataTable.getAllPaintings();
> PaintingDataTable.getByForeignKey(keyArtist);
>
> within these methods I then implement the access logic based on the
> Session information. Based on the role information of the currently logged
> in user I add some Where statements to the standard select statements.
> Pseudo code:
>
> PaintingDataTable.getAllPaintings()
> {
> select = "SELECT * FROM PAINTING";
> if(!user.isAdmin())
> {
> select += "WHERE USER IS ALLOWED TO SEE PAINTING";
> }
> }
>
> This architecture works quite good since all data retrieval is done via
> the DataTables. And the DataTables enforce the access logic. It even has
> the added value of having all retrieve logic in one place and not
> everywhere in the code.
>
> Actually the architecture is a little bit more complex (DataContainer,
> Session, etc adding to the mess). But you should get the point. :)
>
> Cheers,
> Adrian
>
Re: Data Access Filters
Posted by Adrian Wiesmann <aw...@somap.org>.
Hello Malcolm, hello list
> Does anyone have any good Cayenne patterns for applying data security
> in queries. The scenario I am talking about is where you have a
> client which only has access to certain records in a table, so when
> the query the table they should only see their records. Similar
> concept to Oracles Find Grained Access Control (FGAC).
I am implementing something very similar to the Oracle FGAC way. But I
added the table model pattern to Cayenne to do so.
So in my architecture I renamed the Cayenne DataObject to DataRow. I then
introduced a DataTable to every DataRow. DataTables contain all logic
related to retrieving and persisting data of one table in the database.
DataRows are therefor "dumbed down" as they just contain logic related to
one record.
Let's say I have a Painting table. Then I generate a PaintingDataRow and a
PaintingDataTable class. In my PaintingDataTable I then implement the
logic to retrieve Painting records:
PaintingDataTable.getAllPaintings();
PaintingDataTable.getByForeignKey(keyArtist);
within these methods I then implement the access logic based on the
Session information. Based on the role information of the currently logged
in user I add some Where statements to the standard select statements.
Pseudo code:
PaintingDataTable.getAllPaintings()
{
select = "SELECT * FROM PAINTING";
if(!user.isAdmin())
{
select += "WHERE USER IS ALLOWED TO SEE PAINTING";
}
}
This architecture works quite good since all data retrieval is done via
the DataTables. And the DataTables enforce the access logic. It even has
the added value of having all retrieve logic in one place and not
everywhere in the code.
Actually the architecture is a little bit more complex (DataContainer,
Session, etc adding to the mess). But you should get the point. :)
Cheers,
Adrian
Re: Data Access Filters
Posted by Ahmed Mohombe <am...@yahoo.com>.
> The scenario I am talking about is where you have a
> client which only has access to certain records in a table, so when
> the query the table they should only see their records.
This scenario is so common that I wonder why aren't there many out of the
box generic solutions.
> I know this can be done via WHERE clauses with custom code, however I
> wanted to know if anyone have a more generic approach and whether
> Cayenne provides any support for this.
>
> Hibernate provides something similar with Filters:
>
> http://www.hibernate.org/hib_docs/reference/en/html/filters.html
IMHO Filters are a simple and elegant solution for this problem (even if
involve a little work).
I wish there were at least something like Hibernate Filters in Cayenne too.
Thanks in advance,
Ahmed.