How to implement row level security in Java?

I am currently evaluating the scope of authentication / authorization.

Apache Shiro seems to be very nice, but I am missing the row-level security features.

E.g. the database may have special rows that should be visible and accessible only to users with special privileges. To avoid unnecessary round trips, we are currently modifying SQL queries to join our authorization data so that we only get the rows visible to the current user.

But this concept does not seem "correct" to me, because we mix business code with security code, and the two should be orthogonal and independent of each other.

  • What solutions are available / possible?
  • How do you implement row-level security (especially when combined with JPA)?

UPDATE:

The target database is basically Oracle 10g / 11g, but a database-independent solution would be preferable if there are no big flaws.

+8
java security sql shiro row-level-security
3 answers

Row-level security is really best done in the database itself. The database should know what your user context is when you get the connection. This user is associated with one or more security groups. Then the database automatically adds filters to user queries in order to filter out what is not visible to those security groups. This, of course, means that it is a solution specific to each type of database.

Oracle has pretty good row-level security support, see http://www.orafusion.com/art_fgac.htm for an example.

+7

We implemented it as a JDBC wrapper. This wrapper simply parses and rewrites SQL. Hibernate filters are a good idea, but we have a lot of reports and special queries, and Hibernate is not the only tool for accessing data in our applications. jsqlparser is an excellent open-source SQL parser, but we needed to extend it to fix some problems and add support for some advanced SQL functions, for example ROLLUP for reporting purposes: https://github.com/jbaliuka/sql-analytic. This reporting tool is also available on GitHub, but it has no dependency on the row-level security infrastructure: https://github.com/jbaliuka/x4j-analytic

+2

There is a useful article: http://mattfleming.com/node/243

The idea is that you can implement row-level functionality in two ways: directly set restrictions in your repository, or bind restrictions using AOP. The latter is preferable, since the security layer should be separated from the business logic (orthogonal concerns).

In Hibernate, you can use the concept of filters that are applied transparently, so the repository does not know about them. You can add such filters through AOP. Another way is to intercept session.createCriteria() and add restrictions to the criteria transparently using AOP.

0
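As an added illustration of the Hibernate-filter approach from the answer above (example code, not from the question or any answer), this binds the caller's security groups to a session-wide filter so repository code never touches the predicate. It assumes Hibernate 5.x annotations; the `documents` table, `security_group_id` column and the `SecuredSessions` helper are hypothetical names.

```java
import java.util.Collections;
import java.util.Set;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;

// Hypothetical entity: each row is tagged with the security group allowed to see it.
@Entity
@Table(name = "documents")
// The filter is declared once on the entity; queries written against Document
// (HQL, Criteria, collection loads) get the predicate appended transparently.
@FilterDef(name = "rowSecurity",
           parameters = @ParamDef(name = "groupIds", type = "long"))
@Filter(name = "rowSecurity", condition = "security_group_id in (:groupIds)")
public class Document {
    @Id private Long id;
    private String title;
    @Column(name = "security_group_id") private Long securityGroupId;
    // getters and setters omitted
}

// Hypothetical helper: the single place that binds the security context to a
// session. With AOP this body would run as advice around repository methods.
class SecuredSessions {
    private final SessionFactory factory;

    SecuredSessions(SessionFactory factory) { this.factory = factory; }

    Session open(Set<Long> callerGroupIds) {
        Session session = factory.openSession();
        Set<Long> groups = callerGroupIds;
        if (groups.isEmpty()) {
            // Fail closed: a caller with no groups must see no rows, not all rows.
            // An empty IN list would be invalid SQL, so bind a sentinel that
            // matches nothing (assumes real group ids are positive).
            groups = Collections.singleton(-1L);
        }
        session.enableFilter("rowSecurity").setParameterList("groupIds", groups);
        return session;
    }
}
```

Hibernate filters are not applied to entities fetched directly by identifier (Session.get/load) or to native SQL queries, which is exactly the gap the second answer's SQL-rewriting wrapper closes for reports.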
