Hibernate / Spring: is there row-level security?

I'm not sure if I understood correctly what Spring is capable of.

What is my problem: I want to prevent a registered user from sending arbitrary identifiers to my server and, therefore, access data that does not belong to him. But every tutorial I can find concerns a simple registration procedure. But how can I use this to get rid of

if(Objects.equals(item.getStore().getId(), store.getId())) { /* .. */ }

in this example:

// StoreService.java

@Transactional
public ItemDTO deleteItem(String sessionId, Long storeId, ItemDTO itemDto) {

    // sessionId is the cookie I have placed in my database
    // This way I want to ensure that I am only accessing a store
    // that is associated with the logged in store owner (the user basically)
    Store store = this.storeOwnerRepository.getStore(sessionId, storeId);

    Item item = ConvertDTO.convertItem(store, itemDto);

    // THIS CHECK IS WHAT I WANT TO GET RID OF:
    // Check if the store ID that I got using the cookie is the
    // same ID as the store ID from the item that should be deleted
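    // Compare by value with java.util.Objects.equals: == on boxed Long ids compares references
    if(Objects.equals(item.getStore().getId(), store.getId())) {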
        item = this.storeOwnerRepository.deleteItem(item);
    } else {
        // If this didn't work we have a potentially hostile user:
        throw new RuntimeException("Is somebody trying to delete items from a store he doesn't own?");
    }

    itemDto = ConvertEntity.convertItem(item);
    return itemDto;
}

using Spring Annotations? Is this possible with Spring Security?

Another thing that might work is Hibernate Filters, but I'm not sure if I want my database to be aware of the security aspects of my data.


+4
3

​​ Spring API ACL. :

  • Spring org.springframework.security.acls.model.AclService, , , . . foo , READ WRITE; , READ, WRITE DELETE .
  • , , org.springframework.security.access.prepost.PreAuthorize org.springframework.security.access.prepost.PreAuthorize, , . . , "WRITE" X, , "READ" . - , AccessDeniedException.
  • Spring . global-method-security Spring XML.

, , - . who-gets-what-permissions-on-which-objects "-----", .

, , . " ", " ", . Spring ACL API - , .

-, :

@PostAuthorize("hasPermission(returnObject, 'READ')")
public MyItem getMyItem(Long id) {
    return dao.getMyItem(id);
}

@PreAuthorize("hasPermission(#toDelete, 'DELETE')")
public void deleteMyItem(MyItem toDelete) {
    dao.delete(toDelete);
}

AclService , :

public Acl readAclById(ObjectIdentity objectIdentity, List<Sid> sids) throws NotFoundException {
    /*
     * Examines objectIdentity, which identifies the domain object in question, and sids,
     * which identifies the principal who wants permissions on the domain object, then
     * returns an ACL instance with permission grants on that domain object for
     * that/those principals.
     */
    return new AclImpl(...);
}

applicationContext-security.xml:

<beans:bean id="permissionEvaluator"
    class="org.springframework.security.acls.AclPermissionEvaluator">
    <beans:constructor-arg ref="aclServiceImpl" />
</beans:bean>
<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="permissionEvaluator" />
</beans:bean>
<global-method-security pre-post-annotations="enabled">
    <expression-handler ref="expressionHandler" />
</global-method-security>
+5
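
One way to move the question's ownership check out of the service method, as an added example that is not from the original posts: a custom PermissionEvaluator (the interface that AclPermissionEvaluator implements) that answers hasPermission(...) from store ownership. The Store, Item and ItemLookup types and the ownerUsername field are assumptions made for illustration; the code assumes Java 16+ with Spring Security on the classpath.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Hypothetical minimal stand-ins for the question's Store and Item entities.
record Store(Long id, String ownerUsername) {}
record Item(Long id, Store store) {}

// Hypothetical lookup backed by the database; returns null when no such item exists.
interface ItemLookup { Item findById(Long itemId); }

public class StoreOwnerPermissionEvaluator implements PermissionEvaluator {
    private final ItemLookup items;

    public StoreOwnerPermissionEvaluator(ItemLookup items) { this.items = items; }

    // Backs hasPermission(#item, 'DELETE'): the target is the object itself.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Unknown target types and items without an id are denied.
        if (!(target instanceof Item item) || item.id() == null) return false;
        // Reload by id so ownership comes from the database, not from
        // store fields the client may have put in the request body.
        return ownedByCaller(auth, items.findById(item.id()));
    }

    // Backs hasPermission(#itemId, 'Item', 'DELETE'): the target is given by id and type.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!"Item".equals(targetType) || !(targetId instanceof Long id)) return false;
        return ownedByCaller(auth, items.findById(id));
    }

    // The store owner may perform any operation and everyone else none,
    // so the permission argument is not consulted here.
    private boolean ownedByCaller(Authentication auth, Item stored) {
        if (auth == null || !auth.isAuthenticated()) return false;
        if (stored == null || stored.store() == null) return false;
        String owner = stored.store().ownerUsername();
        return owner != null && owner.equals(auth.getName());
    }
}
```

Registered as the permissionEvaluator bean in place of AclPermissionEvaluator in the XML above, it lets the service method carry @PreAuthorize("hasPermission(#itemId, 'Item', 'DELETE')") instead of the inline if; a denied call raises AccessDeniedException before the method body runs.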


Source: https://habr.com/ru/post/1608061/

