spring / hibernate - filter by current user id

Question

I have a table CompanyList in my Oracle database:

CMP_ID INTEGER -- ID of company
CMP_NAME VARCHAR2 -- name of company
USR_ID INTEGER -- Foreign key to the USERS table

I have my Spring 3 MVC app all configured using annotations, my POJOs as well, my DAO objects (CompanyDao) using Hibernate to retrieve, for example, a list of companies.

CompanyDao:

    @Transactional
    public Set<Company> findAllCompanys() throws DataAccessException {

        return findAllCompanies(-1, -1);
    }

    @SuppressWarnings("unchecked")
    @Transactional
    public Set<Company> findAllCompanies(int startResult, int maxRows) throws DataAccessException {
        Query query = createNamedQuery("findAllCompanies", startResult, maxRows);
        return new LinkedHashSet<Company>(query.getResultList());
    }

And my Company domain:

@Entity
@NamedQueries( {
        @NamedQuery(name = "findAllCompanies", query = "select myCompany from Company myCompany")})
...
public class Company implements Serializable {
...

Then I set up Spring Security, so all my pages require identification.

What is the best way to filter the rows returned by CompanyDao, using the USER ID of the current logged in user session?

Recommended answer

Short answer: SecurityContextHolder.

Slightly longer answer: If the User entity that is the parent side of the user_id foreign key relationship also implements the UserDetails interface, then the User entity can be used directly in Spring's security context.

You can call the SecurityContextHolder.getContext() method from either your DAO layer or a layer above it...doesn't really matter because the instance returned will be scoped to the thread local of the request.

You can then get the UserDetails from the context instance, cast it to your User entity and pass it as a named parameter to a DAO call.

As a quick followup, I realize that your original question implied that you'd run the named query as it currently exists and then filter out the non-matching companies. You can still use that approach by comparing the users associated with your company with the user from the security context, but in general I wouldn't recommend that approach; ask the database for exactly what you need.
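
An added example, not code from the original answer, of asking the database for only the current user's rows: the owner is read from the server-side security context and bound as a named parameter, and a missing or anonymous principal is rejected. The `user` association on Company, the query text and the method names are assumptions; `Company` and `User` are the application's own entities, with `User` implementing UserDetails as the answer describes.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;

@Repository
public class CompanyDao {

    // Assumed JPQL; in the question's style this would be a @NamedQuery on Company.
    // "user" is a hypothetical @ManyToOne field mapped to the USR_ID column.
    private static final String BY_OWNER =
            "select c from Company c where c.user = :owner";

    @PersistenceContext
    private EntityManager em;

    @Transactional(readOnly = true)
    public Set<Company> findCompaniesOfCurrentUser() {
        TypedQuery<Company> query = em.createQuery(BY_OWNER, Company.class);
        // Bound parameter: the row filter is applied by the database, not in Java.
        query.setParameter("owner", currentUser());
        return new LinkedHashSet<Company>(query.getResultList());
    }

    // The owner comes from the security context, never from a request parameter,
    // so a caller cannot ask for another user's companies by changing an id.
    static User currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Covers "no authentication" and the anonymous token, whose principal
        // is a plain String rather than the application's User entity.
        if (auth == null || !auth.isAuthenticated()
                || !(auth.getPrincipal() instanceof User)) {
            throw new AccessDeniedException("no authenticated User in security context");
        }
        return (User) auth.getPrincipal();
    }
}
```

Because SecurityContextHolder is thread-local by default, `currentUser()` only sees the logged-in user on the request thread; work handed to another thread needs the user passed in explicitly.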
