动态禁用hibernate抓取 [英] Disable hibernate fetching dynamically

问题描述

我目前已经实现了行级别安全性，其中需要安全的表具有拥有Owner，Group和Unix样式权限的列。

现在发生的事情是每当我们通过hibernate请求一个实体时，我们添加一个自定义标准来验证用户是否可以访问数据。这个自定义标准也被添加到每个create.Alias（）以确保与其他表的联系也是安全的。

问题是我们的模型有多个实体， manyToOne关系，因为这些实体是自动获取的，所以无法保护嵌套实体。

我在寻找的是一种方法：

$ b

1. 使它只有通过create.Alias（）添加的实体被获取

   
   
   


$ b




2. 获得对hibernate获取内容的动态控制>那些似乎是两种方式，并不意味着我们的项目重构
   的巨大代码。
   
   
   

   这是可以完成的或者是否有任何其他的方式来贯彻执行我们的安全？

   
   
   

   PS：永远不会返回嵌套实体，因为它是客户端所需要的。此外，我们尝试使用max_fetch_depth 0，但即使在我们的初始查询中没有请求嵌套实体，hibernate似乎会让多个后续查询来完成实体。

   解决方案

   我在本质上是研究但未使用的阶段，对于我自己的项目，我相信过滤器是你想要的。如果我正确理解文档，您可以定义一个过滤器以及您的模式，启用它并在打开会话时以编程方式给出参数，并且在会话持续期间，Hibernate会假装没有通过过滤器的对象不存在。除了确保基于关系的提取之外，这还将消除手动为每个查询添加安全检查的需求。

   
   

   I have currently implemented a row level security, where tables that need to be secure have columns for a Owner, Group and Unix-style permissions.

   What is currently happening is every time we request an entity through hibernate, we add a custom criterion verifying if the user has access to the data. This custom criterion is also added on every create.Alias() to make sure that contact with other tables is also secured.

   The problem is our model has multiple entities with @manyToOne relationships and since those entities are fetched automatically, there is no way to secure the nested entities.

   What I am looking for is a way to either:

   1. Make it so that only the entities added through a create.Alias() are fetched

      OR

   2. Gain dynamic control over what is fetched by hibernate

   Those seem to be the two ways that would not imply a huge code refactoring of our project.

   Is this something that can be done or is there any other way to enforce our security throughout?

   P.S: Never returning nested entities is unfortunately impossible as it is needed client side. Also we tried using max_fetch_depth 0, but even though the nested entities were not requested in our initial queries, hibernate seems to make multiple subsequent queries to complete the entity.

   解决方案

   I'm at the researched-but-not-used stage of essentially this for my own project, and I believe filters are what you want. If I'm understanding the documentation correctly, you define a filter along with your schema, enable it and give it parameters programmatically when you open the session, and for the duration of the session Hibernate will pretend objects that don't pass the filter don't exist. In addition to securing the relationship-based fetches, this will also remove the need to manually add security checks to every query.

   这篇关于动态禁用hibernate抓取的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！