Thread: @PostFilter

  1. #1
    Join Date
    Feb 2011
    Posts
    8

    Default @PostFilter

    Hi,

    I have a problem using the @Pre and @Post annotations. They work on any object except the domain objects.

    I use a custom PermissionEvaluator, because I don't want to use ACL right now. The strange thing is, if I enter @PostFilter("strange ... there is not even a error") on any domain object I do not even get an error message. And the PermissionEvaluator will not be called.

    When I use it on any Service, Controller or DAO the PermissionEvaluator works!

    By the way: I am using Hibernate, and it's configured to scan the domain package! Maybe that's the problem?

    If you need any additional information let me know

    PS: as I see .. I forgot to edit the topic ... and now I can't change it ... sorry, it's not very meaningful

    Thx for any help!

    Sorry for my bad English!
    Last edited by BurnedToast; Feb 23rd, 2011 at 01:47 AM.

  2. #2
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Spring annotations won't work on beans that are not Spring-managed beans, so if you put it on a domain object, odds are that it will not work. These annotations are intended to be used on service methods, for service beans that are Spring-managed.

    Hope that helps!
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  3. #3
    Join Date
    Feb 2011
    Posts
    8

    Thx for your help! In retrospect ... it seems logical

    But in that case I have a problem:

    I have a bean "Order" with a list of "Positions". When my controller needs the Order for a view it just calls a service OrderManager.getOrder(nr) which calls the HibernateDAO. Then the Order will be returned.
    At this moment the Positions aren't loaded by Hibernate. The controller adds the Order to the model and in the view itself getPositions is called on the order object ... so I can't filter the value if not on the bean itself!

    Or did I misunderstand you? The Spring-managed "Service Bean" is in my case the "OrderManager", right!?

    Thx so much for your help

  4. #4
    Join Date
    Dec 2010
    Posts
    315

    If your OrderManager is a service and managed by Spring, then it will work. But if it's a service and not managed by Spring, it will not work.

    For example

    Code:
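    import java.util.List;
    import org.springframework.security.access.prepost.PostFilter;
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.stereotype.Service;

    @Service("orderManager")
    public class OrderManager {

        // Checked before the call: the caller needs WRITE on the order argument
        @PreAuthorize("hasPermission(#order, 'WRITE')")
        public Boolean add(Order order) {
            ...
        }

        // filterObject refers to the current object in the collection
        @PostFilter("hasPermission(filterObject, 'READ')")
        public List<Order> getAll() {
            // Return our new list
            ...
        }

        ...
    }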
    OrderManager is managed by Spring. So in this scenario it will work. Order is not managed by Spring. It's your domain.
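
Added example, not part of the original posts: a simplified plain-Java model of why an annotation is enforced on a container-managed bean but silently ignored on an object created outside the container. `RequiresRole`, `OrderService` and `managed()` are hypothetical stand-ins built on a JDK dynamic proxy; this is not Spring Security's own code.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class ProxyDemo {
    // Stand-in for a security annotation; hypothetical, not a Spring type.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface OrderService { @RequiresRole("ADMIN") List<String> getPositions(); }

    static class OrderServiceImpl implements OrderService {
        public List<String> getPositions() { return Arrays.asList("pos-1", "pos-2"); }
    }

    // What a container does for a managed bean: wrap it so every call is checked first.
    static OrderService managed(OrderService target, Set<String> callerRoles) {
        InvocationHandler h = (proxy, method, args) -> {
            RequiresRole r = method.getAnnotation(RequiresRole.class);
            if (r != null && !callerRoles.contains(r.value())) {
                throw new SecurityException("access denied: needs " + r.value());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();
            }
        };
        return (OrderService) Proxy.newProxyInstance(
                OrderService.class.getClassLoader(), new Class<?>[] { OrderService.class }, h);
    }

    public static void main(String[] args) {
        Set<String> roles = Collections.singleton("USER"); // constructed caller roles
        // Created with "new" (or by an ORM): nothing sits in front of the call,
        // so the annotation is never read and no error is raised.
        OrderService plain = new OrderServiceImpl();
        System.out.println("unmanaged: " + plain.getPositions());
        // Same object behind a proxy: the annotation is now enforced.
        try {
            managed(plain, roles).getPositions();
        } catch (SecurityException e) {
            System.out.println("managed:   " + e.getMessage());
        }
    }
}
```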

  5. #5
    Join Date
    Feb 2011
    Posts
    8

    Ok, I see,

    But if I want to filter the list of Positions in the Order when the user calls the following:

    Code:
    Order o = OrderManager.getOrder(1);
    List<Position> positions = o.getPositions();
    Since my Order is a Hibernate Bean the User will get all of the Positions when he calls getPositions().

    Even if there is an option to do something like that:
    Code:
    @Service("orderManager")
    public class OrderManager {

        // filterObject refers to the current object in the collection
        @PostFilter("hasPermission(returnValue.getPositions().filterObject, 'READ')")
        public Order getOrder() {
            // Return our new list
            ...
        }
        ...
    }
    But I think something like that is not possible. (I wanted to filter a collection inside the returnObject!)

    But I found an alternative solution: I can use Hibernate Filters. I hope this will do the trick, and the good thing is, the filtering will be done in the SQL statement! The bad thing is, it will just work when I use Hibernate!

    Thx for the help!

  6. #6
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    It sounds like logic like this should be applied either at the DB level (as you plan), or with post-filtering internal to the service method, or on the method-level annotation (as you also suggested). The domain object shouldn't have knowledge of the business rules around access to data, IMO.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.
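
Added example, not part of the original posts: one way to do the post-filtering inside the service method, so the view never receives the Hibernate entity with its unfiltered collection. `Position`, `Order`, `OrderDao` and `OrderView` are hypothetical stand-ins, and the custom `PermissionEvaluator` is assumed to be registered as a Spring bean.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical stand-ins for the thread's domain classes and DAO.
class Position { }
class Order {
    private final List<Position> positions = new ArrayList<>();
    public List<Position> getPositions() { return positions; }
}
interface OrderDao { Order findByNr(long nr); }

// Hypothetical view object: what controller and view get instead of the entity.
class OrderView {
    final List<Position> positions;
    OrderView(List<Position> positions) { this.positions = positions; }
}

@Service("orderManager")
public class OrderManager {
    private final OrderDao orderDao;
    private final PermissionEvaluator permissionEvaluator;

    @Autowired
    public OrderManager(OrderDao orderDao, PermissionEvaluator permissionEvaluator) {
        this.orderDao = orderDao;
        this.permissionEvaluator = permissionEvaluator;
    }

    @Transactional(readOnly = true) // session stays open while positions load
    public OrderView getOrder(long nr) {
        Order order = orderDao.findByNr(nr);
        if (order == null) return null;
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Build a new list; never remove from the entity's own collection,
        // which Hibernate would treat as a modification of the Order.
        List<Position> visible = new ArrayList<>();
        for (Position p : order.getPositions()) {
            if (permissionEvaluator.hasPermission(auth, p, "READ")) {
                visible.add(p);
            }
        }
        return new OrderView(visible);
    }
}
```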


  7. #7
    Join Date
    Feb 2011
    Posts
    8

    After thinking a lot about this problem I came to a point where I am not sure how it's meant to be done:

    In my current situation the domain object, which is returned by the HibernateDAOs, is persistent all over its lifecycle ... so even in the view!
    Is that the right handling? Shouldn't the object be evicted (detached) from the Session when it leaves the DAO layer?
    If yes ... how should that be solved? (I don't use the HibernateTemplate, since I am working directly on the Hibernate API via AnnotationSessionFactory).

    If it should be detached from the persistence context the security in the service layer would be no problem anymore.

    Thx for any Help!
