Mar 23rd, 2012, 11:36 AM
@PreFilter and paging
I have a method that calls Oracle db to return a subset of data - for example row 41-51 of a list of users. everytime I click next, the class calls oracle with for the next ten users. Basically oracle is providing the paging. I would like to return only the rows which the user has access to, so it is not rows 41-50 that I am returning, but rows 41-50 of the data that the user can see. since oracle does not know who is authorized or not, I need to filter the list returned by oracle. If I use @PostFilter, then oracle returns rows 41-50, and Postfilter removes the rows that the user is not authorized for. Unfortunately, the user sees less than 10 rows he is expecting.
My question is, does @PreFilter work for me, where the user gets back exactly 10 rows of the data he is allowed to view everytime he clicks next.
Mar 26th, 2012, 08:54 AM
Spring Security is not a ORM, so it does not have the ability to dynamically modify your queries to ensure you get the proper results back. You should update your query to obtain only the allowed attributes. Spring Security's access control is useful to double check that the current user has access to the returned results (defense in depth).
Mar 26th, 2012, 03:47 PM
Thanks for replying. I ended up using a decorator pattern to implement paging. Let's say I have the following:
BaseServiceImpl implements BaseServiceInterface (this contains the actual paging code that relies on the db to return the paged data)
I created the following:
myNewServiceInterface extends BaseServiceInterface
myNewService implements myNewServiceInterface (calls the BaseServiceImpl paging code from within
myNewServiceImpl until I have the exact number of rows I want that authenticated user has rights to view).
I hope this makes sense.
Tags for this Thread