Hibernate, Spring and row level security

Description of the problem

Spring Security is a mature and flexible framework to secure desktop as well as web applications. It provides different authentication and authorizations mechanisms. It allows protecting web requests with filters and is using Spring's standard AOP to wrap around and thus protect service methods. The problem with this that occurs in the cdm library is that we also need to protect data at the rowlevel, that is in the DAO layer (cdmlib-persitence) and in hibernate search (Lucene). Post filtering would break the paging mechanism and it is unclear how we can filter out cdm entities which are returned by the getters of other cdm instances.

see also:


Hibernate, Spring Security and paging

  1., Solution: "pulling out all the data on each page request is acceptable (we have a query cache enabled, so it’s not as bad as it may sound)."

  2. hibernate fiteringCollections [m.cherian] ==> good hint, using these terms in a search reveals some good information:

  3. Row level security using Spring and Hibernate": (* excellent! *) based on "Using Spring AOP and Hibernate Filters to add row level security (3rd Update working impl and conf)

  4. another description of the problem and summary of some possible solutions : Security decorator for Hibernate collection

  5. more links:

Hibernate Seach (Lucene) with Paging and Spring Security ACLs


a. you have to load the documents and resolve the ACL for each result and then do your own paging. => performance problems ?

b. alternative is to push this work to the indexing side and index your ACL in Lucene. => complicated

c. use and BitSets. If your ACL is not too complex, that is you have a small, finite number of levels. And here you'll find additional examples ACL implementation with Filters ==> sounds good

Updated by Katja Luther almost 2 years ago · 12 revisions