I'm using seam 2.1.2 security and I create a role using identitymanager by jsf richfaces GUI. in creation process I would add a "description" to role created in database , the creation of role is ok but the description field is not added, I must update the role (in other operation by GUI) to see the description field stored in database. the question is what have I to do to store the "description" filed in creation operation?
bellow is my code:
public boolean createRole(Role role) {
IdentityManager identityManager = IdentityManager.instance();
logger.info("creating role:" + role.getRoleName());
if (identityManager.roleExists(role.getRoleName())) {
return false;
}
if (identityManager.createRole(role.getRoleName())) {
completeRolePersistence(role);
return true;
}
return false;
}
and the completeRolePersistence method:
public void completeRolePersistence(Role role) {
logger.info("setting additional info to role...");
Query query = em.createNamedQuery("UPDT_ADDITIONALS");
query.setParameter("name", role.getRoleName())
.setParameter("description", role.getDescription())
.setParameter("level", role.getRoleLevel());
int updated = query.executeUpdate();
logger.info("roles updated with desc : " + updated);
}
it seem that the query is not executed , i print in log
roles updated with desc : 0
The reason your code does not work is because your update query is executing BEFORE the role is actually inserted into the database, thus it updates nothing.
My advice is to not use the role/user creation methods in IdentityManager. You're better off creating Home components to create/edit your roles and users than having IdentityManager do it for you.
If you however want to pursue this, you need to overwrite JpaIdentityStore, customize the createRole method and have it populate the entity as needed.
Related
I'm looking for a way to authorize access based on ROLES and DATA CONTENT (table row) using Spring Boot & JPA
The use case is the following:
Given a User with a Role 'ROLE_AAA'
When user fetches data from table 'REPORT'
Then only reports with specific 'REPORT_ROLE' association will be returned
ER
Table: role
ID
ROLE
1
ROLE_AAA
2
ROLE_BBB
Table: report
ID
CONTENT
1
...
2
...
3
...
4
...
5
...
Table: report_roles
REPORT_ID
ROLE_ID
1
1
2
1
3
2
4
2
5
1
In this case a user with role ROLE_AAA will get reports with ID 1,2 & 5 only.
SELECT re.*
FROM report re
JOIN report_role rr
ON re.id = rr.report_id
JOIN role ro
ON ro.id = rr.role_id
WHERE ro.name = 'ROLE_AAA'
I could easily write queries (#org.springframework.data.jpa.repository.Query) joining on table I want to get data from, with the association role table, but I feel I'm missing a JPA or Spring Security feature that might offer it out off the box.
Any design/implementation suggestion will be very appreciated.
UPDATE
Since returns will be paginated (retuning Page<Object> from JPARepository), I believe PostFiltering is not an option here.
Here is an older article I wrote on the subject of using #Pre/Post annotations with a custom PermissionEvaluator. It seems your best bet here, and allows you to purely use annotations instead of custom queries. Of course, it only works if there aren't too many reports being returned from your query (without a ro.name = 'ROLE_AAA' filter).
In your case however, you aren't really trying to use the hasPermission(filterObject, 'xyz') syntax because your use case is role-based, meaning permissions are roles and are already in the authentication object (e.g. authorities) and the database (e.g. report_roles). With a M:N relationship between user roles and report roles, you can implement a helper to do the check for you, like this:
#RestController
public class ReportsController {
#GetMapping("/reports")
#PostFilter("#reportExpressions.hasAnyRole(filterObject, authentication)")
public List<Report> getReports() {
return new ArrayList<>(List.of(
new Report("Report #1", Set.of("ROLE_AAA", "ROLE_BBB")),
new Report("Report #2", Set.of("ROLE_AAA", "ROLE_CCC"))
));
}
#Component("reportExpressions")
public static class ReportExpressions {
public boolean hasAnyRole(Report report, Authentication authentication) {
Set<String> authorities = AuthorityUtils.authorityListToSet(
authentication.getAuthorities());
return report.getRoles().stream().anyMatch(authorities::contains);
}
}
public static class Report {
private final String name;
private final Set<String> roles;
public Report(String name, Set<String> roles) {
this.name = name;
this.roles = roles;
}
public String getName() {
return name;
}
public Set<String> getRoles() {
return roles;
}
}
}
If the current user has ROLE_AAA, they will see both reports, etc. My example uses a controller, but you can apply the same annotation to a JPA repository.
Previously, when I was adding a entity to database with Hibernate I used to check that it hadn't already been added. But in an effort to improve performance I forgot this check and just tried to add without checking, as I was using saveOrUpdate() it was my understanding that if Hibernate found it was already added it would just update with and changes made by my save.
But instead it fails with
18/08/2018 21.58.34:BST:Errors:addError:SEVERE: Adding Error:Database Error:Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect) : [com.jthink.songlayer.MusicBrainzReleaseWrapper#95f6f584-407f-4b26-9572-bb8c6e9c580a]
java.lang.Exception
at com.jthink.songkong.analyse.general.Errors.addError(Errors.java:28)
at com.jthink.songkong.exception.ExceptionHandling.handleHibernateException(ExceptionHandling.java:209)
at com.jthink.songkong.db.ReleaseCache.addToDatabase(ReleaseCache.java:394)
at com.jthink.songkong.db.ReleaseCache.add(ReleaseCache.java:65)
#Entity
public class MusicBrainzReleaseWrapper
{
#Id
private String guid;
#Version
private int version;
#org.hibernate.annotations.Index(name = "IDX__MUSICBRAINZ_RELEASE_WRAPPER_NAME")
#Column(length = 1000)
private String name;
#Lob
#Column(length = 512000)
private String xmldata;
public String getGuid()
{
return guid;
}
public void setGuid(String guid)
{
this.guid = guid;
}
public String getName()
{
return name;
}
public void setName(String name)
{
this.name = name;
}
public String getXmldata()
{
return xmldata;
}
public void setXmldata(String xmldata)
{
this.xmldata = xmldata;
}
}
private static boolean addToDatabase(Release release)
{
Session session = null;
try
{
session = HibernateUtil.beginTransaction();
//Marshall to String
StringWriter sw = new StringWriter();
Marshaller m = jc.createMarshaller();
m.marshal(release, sw);
sw.flush();
MusicBrainzReleaseWrapper wrapper = new MusicBrainzReleaseWrapper();
wrapper.setGuid(release.getId());
wrapper.setName(release.getTitle().toLowerCase(Locale.UK));
wrapper.setXmldata(sw.toString());
session.saveOrUpdate(wrapper);
session.getTransaction().commit();
MainWindow.logger.info("Added to db release:" + release.getId() + ":" + release.getTitle());
return true;
}
catch (ConstraintViolationException ce)
{
MainWindow.logger.warning("Release already exists in db:"+release.getId()+":"+release.getTitle());
return true;
}
catch(GenericJDBCException jde)
{
MainWindow.logger.log(Level.SEVERE, "Failed:" +jde.getMessage());
ExceptionHandling.handleDatabaseException(jde);
}
catch(HibernateException he)
{
MainWindow.logger.log(Level.SEVERE, "Failed:" +he.getMessage());
ExceptionHandling.handleHibernateException(he);
}
catch(Exception e)
{
MainWindow.logger.log(Level.WARNING,"Failed AddReleaseToDatabase:"+release.getId()+ ':' +e.getMessage(),e);
throw new RuntimeException(e);
}
finally
{
HibernateUtil.closeSession(session);
}
return false;
}
Used to check first before call to addToDatabase
if(ReleaseCache.get(release.getId())==null)
{
addToDatabase(release)
}
Hiberante object has 3 states for an Entity. They are:
- Transient Or New
- Detached (Objects are fetched from DB and hibernate session is closed)
- Persistent (Object are fetched from DB and hibernate session is open)
In saveOrUpdate method, it either save the transient object or update the detached/ persistent object.
In your code, you are trying to create Transient/New object and setting the old id in it. That's the reason you are getting above error. The correct way to fetch the object first using id and then update it.
The problem you are hitting is directly related to the Optimistic locking you have enabled through the #Version annotation on the MusicBrainzReleaseWrapper. saveOrUpdate really can either add or update an entity but this is only if the entity version is the same as the one of the detached object you are trying to add or merge.
In your particular example your detached object has a version previous to the last version in the database therefore the operation can not be executed on a stale data.
UPDATE:
MusicBrainzReleaseWrapper wrapper = session.get(release.getId()):
//the wrapper is managed object
if (wrapper == null) {
//initilize wrapper with the values from release
.......
session.save(wrapper)
}
else {
// do not set ID here. ID is aready present!!!
// never manuay set the version field here
wrapper.setName(release.getTitle().toLowerCase(Locale.UK));
wrapper.setXmldata(sw.toString());
session.saveOrUpdate(wrapper);
//In case you don't need update logic at all
// remove the #Version field from the entity
// and do othing in the else clause , or throw exception
// or log error or anything you see fit
}
No. saveOrUpdate method is used either to persist or merge an entity with the current session. It doesn't do what you expect. Either save or update entity is application's specific logic. Hibernate doesn't do any application's specific logic.
Session.merge() can directly save a previously unknown instance, but note it won't necessarily avoid the extra select against the database.
#Pavan is right about the entity being transient or detached in Hibernate (or JPA) terminology. Both of these states mean that Hibernate has not yet got a reference to this instance of the entity in its session (in the StatefulPersistenceContext), but detached clearly means it is known to the database.
merge() instructs Hibernate to stop and check for a detached instance. The first check is for the #Id value in the session, but if it's not already there, it must hit the database.
saveOrUpdate() instructs Hibernate that the caller knows it is safe to only check the StatefulPersistenceContext for the #Id. If it's not there, the entity is assumed to be transient (i.e. new), and Hibernate will proceed to the insert operation.
saveOrUpdate() is good for instances (with or without an #Id value) that are known to the session already.
In your case clearly Hibernate is unaware of the detached instance, so you would need to use merge(). But that also means Hibernate has to check the database for the instance it hasn't seen before - if the entity has an #Id value.
To come back to the original intent in your question, update without select is harder ...
For an update, Hibernate likes to know the prior state of the entity. This makes sense if it's using dynamic updates (so not updating all columns), but otherwise you would think it could go straight for the update. The only option I know of for this is a direct update query (via HQL or JPQL), but this is hardly convenient if you have an entity instance. Maybe someone else knows how to do this.
I did this simple Spring Security tutorial. https://www.boraji.com/spring-mvc-5-spring-security-5-hibernate-5-example
Now I want to create a user in my database.
The problem is that I need to create 2 objects dependent on each other and I get
org.hibernate.TransientObjectException: object references an unsaved transient instance - save the transient instance beforeQuery flushing:
So What's the solution for this??
public static boolean createUser(byte[] image, String name, String username, String password, String permissions) {
String hashedPassword = new BCryptPasswordEncoder().encode(password);
//check if user already exists
boolean exists = User.checkIfUserExists(username);
//if it doesn't add to database
if(!exists) {
UserRole userRole = new UserRole();
User user = new User();
userRole.setRole(permissions);
userRole.setUser(user);
Database.addToDatabase(userRole);
//user table
user = new User(image, name, username, true, hashedPassword, userRole);
Database.addToDatabase(user);
//user role table
userRole.setUser(user);
Database.updateObject(userRole);
return true;
}
else
return false;
}
//Save the object to the database
public static void addToDatabase(Object object) {
SessionFactory factory = HibernateUtil.GetSessionFactory();
Session session = factory.openSession();
Transaction tx = null;
try{
tx = session.beginTransaction();
session.save(object);
tx.commit();
}catch (HibernateException e) {
if (tx!=null) tx.rollback();
e.printStackTrace();
}finally {
session.close();
}
}
Basically UserRole already needs to be in db to save User and User needs to be in db to save UserRole.
That exception means exactly what is written. You have a relationship between two objects. For example UserRole has a linked User. But when you are trying to save the UserRole into the database the User object you have attached to it is not yet saved (it is in transient state) so Hibernate's problem is how to save that user role in the database when the user might not exist (it still doesn't have valid ID in the database ).
There are different ways you can deal with that. One of them is to mark the list as Cascade=ALL (or Cascade=SAVE_UPDATE). This way you will bind these two objects and when you save the user it will automatically save the user role. There are pros and cons with that. The "+" is that it is easier and you will have just one save. The "-" is that you have these objects connected and you might save/update an object by mistake if you are not careful.
Another solution would be to first save the User (without the roles). Then save the roles with the user set to the newly saved user (it should have a real ID in the database). Then add the roles to the user and update it. This way you will not save anything with transient values and you will go around that problem. Also do it in a transaction so you don't have bad data if something breaks.
Stack searched but did not find the answer. I have subpages with several textfield's and when I editing the data field a plugin sends a reply to my controller:
#RequestMapping(value = "/myAcc", method = RequestMethod.POST)
public String getValues(#ModelAttribute XEditableForm form){
userService.update(form.getPk(), form.getValue());
return "myAcc";
}
where userService make a user update in db
#Transactional
public void update(long id, String firstName){
User user= userRepository.findOne(id);
user.setFirstName(firstName);
userRepository.save(user);
}
The problem is that every time in this method I would check what was returned from xeditable plugin and update specific user field i.e. surname etc. In my opinion this is not the best solution.
XEditableForm returns:
pk - primary key of record to be updated (ID in db)
name - name of field to be updated (column in db)
value - new value
Question for you. How can I do this better?
I will answer for himself. In this situation we could use
org.springframework.utilClass ReflectionUtils
Exmaple of use:
User user = userRepository.findOne(id);
Field name = ReflectionUtils.findField(User.class, "name");
ReflectionUtils.makeAccessible(true);
name.set(user, "Admin");
In this way, you can edit the fields in the class knowing their names . And that's what I mean.
I have a simple User Account application in which the user is able to change his details.
Updating the Database
The Managed Bean's method which takes the form parameters and calls the Service method:
public String changeDetails(){
Date date = DateUtil.getDate(birthDate);
Integer id = getAuthUser().getId();
UserDetail newDetails = new UserDetail(id, occupation, date, originCity, residenceCity, description);
EntityTransaction transaction = getTransaction();
userService.updateDetail(newDetails);
transaction.commit();
return null;
}
The Service Method:
public boolean updateDetail(UserDetail newDetails) {
boolean ok = true;
if (newDetails != null) {
UserDetail user = readDetail(newDetails.getId());
user.setOccupation(newDetails.getOccupation());
user.setOriginCity(newDetails.getOriginCity());
user.setResidenceCity(newDetails.getResidenceCity());
user.setBirth(newDetails.getBirth());
user.setDescription(newDetails.getDescription());
}
return ok;
}
Fetching data from DB
#PostConstruct
public void init(){
userService = new UserService();
sessionController.setAuthUser(userService.read(getAuthUser().getId()));
originCity = getAuthUser().getUserDetail().getOriginCity();
residenceCity = getAuthUser().getUserDetail().getResidenceCity();
occupation = getAuthUser().getUserDetail().getOccupation();
birthDate = DateUtil.getStringDate(getAuthUser().getUserDetail().getBirth());
description = getAuthUser().getUserDetail().getDescription();
}
The problem is that the behavior of this code is different. Sometimes I obtain the desired result: once I submit the new details and call the #PostConstruct init () the new details are printed. Some other times the old details are printed even though the DB entry is updated.
Conclusion: Sometimes the JPA brings me different result from what is in the DB. I guess that this results consist of data from the Persistance Context, data which isn't updated. Is there a way in which I can be sure that the JPA always brings the data directly from the DB? Or is there something I'm missing?
If you are using JPA 2 then #Cacheable(false) on your entity definition should make it read from the DB every time.
You mean is there a way to turn the cache off or empty it before an operation ?
emf.getCache().evictAll();