Data Segregation

In the Jmine platform, entities may be configured to be segregated by user. This means that the same database query will return different results depending on which user is making the request. This feature is often known as a Chinese wall.

Configuration

The chinese wall feature requires a few configuration steps. You will need to:

  • Define a Hibernate filter
  • Register it as a Chinese wall filter
  • Set up the user’s Chinese wall context

Define the Hibernate filter

The first step is to define the Hibernate filter that will effectively segregate the data. Just add a @FilterDef to the entity that should be filtered:

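import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;

// Constants are qualified with the class name because an annotation on the
// class declaration cannot see the class's own members by simple name.
@FilterDef(name = MyFilteredClass.FILTER_NAME,
           defaultCondition = MyFilteredClass.CONDITION,
           parameters = { @ParamDef(name = MyFilteredClass.PARAM_NAME, type = "long") })
public class MyFilteredClass extends PersistableBusinessObject {
    public static final String FILTER_NAME = ...;
    public static final String CONDITION = ...;
    public static final String PARAM_NAME = ...;
}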

Give your filter a name (FILTER_NAME). Then define the condition (CONDITION) that will effectively filter the entities. It should be a valid SQL query. The parameters passed to the condition query must be declared along with their types (PARAM_NAME).

Registering the filter

The created filter must be registered within the platform to be activated by default on queries. This is done in your Spring configuration:

<bean id="myChineseWallFilterDefinition" class="org.springframework.orm.hibernate3.FilterDefinitionFactoryBean">
  <property name="filterName" value="the filter name" />
  <property name="defaultFilterCondition" value="the filter condition" />
  <property name="parameterTypes">
    <props>
      <prop key="the parameter">the type</prop>
    </props>
  </property>
</bean>

<bean id="myChineseWallFilterDefinitionRegistry" class="jmine.tec.utils.register.Registrar" lazy-init="false">
  <property name="receiver" ref="chineseWallFilterRegistry" />
  <property name="registers">
    <list>
      <ref bean="myChineseWallFilterDefinition" />
    </list>
  </property>
</bean>

Preparing the Chinese Wall Context

At some point in the application, the current user’s Chinese wall context must be constructed. A typical scenario would be upon login. This Chinese wall context should then be stored on the jmine.tec.security.api.chinesewall.ChineseWallContextHolder for each thread used by that user. In a web application this can be achieved by creating a javax.servlet.Filter that always retrieves the user’s Chinese wall context and stores it on the ChineseWallContextHolder.

The Chinese wall context is just an instance of jmine.tec.security.api.chinesewall.ChineseWallContext. This instance should hold the names of the disabled filters (if any) and the parameters for the enabled filters. The parameters for a given filter should be stored in an instance of jmine.tec.security.api.chinesewall.ChineseWallFilterProperties.

Example of ChineseWallContext creation:

private void userLogged(User user) {
    // Retrieve the ids of the entities
    // this user is allowed to access
    List<Long> allowedIds = ...;

    ChineseWallContext cwc = new ChineseWallContext();
    cwc.addParameter(MyFilteredClass.FILTER_NAME, MyFilteredClass.PARAM_NAME, allowedIds);
    // cwc must then be stored on the ChineseWallContextHolder, as described above
}
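
The per-thread storage described under Preparing the Chinese Wall Context has a failure mode worth running: servlet containers reuse threads, so a context left on a thread carries over to the next request handled by it. The following is an added example, not Jmine code. DemoContextHolder is a hypothetical ThreadLocal stand-in (the real ChineseWallContextHolder API is not shown on this page and is assumed here to be thread-bound), and the ids are constructed sample data.

```java
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration only. DemoContextHolder is a hypothetical stand-in for a
// thread-bound holder; it is NOT Jmine's ChineseWallContextHolder API.
public class ChineseWallThreadReuseDemo {
    static final class DemoContextHolder {
        private static final ThreadLocal<List<Long>> ALLOWED_IDS = new ThreadLocal<>();
        static void set(List<Long> ids) { ALLOWED_IDS.set(ids); }
        static List<Long> get() { return ALLOWED_IDS.get(); }
        static void clear() { ALLOWED_IDS.remove(); }
    }

    // Stands in for a filtered query: a missing context fails closed (no rows).
    static List<Long> visibleIds() {
        List<Long> ids = DemoContextHolder.get();
        return ids == null ? List.of() : ids;
    }

    // Models one request: set the context if the user has one, run, optionally clear.
    static List<Long> handleRequest(List<Long> userAllowedIds, boolean clearAfter) {
        if (userAllowedIds != null) {
            DemoContextHolder.set(userAllowedIds);
        }
        try {
            return visibleIds();
        } finally {
            if (clearAfter) {
                DemoContextHolder.clear();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread models a container thread reused across requests.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        List<Long> alice = List.of(10L, 11L); // constructed sample data

        pool.submit(() -> handleRequest(alice, false)).get();
        // A later request that sets no context inherits the previous user's scope.
        System.out.println("without clear: " + pool.submit(() -> handleRequest(null, false)).get());

        pool.submit(() -> DemoContextHolder.clear()).get();
        pool.submit(() -> handleRequest(alice, true)).get();
        System.out.println("with clear:    " + pool.submit(() -> handleRequest(null, true)).get());
        pool.shutdown();
    }
}
```

In a javax.servlet.Filter the same pattern applies: store the context before calling chain.doFilter and clear it in a finally block.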