Securing Entity Access with Hibernate or Spring Security

Posted on by

DAO Methods

Spring Security 3.0 introduced the ability to use Spring EL expressions as an authorization mechanism in addition to the simple use of configuration attributes and access-decision voters which have seen before. Expression-based access control is built on the same architecture but allows complicated boolean logic to be encapsulated in a single expression.

With Spring Security you can use an EL statement to limit accessibility via some property of the method parameter.

@PreAuthorize("#contact.name == authentication.name")
public void doSomething(Contact contact);

Here we are accessing another built-in expression, “authentication”, which is the Authentication stored in the security context.

Another option is to filter the Method’s returned List and only return object that meet ACL criteria.

This is done using the @PostFilter annotation, Spring Security iterates through the returned collection and removes any elements for which the supplied expression is false. The name filterObject refers to the current object in the collection.

@PostFilter("filterObject.owners.email == principal.username or hasRole('ROLE_ADMIN')")
List findAll();

The downside to this is the query to the database will return all the Account objects so the DB performance will be impacted.

Hibernate Filters

Filters are a way to combat this potential Database performance issue.

A filter criteria allows you to define a restriction clause similar to the existing “where” attribute available on the class and various collection elements.

You define a filter with @FilterDef giving it a name and named parameters with @ParamDef. Then you can specify usage of that filter on fields of an Entity to limit the returned values.

So to limit entity access you could have a filter like this -

// Define a filter
@FilterDef(name="restrictToUserIdFilter", parameters={@ParamDef(name="userId", type="String")}

// Add a filter to an Entity
@Filter(
name = "restrictToUserIdFilter",
condition="userId = :currentUserId"
)

// Then you enable the filter on the session you make the Criteria query in

Session session = sessionFactory.getCurrentSession();
Filter filter = session.enableFilter("restrictToUserIdFilter");
filter.setParameter("currentUserId", SecurityContextHolder.getContext().getAuthentication().getPrincipal().getUsername());

List results = session.createQuery("from Employee as e where e.salary > :targetSalary")
.setLong("targetSalary", new Long(1000000))
.list();

This will basically wrap your Hibernate generated SQL in a WHERE clause so that only Employee entities with userId = the logged in user will be shown.

Social Politics

Posted on by

What would a Social Politics application look like?

  • Remove the importance of money in politics.
  • Allow people to evangelize issues and candidates to their connections.
  • Promote “real world” actions by motivated groups of people to affect their representative government at all levels.
  • Make Government more responsive to the wishes of their real constituents. Not the narrow interest groups.

Here are some interesting startups working on Socializing Politics. I think there is still much work and opportunity to be explored in this area.

Votizen is an online network of real voters who have expressed their commitment to be engaged citizens. A free service, Votizen allows you to see your real voting history, learn the issues, endorse candidates, write open letters, and take collective action.

Yatterbox is a political social media website that presents and archives all the social media output of MPs (UK version) and Senators, Representatives, Governors and Congressional Committees (US version). This includes updates from Twitter, Facebook, Flickr, YouTube, RSS feeds.

Courage in the face of doubters

Posted on by

A startup life can be very lonely and isolating. When you think about how many business ventures fail and the fact that to be successful you have to beat a new path to customers; It should be no surprise that you will not have many cheerleaders during your hardest moments.

We all are conditioned to the mythology of the “instant success” story. The kid with the idea on a Monday and the IPO in a couple short months. But deep down we all know that is never the case.

Courage

“Instant success takes time” is one of my favorite truisms. New startups, amazing polished products, or ideas that just rocket to success out of nowhere and have often been preceded by a long period of preparation, rehearsal, and trial-and-error experimentation.

Matt Hendrick has a poignant post titled On Perseverance that speaks to the attitude needed to make it in a new venture.

“It won’t be easy. Taking this path requires sacrifice. Humble yourself. We all need money to survive in this world. Do you think you’re “above” being a waiter, or working a pizza delivery job on the side to keep the lights on? Just how badly do you want to succeed? There’s a famous saying that my friends and I latched onto some years ago: “Successful people do what unsuccessful people won’t do, even when they don’t want to do it.” You might not want to get up at 5:30 in the morning to work a second job, but your situation may require it. Are you up to the challenge?”

Winning and the courage to see your dreams through is no mystery. Successful people have invested in three underpinnings of their confidence.

First is responsibility.

They’ve already confronted facts truthfully and taken accountability for his or her personal decisions.

Next is collaboration.

They’ve created allies and associates, not adversaries in all their relationships.

Finally there is initiative thinking.

They try to make continuous small-scale improvements instead of counting only on the periodic smash hit success.

SEO defined.

Posted on by
Reply

Search engine optimization is the procedure having your site a greater rank within the internet search engine listing. Search engine optimization Friendly Web addresses approximately known as static Web addresses represent an URL structure where links on the website have the symptoms of a static structure like “/category/sub-category/page-name” as opposed to dynamic structure.

During the last decade, Online marketing has observed a superb growth when it comes to its growth and from numerous techniques it’s banner ad campaigns that is in the best position.

Keyword focusing on happens when you produce a specific page or pages to become a fitting response for any internet search engine query. It’s crafting your page to ensure that search engines like Google can certainly discern the page matches a particular search query. Keyword focusing on is really a popular term among online marketer’s. The following factor to see in keyword focusing on is when frequently phrase seems in your body in comparison with other words in your body. You would like top listing about the search engines like Google, and you have to target key phrases, so you receive a #1 listing.

Actually, determining which technique to choose is really a complex problem and is dependent on the keyword and who’s searching for this.

The need for Search Engine Marketing

Posted on by

Internet Marketing has lately gained enormous relevance in recent times as the strength of Search engines is continuing to grow and expand. Managed search engine optimization is a great idea to get started on as early as possible when you want to launch some new websites.

SEO can target contextual search, local search, and industry-specific vertical search engines. But extensive practical knowledge and businesslike approach to SEO is rare in the industry.

On page SEO is so important for a directory that you need to be very sure your knowledge is current. Until recently search engine optimization was considered a niche-marketing challenge, possibly even regarded by some as a field of limited value. Not anymore. This stuff is almost mandatory these days. If you are just putting your head down and building a good web based business without an equal amount of effort promoting it you are likely wasting your time.

But really you have to beware, SEO is actually a overloaded sector with quite a number of frauds within it.

Here are a couple quick basic definitions…

  • Off-site optimisation is actually a link-building method aimed at delivering authority for the target website.
  • Search engine marketing could require A couple of months to see success.
  • Pay-per-click promotion and Seo are two crucial components of an internet Advertising and marketing Strategy.
Posted in SEO

Hibernate/JPA Naming Strategy Issue

Posted on by

Boy I hate when it comes time to “learn” about a technology framework when all I want to do is push out a release to the testing server.

So I’ve started transitioning from generating hibernate xml config files to using Entity annotations with Spring Roo which is a very nice and productive framework for building webapps and domain objects.

I’ve spent a couple frustrated hours understanding why even if you specify a static name for your @Table hibernate will not use it and will instead use the NameingStratagy object to generate the table name with toLowerCase() method.

This makes it hard to use the JPA annotations with an existing database on a *NIX system where the tables are case sensitive.

After an embarrassing amount of time with Google searches and investigations I finally decided to read through the Hibernate source code and figured out that I need to extend ImprovedNamingStrategy and @Override tableName method. This method is only called when the Table name is explicitly set.

So far it seems to work ok…

public class MyImprovedNamingStrategy extends ImprovedNamingStrategy {

@Override
public String tableName(String name){
return name;
}

}

User Controlled Social Network

Posted on by

The EEF has an interesting article about the possible evolution of Social Networks into a more open architecture.

Is it possible for the Social Network ecosystem to evolve to allow the users to gain more control over their activity online?

Right now, when you sign up for Facebook, you get a Facebook profile, which is a collection of data about you that lives on Facebook’s servers. You can add words and pictures to your Facebook profile, and your Facebook profile can have a variety of relationships – it can be friends with other Facebook profiles, it can be a “fan” of another Facebook page, or “like” a web page containing a Facebook widget. Crucially, if you want to interact meaningfully with anyone else’s Facebook profile or any application offered on the Facebook platform, you have to sign up with Facebook and conduct your online social networking on Facebook’s servers, and according to Facebook’s rules and preferences.

The emergence of federated social networks will make a difference here by allowing users to control their data and privacy. This would be similar to how the current software agnostic email system works today. The user on one email server can communicate seamlessly with anyone else with an email server account.

In the spirit of the “open” Internet we need to put as much control as possible in the hands of individual users not large companies or governments. Distributed social networks represent a model that can return control and choice to the hands of the Internet user. Think about how citizens worldwide are using online tools to share vital information about how to improve their communities and their governments. Now imagine if that communication was more tightly controlled and managed?

Firefox 4 Review

Posted on by

The new Firefox browser is out and so far it’s looking awesome. I love a good browser war to push the state of the web forward. Firefox 4 puts Mozilla right back in the game. I like the new UI it’s clean and focused.

Here is some of the best innovations…

Tab Groups

You can have a whole bunch of tabs open and easily segment them into groups. For example one group for work stuff and another for fun. Switching between Tab Groups is easy and quick.
You can create a new group by clicking in the empty space between current groups. You can also close a group to remove multiple tabs at once.

Add-on Manager

The new interface for the add-on manager is truly an innovation in the user experience. This will help move the browser more towards an application hosting environment. The trend that started with the iTunes app store can make it’s logical transition to the web experience.

Global Synch

The new synchronization functionality doesn’t just sync your bookmarks it will also take your history and even your open tabs and copy them across all your machines. If you’re constantly moving from device to device this is a lifesaver.
Most of the sync functionality has been in the Weave add-on since version 3.5, but now having it integrated directly into the browser makes it so much more usable.
One of the greatest things about it is the open protocol that will encourage third-party implementations. This means that developers can create their own client and server software that can interoperate with Firefox’s synchronization features.

Performance

Of course with a new release comes the inevitable performance increase and war of numbers between Microsoft, Google and Mozilla. Let’s just say that all modern browsers are in the game when it comes to performance. You won’t be disappointed.

Tool Review: Internet Data Extraction

Posted on by
1

There are a bunch of very usable powerful data extraction software for web scraping, web harvesting and automatically content extraction out these days.

Developers have long been excited by the mashup possibilities made available by the API’s that popular sites and the large search engines have created. Another tool open to mashup developers is Data Hacking or Web Data Extraction. This is the process of walking over some web accessible resources and pulling out specific pieces of data to be used in a different presentation or combined with another data source for a novel data insight.

Developers can use the following tools to aggregate data from multiple sources to create something totally new.

Here are some popular tools for screen scraping I’ve found.
I’ve put them in the order of most simple to use to most customizable and developer friendly.

Dapper

Dapper is a tool that enables users to create update feeds for their favorite sites and website owners to optimize and distribute their content in new ways.

Extractiv

Semantic Web Crawling service lets you crawl millions of web pages and convert any structured content found on web pages into semantic data.

After the limited personal edition the cost starts at $99 a month.

And newly released Needlebase

Needle uses advanced machine-learning techniques to extract data from a wide range of web-pages and other data sources quickly, reliably and robustly, without requiring any specialized knowledge of programming concepts, HTML structure, or regular expressions.

After the limited personal usage edition the cost starts at $400 a month.

As a Java developer my favorite is Web Harvest

Web-Harvest is Open Source Web Data Extraction tool written in Java. It offers a way to collect desired Web pages and extract useful data from them. In order to do that, it leverages well established techniques and technologies for text/xml manipulation such as XSLT, XQuery and Regular Expressions. Web-Harvest mainly focuses on HTML/XML based web sites which still make vast majority of the Web content. On the other hand, it could be easily supplemented by custom Java libraries in order to augment its extraction capabilities.

Since this is an open-source project it is distributed under BSD License it is free to use. The trick here is since it is a developer tool you will either have to be a developer or hire one to build the data extraction work flow.

Are there others you’ve found? Have you used any of these tools?