Applying database access control by wrapping the EntityManager


J2EE patterns: Applying database access control by wrapping the EntityManager

  1. In my JEE5 apps, I use 3rd party EJB3 modules that don't know anything about my application's database access control constraints. Normally I would have to modify the module's source in order to weave it properly into my application, but this gives me quite a job each time I want to upgrade the component, so I have to find a better way.

     I also hire developers external to my company to make EJB3 components that I later weave into my application. They don't know anything about my application and security constraints. Instructing them in all my application's details, I would probably be better off doing the job myself - but then I end up as the development capacity bottleneck. How could they build me a useful component by focusing on what this component should do, and not having to relate to my application's rules and constraints?

     E.g. I use a 3rd party module that maintains customer report definitions, but this module doesn't know anything about my user/customer tables, or that report definitions should be listed/maintained per user/customer. They should not see each other's report definitions. Furthermore, my application doesn't delete reports when the user hits the delete button - but rather marks them with a "deleted" flag. So how do I apply my own application's rules/constraints to 3rd party code without modifying it?

     My approach so far has been to wrap the EJB3 EntityManager and its related interfaces. By modifying my persistence.xml to use my own EntityManager, which then wraps the one provided by the JEE5 implementation (e.g. Hibernate or TopLink) - I can rewrite the queries created by the 3rd party module and apply my own application rules. This method gives me the flexibility and efficiency I'm looking for when working with external developers, and plugging in external components.

     For myself, I can work with my application in layers, so that code can be written to perform a specific task, and the layers below (in my wrapped EntityManager) direct the boundaries according to the current security context.

     Now I wonder, could this be a framework? Is it already a framework? I've read about qi4j, which they call "Composite Oriented Programming", and I believe this approach is related. Could it be implemented in a generic way using qi4j? I've already created an EntityManager wrapper, but now I need to find a generic way of applying my application rules/constraints (the list of if's and else's is growing :)... Is qi4j maybe the answer? Does anyone know of, or has anyone done, something similar with EJB3 persistence?
  2. I guess my answer is a little late, but you may take a look at the project I started some time ago: JPA Security (http://jpasecurity.sf.net). It does exactly what you want to have.
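The query-rewriting step described in the first post, as an added example that is neither the poster's wrapper nor JPA Security's code: a dynamic proxy around the container's `EntityManager` that scopes simple JPQL reads to the current customer and hides soft-deleted rows. The class name, the `customerId` and `deleted` entity fields, the `acCustomer` parameter and the `Supplier` providing the current customer are all assumptions; it needs Java 8+ and the `javax.persistence` API on the classpath.

```java
import java.lang.reflect.*;
import java.util.*;
import java.util.function.Supplier;
import java.util.regex.*;
import javax.persistence.EntityManager;

// Added illustration. customerId and deleted are hypothetical entity fields.
public final class ScopedEntityManager {
    // Only "SELECT a FROM Entity a [WHERE cond] [ORDER BY ...]" is understood.
    private static final Pattern SIMPLE_SELECT = Pattern.compile(
        "(?is)^\\s*(select\\s+(\\w+)\\s+from\\s+\\w+\\s+\\2)"
        + "(?:\\s+where\\s+(.+?))?(\\s+order\\s+by\\s+.+)?\\s*$");
    // Entry points that would bypass the JPQL rewrite are refused outright.
    private static final List<String> BLOCKED = Arrays.asList(
        "createNativeQuery", "createNamedQuery", "find", "getReference", "getDelegate");

    /** Returns the scoped JPQL, or throws: an unrecognised query never passes through. */
    static String rewrite(String jpql) {
        Matcher m = SIMPLE_SELECT.matcher(jpql);
        if (!m.matches() || jpql.matches("(?is).*(\\bjoin\\b|\\bgroup\\b|\\(\\s*select\\b|['\"]).*"))
            throw new SecurityException("query shape not supported by access filter");
        String cond = m.group(3) == null ? "" : m.group(3);
        int depth = 0;
        for (char c : cond.toCharArray()) {      // unbalanced parentheses could let the
            if (c == '(') depth++;               // original condition escape the guard
            if (c == ')' && --depth < 0) break;
        }
        if (depth != 0) throw new SecurityException("unbalanced parentheses in WHERE");
        String a = m.group(2);
        String guard = a + ".customerId = :acCustomer AND " + a + ".deleted = false";
        return m.group(1) + " WHERE " + (cond.isEmpty() ? guard : "(" + cond + ") AND " + guard)
            + (m.group(4) == null ? "" : m.group(4));
    }

    public static EntityManager wrap(EntityManager delegate, Supplier<?> customer) {
        return (EntityManager) Proxy.newProxyInstance(
            EntityManager.class.getClassLoader(), new Class<?>[] {EntityManager.class},
            (proxy, method, args) -> {
                String name = method.getName();
                if (name.equals("createQuery") && args.length == 1 && args[0] instanceof String)
                    return delegate.createQuery(rewrite((String) args[0]))
                        .setParameter("acCustomer", customer.get()); // bound, never concatenated
                if (name.equals("createQuery") || BLOCKED.contains(name))
                    throw new SecurityException(name + " is not allowed through this wrapper");
                try { return method.invoke(delegate, args); }
                catch (InvocationTargetException e) { throw e.getCause(); }
            });
    }
}
```

Only the read path is covered: `persist`, `merge` and `remove` are delegated unchanged, so turning a delete into a "deleted" flag update needs its own handling. Queries the filter cannot parse are rejected rather than executed unfiltered.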