Group items tagged

FIELD

PROPERTY

Either all annotations must be on the fields, or all annotations on the get methods, but not both (unless the @AccessType annotation is used)

if placed on a get method, then the class is using PROPERTY access

For FIELD access the class field value will be accessed directly to store and load the value from the database

field can be private or any other access type

For PROPERTY access the class get and set methods will be used to store and load the value from the database

PROPERTY has the advantage of allowing the application to perform conversion of the database value when storing it in the object

be careful to not put any side-affects in the get/set methods that could interfere with persistence

Common Problems

Odd behavior

One common issue that can cause odd behavior is

For this reason it is generally recommended to

causing duplicate inserts, missed updates, or a corrupt object model

if you are going to use property access, ensure your property methods are free of side effects

Merge

When the transaction is committed, or if the persistence context is flushed, then the object will be inserted into the database

used to merge the changes made to a detached object into the persistence context

it merges the changes into the persistence context (transaction)

When the transaction is committed, or if the persistence context is flushed, then the object will be updated in the database.

Setting the SESSION variable affects only the current client. Any client can change its own session sql_mode value at any time

STRICT_TRANS_TABLES

Strict mode does not affect whether foreign key constraints are checked

map multiple properties as @Id properties

annotated the property as

map multiple properties as @Id properties and declare an external class to be the identifier type

declared on the entity via the @IdClass annotation

The identifier type must contain the same properties as the identifier properties of the entity: each property name must be the same, its type must be the same as well if the entity property is of a

last case is far from obvious

not responsible for the relationship

mappedBy

To use one of the target entity property as a key of the map, use

if the map key type is another entity

Changes for Hibernate 3.5 applications

if your application uses Hibernate 3 classes that are not available in Hibernate 4, for example, some of the validator or search classes, you may see ClassNotFoundExceptions when you deploy your application. If you encounter this problem, you can try one of two approaches: You may be able to resolve the issue by copying the specific Hibernate 3 JARs containing those classes into the application "/lib" directory or by adding them to the classpath using some other method. In some cases this may result in ClassCastExceptions or other class loading issues due to the mixed use of the Hibernate versions, so you will need to use the second approach. You need to tell the server to use only the Hibernate 3 libraries and you will need to add exclusions for the Hibernate 4 libraries. Details on how to do this are described here: JPA Reference Guide.

In previous versions of the application server, the JCA data source configuration was defined in a file with a suffix of *-ds.xml. This file was then deployed in the server's deploy directory. The JDBC driver was copied to the server lib/ directory or packaged in the application's WEB-INF/lib/ directory. In AS7, this has all changed. You will no longer package the JDBC driver with the application or in the server/lib directory. The *-ds.xml file is now obsolete and the datasource configuration information is now defined in the standalone/configuration/standalone.xml or in the domain/configuration/domain.xml file. A JDBC 4-compliant driver can be installed as a deployment or as a core module. A driver that is JDBC 4-compliant contains a META-INF/services/java.sql.Driver file that specifies the driver class name. A driver that is not JDBC 4-compliant requires additional steps, as noted below.

DataSource Configuration

domain mode, the configuration file is the domain/configuration/domain.xml

standalone mode, you will configure the datasource in the standalone/configuration/standalone.xml

MySQL datasource element:

        <connection-url>jdbc:mysql://localhost:3306/YourApplicationURL</connection-url>        <driver-class> com.mysql.jdbc.Driver </driver-class>        <driver> mysql-connector-java-5.1.15.jar </driver>

       <security>            <user-name> USERID </user-name>            <password> PASSWORD</password>        </security>

example of the driver element for driver that is not JDBC 4-compliant. The driver-class must be specified since it there is no META-INF/services/java.sql.Driver file that specifies the driver class name.

 <driver-class>com.mysql.jdbc.Driver</driver-class>

JDBC driver can be installed into the container in one of two ways: either as a deployment or as a core module

Install the JDBC driver

Install the JDBC driver as a deployment

In AS7 standalone mode, you simply copy the JDBC 4-compliant JAR into the AS7_HOME/standalone/deployments directory

example of a MySQL JDBC driver installed as a deployment:     AS7_HOME/standalone/deployments/mysql-connector-java-5.1.15.jar

Win7 64-bit driver 15.17.16 2302

E6500

- Improved DisplayPort monitor behavior (including non-Dell monitors)

- Fixed issue where system LCD defaults to Max brightness on Standby/resume, Hibernate/resume or reboot

- Improved DisplayPort monitor behavior (including non-Dell monitors)

- Improved mode persistence after

with a DVI monitor attaced

When the application inserts or updates an object, it will set these fields and they will be stored in the database. JPA events could also be used to record the audit information, or to write to a separate audit table.

Example AuditedObject class

@MappedSuperclass public Class AuditedObject {

@Column("AUDIT_USER"); protected String auditUser; @Column("AUDIT_TIMESTAMP"); protected Calendar auditTimestamp;

@PrePersist @PreUpdate public void updateAuditInfo() { setAuditUser((String)AuditedObject.currentUser.get()); setAuditTimestamp(Calendar.getInstance()); }

do not at all describe "who" is able to perform the action(s)

Multiple Parts

Wildcard Permissions support the concept of multiple levels or parts. For example, you could restructure the previous simple example by granting a user the permission printer:query

Multiple Values Each part can contain multiple values. So instead of granting the user both the "printer:print" and "printer:query" permissions, you could simply grant them one: printer:print,query

All Values What if you wanted to grant a user all values in a particular part? It would be more convenient to do this than to have to manually list every value. Again, based on the wildcard character, we can do this. If the printer domain had 3 possible actions (query, print, and manage), this: printer:query,print,manage

simply becomes this: printer:*

Using the wildcard in this way scales better than explicitly listing actions since, if you added a new action to the application later, you don't need to update the permissions that use the wildcard character in that part.

Finally, it is also possible to use the wildcard token in any part of a wildcard permission string. For example, if you wanted to grant a user the "view" action across all domains (not just printers), you could grant this: *:view Then any permission check for "foo:view" would return true

Instance-Level Access Control

instance-level Access Control Lists

Checking Permissions

SecurityUtils.getSubject().isPermitted("printer:print:lp7200")

printer:*:*

all actions on a single printer

printer:*:lp7200

missing parts imply that the user has access to all values corresponding to that part

printer:print is equivalent to printer:print:*

Missing Parts

rule of thumb is to

when performing permission checks

first part is the

that is being operated on (printer)

second part is the

(query) being performed

three parts - the first is the

the second is the

third is the

allow access to

can only leave off parts from the end of the string

Performance Considerations

runtime implication logic must execute for

implicitly using Shiro's default

which executes the necessary implication logic

When using permission strings like the ones shown above, you're

Shiro's default behavior for Realm

for every permission check

need to be checked individually for implication

as the number of permissions assigned to a user or their roles or groups increase, the time to perform the check will necessarily increase

If a Realm implementor has a

more efficient way of checking permissions and performing this implication logic

should implement that as part of their

implies

user:*:12345

user:update:12345

printer

implies

printer:print

Implication, not Equality

permission

are evaluated by

logic - not equality checks

the former implies the latter

superset of functionality

implication logic can be executed at runtime

information than the model you use to

Log date and time

Event date and time

Application identifier

Application address

User identity

Type of event

Severity of event

Description

Action

original intended purpose of the request

Object

affected component

Result status

Reason

Extended details

Data to exclude

Access tokens

Session identification values

Sensitive personal data

passwords

Database connection strings

Encryption keys

payment

Information a user has opted out of collection

Synchronize time across all servers and devices

Input validation failures

Which events to log

proportional to the information security risks

Always log:

Authentication successes and failures

Authorization failures

Session management failures

Application errors and system events

Application and related systems start-ups and shut-downs

Use of higher-risk functionality

for the application

Parameterized Queries with Bound Parameters

keep the

separate through the use of placeholders known as "bound" parameters

how to Review Code for SQL Injection Vulnerabilities.

Guide to SQL Injection

"injection" of a SQL query via the input data from the client to the application