package org.jboss.seam.security;

import static org.jboss.seam.security.EntityAction.DELETE;
import static org.jboss.seam.security.EntityAction.INSERT;
import static org.jboss.seam.security.EntityAction.READ;
import static org.jboss.seam.security.EntityAction.UPDATE;

import java.io.Serializable;

import org.hibernate.EmptyInterceptor;
import org.hibernate.Interceptor;
import org.hibernate.type.Type;
import org.jboss.seam.Entity.NotEntityException;

/**
 * Hibernate interceptor that runs an entity-permission check on the load, save,
 * flush-dirty and delete callbacks, then forwards the callback to an optional
 * wrapped interceptor.
 *
 * <p>The permission check always runs before delegation. Only
 * {@link NotEntityException} is caught; anything else thrown by the checker
 * propagates to Hibernate, and the wrapped interceptor is not invoked for that
 * callback.
 *
 * <p>NOTE(review): only four callbacks are overridden here. Every other
 * {@link Interceptor} callback is inherited from {@link EmptyInterceptor} and is
 * therefore not forwarded to the wrapped interceptor. Confirm that this is
 * intended for the interceptors that get wrapped.
 *
 * @author Shane Bryzak
 */
public class HibernateSecurityInterceptor extends EmptyInterceptor {

    /** Interceptor to delegate to after the permission check; may be {@code null}. */
    private Interceptor wrappedInterceptor;

    /**
     * @param wrappedInterceptor interceptor that receives each callback once the
     *        permission check has passed, or {@code null} for none
     */
    public HibernateSecurityInterceptor(Interceptor wrappedInterceptor) {
        this.wrappedInterceptor = wrappedInterceptor;
    }

    /**
     * Checks READ permission, then delegates.
     *
     * <p>NOTE(review): Hibernate's Interceptor documentation describes
     * {@code entity} as an empty, uninitialized instance at this point, with the
     * loaded values in {@code state}. A READ rule that inspects entity fields may
     * therefore see unpopulated data. Confirm how the permission checker
     * resolves its target.
     *
     * @return the wrapped interceptor's result, or {@code false} when there is none
     */
    @Override
    public boolean onLoad(Object entity, Serializable id, Object[] state,
            String[] propertyNames, Type[] types) {
        checkPermission(entity, READ);
        if (wrappedInterceptor == null) {
            return false;
        }
        return wrappedInterceptor.onLoad(entity, id, state, propertyNames, types);
    }

    /** Checks DELETE permission, then delegates to the wrapped interceptor if one is set. */
    @Override
    public void onDelete(Object entity, Serializable id, Object[] state,
            String[] propertyNames, Type[] types) {
        checkPermission(entity, DELETE);
        if (wrappedInterceptor != null) {
            wrappedInterceptor.onDelete(entity, id, state, propertyNames, types);
        }
    }

    /**
     * Checks UPDATE permission, then delegates.
     *
     * @return the wrapped interceptor's result, or {@code false} when there is none
     */
    @Override
    public boolean onFlushDirty(Object entity, Serializable id, Object[] currentState,
            Object[] previousState, String[] propertyNames, Type[] types) {
        checkPermission(entity, UPDATE);
        if (wrappedInterceptor == null) {
            return false;
        }
        return wrappedInterceptor.onFlushDirty(entity, id, currentState, previousState,
                propertyNames, types);
    }

    /**
     * Checks INSERT permission, then delegates.
     *
     * @return the wrapped interceptor's result, or {@code false} when there is none
     */
    @Override
    public boolean onSave(Object entity, Serializable id, Object[] state,
            String[] propertyNames, Type[] types) {
        checkPermission(entity, INSERT);
        if (wrappedInterceptor == null) {
            return false;
        }
        return wrappedInterceptor.onSave(entity, id, state, propertyNames, types);
    }

    /**
     * Runs the permission check for {@code action} against {@code entity}.
     *
     * <p>Objects the checker rejects with {@link NotEntityException} are let
     * through without a permission decision, so this path is deliberately
     * fail-open for non-entity objects. How a denial is signalled is not visible
     * in this file; whatever the checker throws is passed on unchanged.
     */
    private static void checkPermission(Object entity, EntityAction action) {
        try {
            EntityPermissionChecker.instance().checkEntityPermission(entity, action);
        } catch (NotEntityException ignored) {
            // Not a JPA entity
        }
    }
}