[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3838) Permission check fails on collections that contain lazily initialized entities

Stuart Douglas (JIRA) jira-events at lists.jboss.org
Sun Dec 14 19:05:36 EST 2008


    [ https://jira.jboss.org/jira/browse/JBSEAM-3838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12442453#action_12442453 ] 

Stuart Douglas commented on JBSEAM-3838:
----------------------------------------

A potential workaround that does not involve eagerly fetching everything could be to use Hibernate bytecode instrumentation and @LazyToOne(LazyToOneOption.NO_PROXY).

> Permission check fails on collections that contain lazily initialized entities
> ------------------------------------------------------------------------------
>
>                 Key: JBSEAM-3838
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3838
>             Project: Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1.0.SP1
>            Reporter: Georges Berscheid
>            Assignee: Shane Bryzak
>             Fix For: 2.1.2.CR1
>
>
> org.jboss.seam.security.permission.PermissionMapper.filterByPermission:94
> The permission filter checks if the target of the check is of the same class as the target of the permission. If the collection-parameter is the result of a javax.persistence.Query.getResultList() (using Hibernate), and one of the entities returned in that List had previously been lazily fetched (e.g. as part of an entity relationship), this check will fail.
> Hibernate probably does some optimization and knows that it had fetched this entity before, and hence puts the lazy proxy into the result list. The proxy's class name is something like Entity_$$_javassist_12 which won't match the class name of the permission target (Entity).
> The only work-around I could find for this is to eagerly fetch all entity relationships that are affected by this behavior, which kills the performance of the application.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
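
An added illustration of the class mismatch described in the report; it is not code from Seam, Hibernate, or this thread. The entity, the proxy-named subclass, and every method name are constructed stand-ins, and the `_$$_` marker is taken from the proxy class name quoted in the report.

```java
import java.util.ArrayList;
import java.util.List;

public class ProxyClassCheck {
    // Constructed stand-ins: an entity and a subclass named the way the
    // report says Hibernate's javassist proxies are named.
    static class Document { }
    static class Document_$$_javassist_0 extends Document { }

    // Strict comparison, as the report describes the filter: a proxy
    // instance never has exactly the class of the permission target.
    static boolean strictMatch(Object target, Class<?> permissionTarget) {
        return target.getClass().equals(permissionTarget);
    }

    // Hypothetical helper: walk up from a proxy class to the entity class.
    // With Hibernate on the classpath, Hibernate.getClass(entity) resolves
    // the persistent class behind a proxy and would replace this loop.
    static Class<?> entityClass(Object target) {
        Class<?> c = target.getClass();
        while (c.getName().contains("_$$_") && c.getSuperclass() != null) {
            c = c.getSuperclass();
        }
        return c;
    }

    // Hypothetical filter: keeps objects whose class matches the target.
    static List<Object> filter(List<Object> in, Class<?> permissionTarget,
                               boolean proxyAware) {
        List<Object> out = new ArrayList<>();
        for (Object o : in) {
            boolean ok = proxyAware
                    ? entityClass(o).equals(permissionTarget)
                    : strictMatch(o, permissionTarget);
            if (ok) out.add(o);
        }
        return out;
    }

    public static void main(String[] args) {
        List<Object> results = new ArrayList<>();
        results.add(new Document());                 // plain entity
        results.add(new Document_$$_javassist_0());  // stands in for a lazy proxy
        System.out.println("strict:      " + filter(results, Document.class, false).size());
        System.out.println("proxy-aware: " + filter(results, Document.class, true).size());
    }
}
```

The strict comparison drops the proxy-named instance while the proxy-aware comparison keeps both, which is the difference between an authorization filter that silently hides permitted rows and one that evaluates the real entity type.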

        


