Lately i’ve been rambling and ranting a lot on twitter about the Grails framework.
To my surprise, many other developers actually read this tweets and helped me out on some problems. Thanks a lot gals and guys, i really appreciate that. Me rambling isn’t meant to be personal at any time, i guess you know how easily one gets frustrated with too less time and too much stuff to do.
Anyway, here are some shortcuts that could eventually be helpful. I’m gonna add more to this list the next days:
Enabling hibernate filters in the grails session
Took me a little digging through the source code, but i came up with the following idea:
import org.springframework.transaction.support.TransactionSynchronizationManager;
class SecurityFilters {
def sessionFactory
def filters = {
login(controller:'*', action:'*') {
before = {
// get your user id somewhere
def whatsoeveruserId = 0
def sessionHolder = TransactionSynchronizationManager.getResource(sessionFactory);
sessionHolder.getSession().enableFilter("filterByOwner").setParameter("currentUserId", whatsoeveruserId);
}
}
}
} |
import org.springframework.transaction.support.TransactionSynchronizationManager;
class SecurityFilters {
def sessionFactory
def filters = {
login(controller:'*', action:'*') {
before = {
// get your user id somewhere
def whatsoeveruserId = 0
def sessionHolder = TransactionSynchronizationManager.getResource(sessionFactory);
sessionHolder.getSession().enableFilter("filterByOwner").setParameter("currentUserId", whatsoeveruserId);
}
}
}
}
I want to have some kind of rowlevel security through a Hibernate filter. Through dependency injection i get hold of the sessionFactory and through the TA Manager, i get the current session on which i can enable my filter.
Doing this in a Grails filter, i can combine this with some kinda login mechanism and i’m good to go.
Whitelisting attributes through bindData
To me it’s a bad idea using blacklisting on data binding as i can and will forget attributes that must not be updated through a webform.
With Marc i found the following solution:
bindData(entity, params, entity.properties.collect{it.key} - ['foo', 'bar']) |
bindData(entity, params, entity.properties.collect{it.key} - ['foo', 'bar'])
That way only attributes foo and bar gets updated.
Anyway, with Grails 1.1 this won’t be necessary anymore as Graeme anonced.
Graeme was so kind to comment on this: This feature is already in 1.0.x, i just didn’t find it, have a look at the docu at The Web Layer.
bindData(entity, params, [include:['foo', 'bar']]) |
bindData(entity, params, [include:['foo', 'bar']])
Updates on 2008/12/9
Adding custom errors to a domain class
The grails reference has a handy example for adding custom errors to domain classes, have a look here. This works quite well except that all other errors from databinding are mysteriously gone.
For me, the following steps worked to update a user (change some persistent attributes and the transient attributes password and passwordConfirmation):
bindData(anwender, params, [include:['name', 'vorname', 'password', 'passwordConfirmation']])
if(params.password != "" && params.password == params.passwordConfirmation)
anwender.hashPassword() // As alway, never ever store plaintext passwords ;)
else if(params.password != "") {
anwender.validate() // IMPORTANT without that step, possible other errors from bindData vanished
anwender.errors.rejectValue('password', 'user.anwender.passwords_doesnotmatch')
} |
bindData(anwender, params, [include:['name', 'vorname', 'password', 'passwordConfirmation']])
if(params.password != "" && params.password == params.passwordConfirmation)
anwender.hashPassword() // As alway, never ever store plaintext passwords ;)
else if(params.password != "") {
anwender.validate() // IMPORTANT without that step, possible other errors from bindData vanished
anwender.errors.rejectValue('password', 'user.anwender.passwords_doesnotmatch')
}
Afterwords, hasErrors() show all errors, i.a. non nullable fields and the like.
More thoughts
I somewhat used to hibernate and come along very well with it, even though i’m actually a SQL fan. I guess if my inside into the Spring Framework would be a little bit deeper, some areas wouldn’t be hard to understand.
On the other hand i think that Grails does a great job for J2EE based development and it should do so even more. As always, there is the law of leaky abstractions, but the whole butload of stuff that is the J2EE stack should be abstracted away.
Updates on 2009/2/6
Grails 1.1-beta3
I use hibernate validator in my domain classes (that i created outside of rails as hibernate annotated classes) and i got
java.lang.NoSuchMethodError: org.hibernate.event.PreInsertEvent.getSource()Lorg/hibernate/engine/SessionImplementor |
java.lang.NoSuchMethodError: org.hibernate.event.PreInsertEvent.getSource()Lorg/hibernate/engine/SessionImplementor
on every insert and update. Hibernate validator 3.0.0.GA is incompatible with the Hibernate version in Grails 1.1-beta3. Problem was gone after upgrading validator to 3.1.0.GA.
Some other stuff:
Filed in English posts, Java
|