EclipseLink/Examples/JPA/Oracle/Proxy

This example is currently under development; see Bug 224964.

How to use EclipseLink JPA with Oracle Proxy Authentication

The Oracle database offers proxy authentication, which lets an application use a shared data source connected to the database as a single common (default) user and then, when a connection is used within the application, 'proxy' it as a different user. The benefit is that the database knows the specific user, for the purposes of auditing or secure data access.

This how-to focuses on using proxy authentication with EclipseLink JPA.

Overview

Requirements

  • Access to OracleConnection (typically from OracleDataSource) using Oracle JDBC driver version 10.1.0.2 or later.

Write Access Control. Auditing

Each change to the database can be attributed to the database user who made it (auditing). The EclipseLink application maintains the shared cache.

  • The EntityManager uses proxy user "john" for writes and for reads inside a transaction. Note that reads performed outside of a transaction go through the main (non-proxied) connection.
Map emProperties = new HashMap();
emProperties.put("eclipselink.oracle.proxy-type", OracleConnection.PROXYTYPE_USER_NAME);
emProperties.put(OracleConnection.PROXY_USER_NAME, "john");
EntityManager em = emf.createEntityManager(emProperties);
// or in case of injected EntityManager
((org.eclipse.persistence.internal.jpa.EntityManagerImpl)em.getDelegate()).setProperties(emProperties);

Full (Read and Write) Access Control. VPD.

Isolated cache case.

Entities defined to use an isolated (not shared) cache are both written and read through the same "exclusive" connection.

  • Pass to the createEntityManagerFactory method one or more properties indicating that particular entities use an isolated cache.
// Entity named Employee uses isolated cache and will be both read and written through exclusive connection.
"eclipselink.cache.shared.Employee"  -> "false"
  • Alternatively, pass to the createEntityManagerFactory method a property indicating that all entities use an isolated cache.
// All entities use isolated cache and will be both read and written through exclusive connection.
"eclipselink.cache.shared.default"  -> "false"
  • Pass to either createEntityManagerFactory or createEntityManager a property indicating that isolated entities should be read through the exclusive connection.
 
  "eclipselink.jdbc.exclusive-connection.mode" -> "Isolated"

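The isolated-cache steps above combined with a per-user proxy EntityManager, as an added example that is not part of the original page or of EclipseLink's own code. The persistence unit name "example-pu" and the class and method names are assumptions; the code uses the javax.persistence API and needs EclipseLink and the Oracle JDBC driver on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;
import oracle.jdbc.OracleConnection;

public class ProxiedEntityManagers {

    // Hypothetical persistence unit name; use the one from your persistence.xml.
    private static final String UNIT_NAME = "example-pu";

    /** Factory-level settings: every entity isolated, isolated reads on the exclusive connection. */
    static Map<String, Object> factoryProperties() {
        Map<String, Object> props = new HashMap<>();
        // No entity goes into the shared cache, so data read for one proxy user
        // is not served to another user from that cache.
        props.put("eclipselink.cache.shared.default", "false");
        props.put("eclipselink.jdbc.exclusive-connection.mode", "Isolated");
        return props;
    }

    /** Per-EntityManager proxy settings for one database user. */
    static Map<String, Object> proxyProperties(String dbUser) {
        // Choice made by this example: reject a missing user name here instead of
        // creating an EntityManager without the intended proxy user.
        if (dbUser == null || dbUser.trim().isEmpty()) {
            throw new IllegalArgumentException("proxy user name is required");
        }
        Map<String, Object> props = new HashMap<>();
        props.put("eclipselink.oracle.proxy-type", OracleConnection.PROXYTYPE_USER_NAME);
        props.put(OracleConnection.PROXY_USER_NAME, dbUser);
        return props;
    }

    public static void main(String[] args) {
        EntityManagerFactory emf =
                Persistence.createEntityManagerFactory(UNIT_NAME, factoryProperties());
        EntityManager em = emf.createEntityManager(proxyProperties("john"));
        try {
            em.getTransaction().begin();
            // Reads and writes of isolated entities issued here use the connection proxied as "john".
            em.getTransaction().commit();
        } finally {
            if (em.getTransaction().isActive()) em.getTransaction().rollback();
            em.close();
            emf.close();
        }
    }
}
```
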
Shared cache case.

All entities are both written and read through the same "exclusive" connection. Note that, unless the entities are isolated, all entities that are read end up in the same shared cache, which might compromise security.

  • Pass to either createEntityManagerFactory or createEntityManager a property indicating that all entities should be read through the exclusive connection.
 
  "eclipselink.jdbc.exclusive-connection.mode" -> "Always"

Defining Proxy Properties on EntityManagerFactory.

Proxy properties may also be set on the EntityManagerFactory. In that case all connections use them, unless they are overridden in an EntityManager.

Map factoryProperties = new HashMap();
factoryProperties.put("eclipselink.oracle.proxy-type", OracleConnection.PROXYTYPE_USER_NAME);
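factoryProperties.put(OracleConnection.PROXY_USER_NAME, "sarah");
// "example-pu" is a placeholder persistence unit name; use the one from your persistence.xml.
EntityManagerFactory emf = Persistence.createEntityManagerFactory("example-pu", factoryProperties);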
 
// em1 doesn't specify its own proxy properties - uses proxy user "sarah" specified by the factory.
EntityManager em1 = emf.createEntityManager();
 
// em2 uses its own proxy properties - proxy user "john", doesn't matter whether factory has proxy properties or not.
EntityManager em2 = emf.createEntityManager(emProperties);
 
// em3 doesn't use any proxy connection - cancels proxy properties defined in the factory.
Map cancelProperties = new HashMap();
cancelProperties.put("eclipselink.oracle.proxy-type", "");
EntityManager em3 = emf.createEntityManager(cancelProperties);