Security Constraints for Collection Attributes
Let’s consider the following situation:
- Your data model contains Order and OrderLine entities which form a one-to-many composition.
- Your REST client loads an instance of Order together with the nested collection of OrderLine instances.
- There are security constraints that filter out some OrderLine instances, so the client does not load them and doesn’t know they exist. Say line5 is not loaded by the client but exists in the database.
- If your client removes, say, line2 from the collection and then saves the whole composition using the /entities/{entityName}/{entityId} endpoint, there are two outcomes:
  - If the constraints were not changed since the entities were loaded, the framework restores the filtered line5 instance in the collection and deletes only line2, which is the correct behavior.
  - If the constraints were changed in a way that line5 is now available to the client, the framework cannot restore the information about filtered collection elements correctly. As a result, both line2 and line5 will be deleted.
If you are concerned with the case described above, you can eliminate possible data loss by sending a special system attribute in the JSON representing your entities. This attribute is called __securityToken and is automatically included in the resulting JSON if the cuba.rest.requiresSecurityToken application property is set to true. The responsibility of your REST client is to return this attribute back unchanged when saving entities.
An example of entity JSON including security token:

    {
      "id": "fa430b56-ceb2-150f-6a85-12c691908bd1",
      "number": "OR-000001",
      "items": [
        {
          "id": "82e6e6d2-be97-c81c-c58d-5e2760ae095a",
          "description": "Item 1"
        },
        {
          "id": "988a8cb5-d61a-e493-c401-f717dd9a2d66",
          "description": "Item 2"
        }
      ],
      "__securityToken": "0NXc6bQh+vZuXE4Fsk4mJX4QnhS3lOBfxzUniltchpxPfi1rZ5htEmekfV60sbEuWUykbDoY+rCxdhzORaYQNQ=="
    }
The __securityToken attribute contains encoded identifiers of filtered instances, so the framework can always restore the required information regardless of changes in constraints.