The Archive Base


Editorial Team
Asked: May 12, 2026 (2026-05-12T15:54:41+00:00)

This is more of a design than implementation question and it’s going to be

This is more of a design than implementation question and it’s going to be long so bear with me. It’s best explained with an example:

Let’s say I have a business entity called Product with a bunch of properties (name, price, vendor, etc…).

It’s represented by an interface (Product) and implementation (ProductImpl, mapped in Hibernate) as well as basic CRUD service interface (ProductService) and implementation (ProductServiceImpl).
Product and ProductService are exposed as API, their implementations are not.

I want to add a List findProducts(QueryCriteria criteria) method to ProductService that would return a list of products satisfying given criteria.
The requirements are:

  1. Query by direct Product properties (e.g. product.price gt 50.0)
  2. Query by association (e.g. product.vendor.name = "Oracle")
  3. Sort results (e.g. order by product.vendor.name desc, product.price asc)
  4. Apply additional filters. Unlike the above 3 items which are all specified by API client, additional filters may be applied by the service based on client’s identity (e.g. client invoking this method may be limited to only seeing products manufactured by given vendor). Such filters take precedence over any criteria specified by the client (e.g. if the filter is set to product.vendor.name = "Microsoft", query in (2) above should produce empty result set).

The question, therefore, is what should QueryCriteria interface used by such a method look like? I can think of 3 solutions and I don’t like any of them:

  • Allow clients to specify HQL (starting with “where” clause) directly.
    This is the most straightforward solution, but also the most problematic security-wise. Even assuming that filters (#4 above) are simple enough to be implemented via Hibernate’s session filters, HQL still needs to be parsed to – at the very least – ensure that query parameters are specified as parameters and not inlined.
  • Use thinly wrapped Hibernate’s DetachedCriteria in place of QueryCriteria.
    “Thinly wrapped” because client can not be allowed to create DetachedCriteria directly for there would be no way to control what mapped entity it was created for.
    Also, this would not be as flexible as HQL for some queries are not easily (or at all) expressible via Criteria API. As with HQL approach, filters (#4 above) will be limited to Hibernate session filters.
  • Write my own QueryCriteria interface / implementation which will form either DetachedCriteria or HQL behind the scenes.
    While probably the most flexible solution, this will have to duplicate a lot of code from Criteria API which seems less than ideal.

Any comments on the validity of the above approaches or – fingers crossed – simple elegant solutions that didn’t occur to me would be highly appreciated.

P.S. In my specific case, all API clients are internal and “semi-trusted” – that is I’m not as much concerned with someone trying to deliberately break something as with poor programming resulting in Cartesian product of 5 tables 🙂 However, it’d be nice to come up with a solution that would withstand API exposure to public.

1 Answer

  1. Editorial Team
    Added an answer on May 12, 2026 at 3:54 pm (2026-05-12T15:54:41+00:00)

    The actual solution I’ve implemented uses a hybrid approach.

    Methods that use well-defined queries (e.g. methods that are used internally by other services, predefined reports, etc.) have signature similar to HibernateTemplate’s findBy methods:

    public List<Entity> findEntities(String queryName, QueryParameters parameters);
    

    where QueryParameters is a convenience class for specifying named parameters explicitly or taking them from a bean. Sample usage is:

    List<Product> products = findProducts("latestUpdates",
     new QueryParameters()
      .add("vendor", "Oracle")
      .add("price", "50.0")
    );
    

    or

    List<Product> products = findProducts("latestUpdates",
     new QueryParameters(product, "vendor", "price"));
    

    Access to such methods is limited to “trusted” code; queries used must obviously be defined in Hibernate mappings. Filters are built into query or defined as session filters. The benefits are cleaner code (no Criteria-like stuff spread across half a page) and clearly defined HQL (easier to optimize and deal with cache if necessary).


    Methods that are exposed to UI or otherwise need to be more dynamic use Search interface from Hibernate-Generic-DAO project. It’s somewhat similar to Hibernate’s DetachedCriteria but has several advantages:

    1. It can be created without being tied to particular entity. It’s a big deal for me because entity interface (part of API visible to users) and implementation (POJO mapped in Hibernate) are two different classes and implementation is not available to user at compile time.

    2. It’s a well thought out open interface; quite unlike DetachedCriteria from which it’s nearly impossible to extract anything (yes, I know DC wasn’t designed for that; but still)

    3. Built-in pagination / results with total count / bunch of other little niceties.

    4. No explicit ties to Hibernate (though I personally don’t really care about this; I’m not going to suddenly drop Hibernate and go with EclipseLink tomorrow); there are both Hibernate and generic JPA implementations available.

    Filters can be added to Search on service side; that’s when entity class is specified as well. The only thing missing is quick-fail on client side if invalid property name is specified and that can be resolved by writing my own ISearch / IMutableSearch implementation but I didn’t get to that yet.

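An added example, not part of the original question or answer and not Hibernate or Hibernate-Generic-DAO code, showing requirement 4 together with the quick-fail on invalid property names: client criteria are checked against an allow-list, values are bound as named parameters, and the service-side filter is ANDed on so the client cannot widen it. All class, record and property names are hypothetical; it assumes Java 16+ and only builds the HQL string and parameter map.

```java
import java.util.*;

/** Hypothetical sketch: compiles client criteria into parameterized HQL. */
public class SafeProductQuery {
    // Allow-list: client-visible property path -> HQL path (assumed mapping).
    static final Map<String, String> PATHS = Map.of(
        "name", "p.name", "price", "p.price", "vendor.name", "p.vendor.name");
    static final Set<String> OPS = Set.of("=", "<>", ">", ">=", "<", "<=");

    record Condition(String property, String op, Object value) {}
    record Sort(String property, boolean descending) {}
    record Compiled(String hql, Map<String, Object> params) {}

    static String path(String property) {
        String hqlPath = PATHS.get(property);
        if (hqlPath == null) throw new IllegalArgumentException("Unknown property: " + property);
        return hqlPath;
    }
    /** clientConds and sorts come from the caller; forced comes from the service (caller identity). */
    static Compiled compile(List<Condition> clientConds, List<Sort> sorts, List<Condition> forced) {
        Map<String, Object> params = new LinkedHashMap<>();
        List<String> where = new ArrayList<>();
        addAll(where, params, clientConds, "c");
        addAll(where, params, forced, "f"); // ANDed on; only AND is supported, so it always applies
        StringBuilder hql = new StringBuilder("from ProductImpl p");
        if (!where.isEmpty()) hql.append(" where ").append(String.join(" and ", where));
        List<String> order = new ArrayList<>();
        for (Sort s : sorts) order.add(path(s.property()) + (s.descending() ? " desc" : " asc"));
        if (!order.isEmpty()) hql.append(" order by ").append(String.join(", ", order));
        return new Compiled(hql.toString(), params);
    }
    static void addAll(List<String> where, Map<String, Object> params, List<Condition> conds, String prefix) {
        for (Condition c : conds) {
            if (!OPS.contains(c.op())) throw new IllegalArgumentException("Unsupported operator: " + c.op());
            String name = prefix + params.size();
            where.add(path(c.property()) + " " + c.op() + " :" + name);
            params.put(name, c.value()); // value is bound as a parameter, never concatenated
        }
    }
    public static void main(String[] args) {
        Compiled q = compile( // constructed sample input
            List.of(new Condition("vendor.name", "=", "Oracle"), new Condition("price", ">", 50.0)),
            List.of(new Sort("vendor.name", true), new Sort("price", false)),
            List.of(new Condition("vendor.name", "=", "Microsoft")));
        System.out.println(q.hql() + "\n" + q.params());
        // An unknown property or operator is rejected before any HQL is built.
        try { compile(List.of(new Condition("vendor.secret", "=", "x")), List.of(), List.of()); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With the sample input, the client's vendor.name = "Oracle" and the forced vendor.name = "Microsoft" both end up in the where clause, so the query matches nothing, as requirement 4 asks.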
