Affected:
Spring Data JPA 1.10.2, 1.9.4
Other unsupported versions are also affected
Spring:
https://pivotal.io/security/cve-2016-6652
http://cve.circl.lu/cve/CVE-2016-6652
Mitigation:
Users of affected versions should apply the following mitigation:
Users are advised to upgrade to Spring Data JPA in version 1.10.4
(Hopper SR4) or 1.9.6 (Gosling SR6). These versions contain
sanitizing of the Sort instances handed to the data access layer and
only allow referring to domain object fields and aliases used in the
JPQL backing the query method.
Should users still need to hand complex sort expressions to the data
access layer, they can use the newly introduced JpaSort.unsafe(…) to
reinstantiate the old behavior.
Question:
We are using latest version of Spring data but security assessment tool shows that Sql injection vulnerability in code , should we start using OWASP ESAPI API on Repo level ?
Related
How can I persist and query userconnections via Hibernate in Spring Social?
The situation:
We have to introduce Spring Social in a legacy web application. This legacy system uses Hibernate. The problem is, that in Spring Social the userconnections are persisted via SpringTemplate (classes JdbcUsersConnectionRepository and JdbcConnectionRepository).
From my limited understanding, I have two options:
Use it as it is.
Implement a custom ConnectionRepository and UsersConnectionRepository, which use the existing Hibernate infrastructure
Option 1 is not what I want, as I then have to invest a lot of effort to configure properly a second persistence framework (multi-threading, connection-pooling, etc.).
Option 2 quickly solves my problems, but in the long run may lead to hidden or unhidden problems when upgrading to new Spring Social versions.
As both options are not really satisfying my question:
What would you propose? Do you know better options?
Is it possible to use Hibernate and RDBMS(Mysql, Postgres etc) with ReactiveCrudRepository instead of CrudRepository? I have tried some samples with Spring Data Jpa and Hibernate, but couldn't get it done. I was only able to find a few samples on ReactiveCrudRepository for MongoDB and cassandra.
Is it possible to use Hibernate and Mysql with ReactiveCrudRepository instead of CrudRepository?
TL;DR:
Not with Hibernate and MySQL, but with R2DBC and Postgres, Microsoft SQL Server or H2.
Take a look at Spring Data R2DBC.
Long Version
Why not JPA?
With Hibernate/JPA included this won't happen in the foreseeable future.
JPA is based on the idea that you load part of your data model into memory, manipulate the resulting object model and let JPA transform these changes.
All this within a single transaction.
This is kind of the opposite how one deals with a reactive store where you try to make atomic changes and try to decouple the loading, processing and storing and all this without blocking.
Why not JDBC?
So we have to look at the technology level below JPA: JDBC.
But JDBC is still blocking: You send a SQL statement to your database and then JDBC will block until you get the result.
And again this goes against the idea of reactive: Never block.
One could wrap this in a thread pool to mitigate this to some extent, but that is more of a workaround than a solution.
Why R2DBC?
There are some suitable drivers for some databases that could be used for reactive repositories.
But they are proprietary and thereby not a good basis for something that really should eventually work across all (relevant) relational databases.
For some time the Spring Data team hoped that ADBA would fill that gap.
But discussions on the mailing list made it clear that ADBA was not aiming for reactive but only for asynchronous.
Again not what we needed for a reactive repository abstraction.
So early in 2018 various people living at the intersection or reactive and relational decided that we need a standard for reactive database access.
R2DBC (Reactive Relational Database Connectivity)
is a proposal for such a standard.
The hope is that it either helps convincing Oracle to move ADBA to a reactive approach or if that doesn't happen it becomes the standard itself.
And with already three implementations available chances for the second option look promising.
R2DBC itself is mainly an SPI, i.e. an API that is to be implemented by database providers.
The SPI is designed in a way that puts minimal requirements on implementers.
But this also makes R2DBC somewhat cumbersome to use.
The idea is that other libraries will step up and build libraries designed for usability on top of that SPI, as it happened with JDBC.
Spring Data R2DBC
Spring Data R2DBC is one such library and it offers what you asked for: Support for ReactiveCrudRepository although it is independent of JPA/Hibernate and there is no support for MySQL yet.
State of the projects
Both R2DBC and Spring Data R2DBC didn't have a production release yet and it will take at least several months to get there.
Spring Data R2DBC just released the first milestone.
See the release article for its current capabilities.
R2DBC is on its 6th milestone. See the release article for details.
See also this answer: Why does Spring not provide reactive (non-blocking) clients for relational databases?
Original answer as a reference for archeologists:
As of now (Jan 2017) it is not possible.
The currently relevant release for the reactive part of Spring Data is Spring Data Kay M1 (You can check if there is a newer version available on the project home page)
And a blog post from the Spring Data team about that release and specifically the reactive parts in it starts with (emphasis mine):
Spring Data Kay M1 is the first release ever that comes with support for reactive data access. Its initial set of supported stores — MongoDB, Apache Cassandra, and Redis — all ship reactive drivers already, which made them very natural candidates for such a prototype.
The reason is that there is no standard non-blocking way to access a relational database. So only those that support this kind of API are supported right now.
One could implement a ReactiveCrudRepository using JPA or JDBC and delegate the work to a thread pool. This would provide an async API on the outside, but would still consume the resources for the Threads and block between independent data accesses, so only a small part of the benefits of the reactive approach would get realized.
Hibernate started a new Hibernate Reactive subproject for reactive streams support which provides Hibernate/JPA similar APIs to access RDBMS. But unfortunately at the moment, Spring Data does not support it. So there is no a ReactiveCrudRepoisoty for Hibernate Reactive.
But you can integrate Hibernate with Spring yourself and get reactive support.
Define a persistence.xml file, note the provider class must be specified as the one in Hibernate Reactive.
Declare a Mutiny.SessionFactory bean.
Then inject it in your repository class.
I have created a complete example demos Hibernate Reactive + Spring.
Update: Till now Spring team has no plan to support it, if you are willing to taste other framework, check Quarkus and Micronaunt, both have seamless Hibernate Reactive support. Check my Quarkus Hibernate Reactive example and Micronaut Hibernate Reactive example.
According to quote from previous answer
One could implement a ReactiveCrudRepository using JPA or JDBC and delegating the work to a thread pool. This would provide an async API on the outside, but would still consume the resources for the Threads and block between independent data accesses, so only a small part of the benefits of the reactive approach would get realized.
James Ward claims it can be non-blocking. I mean I asked him:
yeah ok, but isn't ScalikeJDBC-Async doing exactly the same? just putting query invocation into another thread pool?
and he replied
No because ScalalikeJDBC-Async uses https://github.com/mauricio... which is actually a non-blocking (NIO) JDBCish database driver.
source
So you can be reactive by replacing hibernate + spring data with postgresql-async (should work with mysql).
you could try with quarkus framework and panache mongo hibernate reactive repositories. https://quarkus.io/guides/mongodb-panache .It is easy manage a reactive repository over mongoDB, It is later but hope helps.
I am interested in Spring Data JPA projection but I need to use JPA specification. Is it possible to fetch projection interfaces with JPA specification?
As far as I know, this simply dooes not work and is not supposed to work, at least not for now https://jira.spring.io/browse/DATAJPA-1189
A Spring-Data-JPA Enthusiast has created a project that implements projections with specifications. I am using it in my own project without problem. You may check it from here:
https://github.com/pramoth/specification-with-projection
Update for database level projections
There is an outdated comment below.
Is not query optimized. It just map the results after they have been queried
The last version of this library supports database level projections link to the commit.
Update for the last Spring Boot versions
Until this pull request is not merged, to support the last Spring Boot versions, fixed library sources can be copy pasted directly to the project from here
https://github.com/v-ladynev/specification-with-projection-embeded
I want to access a Neo4j DB with Java and wanted to know what the preferred way to do this is. I just want to write a quite simple data structure to the DB.
http://neo4j.com/developer/java/ gives following options:
JDBC
Hibernate OGM
Spring Data
Rest API via Unmanaged Extensions
I looked into accessing Neo4J with JDBC and Hibernate OGM. It seems that its not worth it to use for me. JDBC gives me some trouble. So should i go with the REST way or try to fix my JDBC problems?
The JDBC driver is really a wrapper around the REST interface (as of neo4j 2.3). There is a example application how to use it. Should suffice for very simple use.
Then there is neo4j-ogm (different from Hibernate OGM) - this is an object graph mapping library, similar to hibernate in ORM world. This has minimal external dependencies and is very easy to use - ideal for cases where you want to map couple of objects into graph.
Then there is the Spring Data Neo4j project, which since version 4 uses neo4j-ogm for mapping, but adds other Spring data features, like repositories, derived finder queries, transactions ...
Currently We have an enterprise application that works with spring and JPA.
Today we are planning our next generation server.
We are debating whether to use spring-data in our project? It seems to increase productivity and development times.
Are there any alternatives to spring-data to consider? Why not using spring and JPA alone?
What do you suggest?
Bear in mind we are starting to develop from scratch so no constraints are available other than:
we use mysql and mongoDB
we code in java
we will develop client side code in GWT.
Currently we have a layered architecture.
We have a Service layer and a manager layer, which takes care for persisting and business logic. Whoever built that didn't see a good reason to insert the third DAO layer.
There are some technical benefits of Spring Data over Spring + JPA, which in a pure SQL environment, I think give Spring Data an advantage:
Spring Data uses the same CrudRepository interface for all implementations, so you'll have less effort to switch between JPA to MongoDB
Spring Data saves you writing the same methods again and again. You just add the method to the interface and it'll generate it for you (e.g. UserRepository.findByUsername())
You can save boilerplate on REST implementations for JPA, MongoDB and others (see http://projects.spring.io/spring-data-rest/)
If you wanted to experiment with other persistence or indexing services, then there are Spring Data implementations for both mature and newer technologies such as for Neo4j, Hadoop, Solr, ElasticSearch, fuzzydb.
Given that you use MySQL and MongoDB, I think Spring Data is a strong candidate, as it allows developers to code to a single data access API (Spring Data) instead of two (JPA and the MongoDB Java Client).
Regarding the existing architecture, it sounds as though your manager layer is implementing either a Rich Domain pattern, or Active Record.
Spring Data is in my view very well suited to Rich Domain when combined with injection of services using Spring's #Configurable.
Lastly, I'd say that Spring Data also gives a significant advantage when needing to implement services for things like Spring Security and Spring Social, which use MongoDB or others instead of SQL.
We did this in the fuzzydb sample webapp that can be found here. (Disclaimer: I'm the currently sole recent committer on fuzzydb, and haven't touched it for a number of years, but we did have a live service, www.fridgemountain.com, based on that code, but neglected to promote it)