Hello List,
I've used several different mechanisms on previous projects to restrict query
results to data the user is authorised to see, and now with my current project
and new standards-compliant JPA implementation of the 'data services layer', I
wanted to check what the community holds to be the idiomatic approach.
I am inclined to add the user or group id wherever necessary in the Data Access
Object code after retrieving it from the security context, and indeed that seems
like the only approach possible at this time with JPA. Is that correct?
Thanks
Adam
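
The approach described in the message above, as an added example that is not part of the original post: a DAO that reads the group id from the security context itself and binds it into every JPQL query, including primary-key lookups. The `Report` entity, the `CurrentUser` interface and the `ownerGroupId` column are hypothetical names, and the imports assume `jakarta.persistence` (JPA 2.2 or later; `javax.persistence` on older stacks).

```java
import jakarta.persistence.*;
import java.util.List;
import java.util.Optional;

// Hypothetical entity: each row records the group allowed to read it.
@Entity
class Report {
    @Id @GeneratedValue Long id;
    @Column(nullable = false) Long ownerGroupId;
    String title;
    protected Report() {}   // no-arg constructor required by JPA
}

// Hypothetical abstraction over the security context, backed by whatever
// the container or framework exposes for the authenticated principal.
interface CurrentUser {
    Long groupId();
}

class ReportDao {
    private final EntityManager em;
    private final CurrentUser currentUser;

    ReportDao(EntityManager em, CurrentUser currentUser) {
        this.em = em;
        this.currentUser = currentUser;
    }

    // The group id is never a method argument, so callers can neither
    // supply another group's id nor forget the restriction.
    List<Report> findAll() {
        return em.createQuery(
                "SELECT r FROM Report r WHERE r.ownerGroupId = :gid", Report.class)
            .setParameter("gid", currentUser.groupId())
            .getResultList();
    }

    // Primary-key lookups use the same predicate. em.find(Report.class, id)
    // would return the row whatever its owner, bypassing the restriction.
    Optional<Report> findById(Long id) {
        return em.createQuery(
                "SELECT r FROM Report r WHERE r.id = :id AND r.ownerGroupId = :gid",
                Report.class)
            .setParameter("id", id)
            .setParameter("gid", currentUser.groupId())
            .getResultStream()
            .findFirst();
    }
}
```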