openjpa-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <adam....@cyberspaceroad.org>
Subject Re: adding data visibility / ownership restrictions to query
Date Thu, 13 Dec 2007 16:47:30 GMT
OK thanks. Threadlocal it is then.

plinskey@gmail.com on 13/12/07 03:13, wrote:
> From a JPA standpoint, you'll need to either pass along the credential info 
> (or use a ThreadLical or some sort of context-specific state), or use the 
> underlying capabilities of your database to do per-user authentication. For 
> example, Oracle's OCI driver allows communication of user authorization over 
> a pooled Connection prior to use.
> 
> -Patrick
> 
> On 12/12/07, Adam Hardy <adam.sql@cyberspaceroad.org> wrote:
>> Hello List,
>> 
>> I've used several different mechanisms on previous projects to restrict 
>> query results to data the user is authorised to see, and now with my 
>> current project and new standards-compliant JPA implementation of the 'data
>>  services layer', I wanted check what the community holds to be the 
>> idiomatic approach.
>> 
>> I am inclined to add the user or group id wherever necessary in the Data 
>> Access Object code after retrieving it from the security context, and 
>> indeed that seems like the only approach possible at this time with JPA. Is
>>  that correct?


Mime
View raw message