openjpa-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From plins...@gmail.com
Subject Re: adding data visibility / ownership restrictions to query
Date Thu, 13 Dec 2007 03:13:11 GMT
>From a JPA standpoint, you'll need to either pass along the credential
info (or use a ThreadLical or some sort of context-specific state), or
use the underlying capabilities of your database to do per-user
authentication. For example, Oracle's OCI driver allows communication
of user authorization over a pooled Connection prior to use.

-Patrick

On 12/12/07, Adam Hardy <adam.sql@cyberspaceroad.org> wrote:
> Hello List,
>
> I've used several different mechanisms on previous projects to restrict
> query
> results to data the user is authorised to see, and now with my current
> project
> and new standards-compliant JPA implementation of the 'data services layer',
> I
> wanted check what the community holds to be the idiomatic approach.
>
> I am inclined to add the user or group id wherever necessary in the Data
> Access
> Object code after retrieving it from the security context, and indeed that
> seems
> like the only approach possible at this time with JPA. Is that correct?
>
> Thanks
> Adam
>


-- 
Patrick Linskey
202 669 5907

Mime
View raw message