Hi everyone. I know that Hibernate session filters do not apply to find/load operations because the assumption was made that if you know the ID of the entity you wish to load, why tack on the extra WHERE condition. Please let me explain my use case for filters and illustrate why this assumption is incorrect.
We use filters to do data separation. For example, separating one customers data from another's. We also have other filters that do finer grained object visibility conditions. But lets take a look at customer data separation since its the easiest to understand. The advantage of doing customer data separation in this way is that developers don't need to think about it. It just works, and it works *automatically*. The problem comes in when you want to do something like em.find(User.class, 1). No WHERE clause is attached to the SQL statement. Yes, I know the ID, but I really want to tack on to the WHERE clause "AND customerId = 3" to make sure that someone isn't fuzzing the ID parameter to try and get at another customer's data. The workaround we have is another mechanism that validates the entity in a PostLoad entity listener and throws an exception if the customerId != the request's customerId. This is "ok" for the simple example I laid out here. However, we now have many more filters that implement complex visibility rules based on subselects and oracle CONNECT BY clauses which cannot be implemented using a simple equality check in java. The best, most performant, solution is to be able to apply the filter clause to the EntityManager.find operation. What is your take on this? Thanks, Jason Clawson _______________________________________________ hibernate-dev mailing list hibernate-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/hibernate-dev
