Re: [eclipselink-users] jpasecurity project?

On Wed, Nov 16, 2011 at 1:45 PM, James Sutherland <jamesssss@xxxxxxxxx> wrote:
EclipseLink has support for appending additional criteria to queries.

And is that facility on the standards track, do you know?

It concerns me that I have to explicitly set properties here to fill JPQL slots; in the jpasecurity case I can set all that up as a kind of aspect (i.e. I can say "the current principal", instead of having to ensure that the current principal is set as a property on the EM.  It's kind of like augmenting @AdditionalCriteria with ${expressionLanguage} ${constructs}).

I assume I can also set some sort of filtering on, say, one-to-many relationships so that even when I haven't explicitly issued a JPQL query I still see only the items I'm supposed to?

My goal here is not to say "how come you don't do it like X", but to see if there's a plan for row-level security in the JPA specification going forwards that does not force me to retrofit the business logic of an existing application (making explicit setProperty calls on my entity manager, when I don't know what the security rules might be, seems to me difficult if not impossible--which properties will I need to set?).  jpasecurity is the closest thing I've seen to this approach.

(For completeness, Hibernate filters are the granddaddy for this sort of thing, and it looks like EclipseLink sort of followed their lead.)

Thanks for your reply and for any further information you have on all this.

Best,
Laird

--
http://about.me/lairdnelson
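
The mechanism discussed in this message, an EclipseLink `@AdditionalCriteria` whose parameter must be supplied as an EntityManager property, shown as an added example that is not code from the thread or from EclipseLink. It binds the principal in one factory helper so application code never calls `setProperty` itself. The `Document` entity, its `owner` field, the `currentPrincipal` parameter name and the `PrincipalScopedEntityManagers` helper are all hypothetical.

```java
import java.security.Principal;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Id;
import org.eclipse.persistence.annotations.AdditionalCriteria;

// Hypothetical entity. EclipseLink appends the criteria below to queries on
// Document; ":currentPrincipal" is a parameter the caller must supply.
@Entity
@AdditionalCriteria("this.owner = :currentPrincipal")
public class Document {
    @Id
    private Long id;
    private String owner;   // name of the principal allowed to see this row
    private String title;

    protected Document() { }   // no-arg constructor required by JPA

    public String getTitle() { return title; }
}

// Hypothetical helper: the single place where the caller's identity is bound
// to the EntityManager, so business code cannot forget to set the property.
final class PrincipalScopedEntityManagers {
    static final String CURRENT_PRINCIPAL = "currentPrincipal";

    private PrincipalScopedEntityManagers() { }

    static EntityManager open(EntityManagerFactory emf, Principal caller) {
        // Fail closed: never hand out an EntityManager without an identity.
        if (caller == null || caller.getName() == null) {
            throw new SecurityException("no authenticated principal");
        }
        EntityManager em = emf.createEntityManager();
        // Fills the ":currentPrincipal" slot of the @AdditionalCriteria above.
        em.setProperty(CURRENT_PRINCIPAL, caller.getName());
        return em;
    }
}
```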

