[
http://opensource.atlassian.com/projects/hibernate/browse/EJB-255?page=co...
]
Marek Mosiewicz commented on EJB-255:
-------------------------------------
"Currently Hibernate does not offer read/insert/update/delete annotations for entity
but if it would it could be interesting in some scenarios."
What do you mean?
Some annotation to control permissions to operations. In fact there is no good solution to
db security in case you use a connection pool, because you can not use db security (it would
require a different connection for each app user). It can be useful for the application to say
that table x can be updated by role y and viewed by role z. It could also be easy to add
some WHERE rewriter and have row level security (user x can access only this data from
the warehouse table where it fulfills some condition). Now in the case of a web application it is
the duty of application logic, but it could be done by hibernate in many cases.
But the problem is more serious in the case of remote access. Currently you usually
control it in SessionBeans, but it could be nice to give the client an EntityManager which is
security aware. The remote client would get a SessionBean with the EntityManager interface and it
could do only what it is allowed. If the client wants to save or load an entity which he is not
allowed to, it will throw an Exception. I now have something similar in my SessionBean which tries
to analyze the query and apply security logic to it. But it only accepts simple queries.
The next step would be a remote EntityManager (a local class connecting with the server via servlet or
as a SessionBean) which would be secure and would lazy load and would do intelligent
flush.
Now there is great duplication of work. I have to update grants to tables for client
(which uses db security) and duplicate security logic in SessionBean which does not use db
security due to connection pooling.
Another solution would be connection pooling which can be J2EE security aware and would
get a separate connection per user (using which password?), but it is not what a connection
pool is (anyway it would work well in many scenarios).
The third solution, which I use, is the intelligent session bean mentioned earlier, which makes security
checks. But then I can not use lazy loading and any intelligent flush (I have limited
ability to navigate relations).
Marek Mosiewicz
http://www.jotel.com.pl
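
A sketch of the per-operation role check and row-level condition that the comment above describes, added here as an illustration; it is not Hibernate or JPA code and not code from the commenter. The `@Permit` annotation, the `RowScoped` interface, the `check` method and the sample callers are all hypothetical, and the row-level test is done in memory rather than by rewriting a WHERE clause (Java 16+).

```java
import java.lang.annotation.*;
import java.util.*;

public class SecureAccessDemo {
    enum Op { READ, INSERT, UPDATE, DELETE }

    // Hypothetical annotations (not part of Hibernate or JPA): roles allowed per operation.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @Repeatable(Permits.class)
    @interface Permit { Op op(); String[] roles(); }

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface Permits { Permit[] value(); }

    // Row-level scope: the in-memory analogue of an appended WHERE condition.
    interface RowScoped { String scope(); }

    @Permit(op = Op.READ, roles = {"clerk", "manager"})
    @Permit(op = Op.UPDATE, roles = {"manager"})
    static class StockItem implements RowScoped {
        final String warehouse;
        StockItem(String warehouse) { this.warehouse = warehouse; }
        public String scope() { return warehouse; }
    }

    record Caller(String name, Set<String> roles, String scope) {}

    // Deny by default: an operation passes only if some @Permit names it,
    // the caller holds one of its roles, and the row lies in the caller's scope.
    static void check(Caller caller, Op op, Object entity) {
        boolean inScope = !(entity instanceof RowScoped r) || r.scope().equals(caller.scope());
        for (Permit p : entity.getClass().getAnnotationsByType(Permit.class)) {
            boolean roleOk = !Collections.disjoint(caller.roles(), Arrays.asList(p.roles()));
            if (p.op() == op && roleOk && inScope) return;
        }
        throw new SecurityException(caller.name() + " may not " + op + " "
                + entity.getClass().getSimpleName());
    }

    static boolean allowed(Caller c, Op op, Object e) {
        try { check(c, op, e); return true; } catch (SecurityException ex) { return false; }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Caller clerk = new Caller("clerk1", Set.of("clerk"), "WH-1");
        Caller manager = new Caller("mgr1", Set.of("manager"), "WH-1");
        StockItem own = new StockItem("WH-1"), other = new StockItem("WH-2");
        System.out.println("clerk READ own:     " + allowed(clerk, Op.READ, own));
        System.out.println("clerk UPDATE own:   " + allowed(clerk, Op.UPDATE, own));
        System.out.println("manager UPDATE own: " + allowed(manager, Op.UPDATE, own));
        System.out.println("manager UPDATE other warehouse: " + allowed(manager, Op.UPDATE, other));
        System.out.println("manager DELETE own (no @Permit): " + allowed(manager, Op.DELETE, own));
    }
}
```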
Remoting capabilities
---------------------
Key: EJB-255
URL: http://opensource.atlassian.com/projects/hibernate/browse/EJB-255
Project: Hibernate Entity Manager
Issue Type: New Feature
Reporter: Dimitry Voytenko
I came across Kodo's implementation of remote persistent managers for both JPA and
JDO:
http://www.solarmetric.com/Software/Documentation/3.2.0RC2/docs/ref_guide...
http://www.solarmetric.com/Software/Documentation/3.2.0RC2/docs/ref_guide...
The solution looks pretty elegant. The main idea behind it is that server and client
communicate b/w each other using object graphs (no proxies and no object serialization
required) and thus working with JDO/JPA objects on the client looks exactly the same as on the
server, removing the necessity of DTO objects in the majority of cases.
Have you ever thought about including similar functionality for Hibernate? I do believe
it could be a great performance booster for many types of applications.