anonymous wrote:
One alternative approach is instead of passing the entity object around,
just pass the id in a request parameter and use something like the ManagedEntity component
(in Seam CVS) to auto-load the entity instance and expose it via a context variable.

Since request parameters can be easily manipulated by a malicious user, this seems like a
pretty dangerous general approach to me. When you're searching a blog or providing
REST services, this works great. For a general CRUD framework this worries me.
For example, I wouldn't want my bank's online "add joint account member"
conversation to take in currentUserId and newJointUserId as request params.
Of course, I haven't seen this thing in action, maybe there are safeguards in place to
detect manipulation of these params. Please assuage my fears. :)
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3974032#...
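
One form the safeguard asked about above could take, as an added example that is not part of the original post and is not Seam code: the acting user comes from the authenticated session, and a currentUserId parameter that disagrees with it is rejected. The class, the method names and the in-memory data are hypothetical; only the two parameter names come from the post.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class JointAccountDemo {
    // Constructed data: account owner id -> ids of joint members.
    static final Map<Long, Set<Long>> JOINT_MEMBERS = new HashMap<>();

    // The pattern the post worries about: the acting user is whatever the request says.
    static void addMemberTrustingParams(Map<String, String> params) {
        long owner = Long.parseLong(params.get("currentUserId"));
        long added = Long.parseLong(params.get("newJointUserId"));
        JOINT_MEMBERS.get(owner).add(added);
    }

    // Safeguard: the acting user comes from the authenticated session only.
    // A currentUserId parameter, if sent, must match it or the request is rejected.
    static void addMemberChecked(long sessionUserId, Map<String, String> params) {
        String claimed = params.get("currentUserId");
        if (claimed != null && Long.parseLong(claimed) != sessionUserId) {
            throw new SecurityException("currentUserId does not match session user");
        }
        Set<Long> members = JOINT_MEMBERS.get(sessionUserId);
        if (members == null) {
            throw new SecurityException("no account for session user");
        }
        members.add(Long.parseLong(params.get("newJointUserId")));
    }

    public static void main(String[] args) {
        JOINT_MEMBERS.put(1L, new HashSet<>()); // user 1's account
        JOINT_MEMBERS.put(2L, new HashSet<>()); // user 2's account

        // Constructed request: the session belongs to user 2, the parameters name user 1.
        Map<String, String> params = Map.of("currentUserId", "1", "newJointUserId", "2");

        addMemberTrustingParams(params);
        System.out.println("trusting params, user 1 members: " + JOINT_MEMBERS.get(1L));

        JOINT_MEMBERS.get(1L).clear();
        try {
            addMemberChecked(2L, params);
        } catch (SecurityException e) {
            System.out.println("checked: rejected (" + e.getMessage() + ")");
        }
        System.out.println("checked, user 1 members: " + JOINT_MEMBERS.get(1L));
    }
}
```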