[jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-3838) Permission check fails on collections that contain lazily initialized entities

Permission check fails on collections that contain lazily initialized entities ------------------------------------------------------------------------------ Key: JBSEAM-3838 URL: https://jira.jboss.org/jira/browse/JBSEAM-3838 Project: Seam Issue Type: Bug Components: Security Affects Versions: 2.1.0.SP1 Reporter: Georges Berscheid Assignee: Shane Bryzak org.jboss.seam.security.permission.PermissionMapper.filterByPermission:94 The permission filter checks if the target of the check is of the same class as the target of the permission. If the collection-parameter is the result of a javax.persistence.Query.getResultList() (using Hibernate), and one of the entities returned in that List had previously been lazily fetched (e.g. as part of an entity relationship) this check will fail. Hibernate probably does some optimization and knows that it had fetched this entity before, and hence puts the lazy proxy into the result list. The proxy's class name is something like Entity_$$_javassist_12 which won't match the class name of the permission target (Entity). The only work-around I could find for this is to eagerly fetch all entity relationships that are affected by this behavior, which kills the performance of the application.