[hibernate-dev] Hibernate Filters and EntityManager.find

Jason Clawson jclawson at qualys.com
Tue Nov 29 12:24:19 EST 2011

Hi everyone.  I know that Hibernate session filters do not apply to
find/load operations because the assumption was made that if you know the
ID of the entity you wish to load, why tack on the extra WHERE condition.
 Please let me explain my use case for filters and illustrate why this
assumption is incorrect.

We use filters to do data separation.  For example, separating one
customers data from another's.  We also have other filters that do finer
grained object visibility conditions.  But lets take a look at customer
data separation since its the easiest to understand.  The advantage of
doing customer data separation in this way is that developers don't need to
think about it.  It just works, and it works *automatically*.  The problem
comes in when you want to do something like em.find(User.class, 1).  No
WHERE clause is attached to the SQL statement.  Yes, I know the ID, but I
really want to tack on to the WHERE clause "AND customerId = 3" to make
sure that someone isn't fuzzing the ID parameter to try and get at another
customer's data.

The workaround we have is another mechanism that validates the entity in a
PostLoad entity listener and throws an exception if the customerId != the
request's customerId.  This is "ok" for the simple example I laid out here.
 However, we now have many more filters that implement complex visibility
rules based on subselects and oracle CONNECT BY clauses which cannot be
implemented using a simple equality check in java.  The best, most
performant, solution is to be able to apply the filter clause to the
EntityManager.find operation.

What is your take on this?


Jason Clawson

More information about the hibernate-dev mailing list