[hibernate-dev] Hibernate Filters and EntityManager.find
Steve Ebersole
steve at hibernate.org
Wed Nov 30 09:30:00 EST 2011
What you are doing is called multi-tenancy.
Hibernate 4 has more explicit support for multi-tenant data.
Unfortunately 4.0 only supports cases where the schema is replicated on
multiple databases/schemas. There will also be support for
discrimination-based multi-tenancy at some point in 4.x (4.1 or 4.2).
If you want to help develop that feature, that would be great.
However, I am not going to change the way/places that filters are
applied. They work exactly as intended.
On Tue 29 Nov 2011 11:24:19 AM CST, Jason Clawson wrote:
> Hi everyone. I know that Hibernate session filters do not apply to
> find/load operations because the assumption was made that if you know the
> ID of the entity you wish to load, why tack on the extra WHERE condition.
> Please let me explain my use case for filters and illustrate why this
> assumption is incorrect.
>
> We use filters to do data separation. For example, separating one
> customers data from another's. We also have other filters that do finer
> grained object visibility conditions. But lets take a look at customer
> data separation since its the easiest to understand. The advantage of
> doing customer data separation in this way is that developers don't need to
> think about it. It just works, and it works *automatically*. The problem
> comes in when you want to do something like em.find(User.class, 1). No
> WHERE clause is attached to the SQL statement. Yes, I know the ID, but I
> really want to tack on to the WHERE clause "AND customerId = 3" to make
> sure that someone isn't fuzzing the ID parameter to try and get at another
> customer's data.
>
> The workaround we have is another mechanism that validates the entity in a
> PostLoad entity listener and throws an exception if the customerId != the
> request's customerId. This is "ok" for the simple example I laid out here.
> However, we now have many more filters that implement complex visibility
> rules based on subselects and oracle CONNECT BY clauses which cannot be
> implemented using a simple equality check in java. The best, most
> performant, solution is to be able to apply the filter clause to the
> EntityManager.find operation.
>
> What is your take on this?
>
> Thanks,
>
> Jason Clawson
> _______________________________________________
> hibernate-dev mailing list
> hibernate-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hibernate-dev
--
steve at hibernate.org
http://hibernate.org
More information about the hibernate-dev
mailing list