[hibernate-dev] Hibernate Filters and EntityManager.find

Steve Ebersole steve at hibernate.org
Wed Nov 30 09:30:00 EST 2011

What you are doing is called multi-tenancy.

Hibernate 4 has more explicit support for multi-tenant data.  
Unfortunately 4.0 only supports cases where the schema is replicated on 
multiple databases/schemas.  There will also be support for 
discrimination-based multi-tenancy at some point in 4.x (4.1 or 4.2).  
If you want to help develop that feature, that would be great.

However, I am not going to change the way/places that filters are 
applied.  They work exactly as intended.

On Tue 29 Nov 2011 11:24:19 AM CST, Jason Clawson wrote:
> Hi everyone.  I know that Hibernate session filters do not apply to
> find/load operations because the assumption was made that if you know the
> ID of the entity you wish to load, why tack on the extra WHERE condition.
>   Please let me explain my use case for filters and illustrate why this
> assumption is incorrect.
> We use filters to do data separation.  For example, separating one
> customers data from another's.  We also have other filters that do finer
> grained object visibility conditions.  But lets take a look at customer
> data separation since its the easiest to understand.  The advantage of
> doing customer data separation in this way is that developers don't need to
> think about it.  It just works, and it works *automatically*.  The problem
> comes in when you want to do something like em.find(User.class, 1).  No
> WHERE clause is attached to the SQL statement.  Yes, I know the ID, but I
> really want to tack on to the WHERE clause "AND customerId = 3" to make
> sure that someone isn't fuzzing the ID parameter to try and get at another
> customer's data.
> The workaround we have is another mechanism that validates the entity in a
> PostLoad entity listener and throws an exception if the customerId != the
> request's customerId.  This is "ok" for the simple example I laid out here.
>   However, we now have many more filters that implement complex visibility
> rules based on subselects and oracle CONNECT BY clauses which cannot be
> implemented using a simple equality check in java.  The best, most
> performant, solution is to be able to apply the filter clause to the
> EntityManager.find operation.
> What is your take on this?
> Thanks,
> Jason Clawson
> _______________________________________________
> hibernate-dev mailing list
> hibernate-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hibernate-dev

steve at hibernate.org

More information about the hibernate-dev mailing list