>From a JPA standpoint, you'll need to either pass along the credential info (or use a ThreadLical or some sort of context-specific state), or use the underlying capabilities of your database to do per-user authentication. For example, Oracle's OCI driver allows communication of user authorization over a pooled Connection prior to use.
-Patrick On 12/12/07, Adam Hardy <[EMAIL PROTECTED]> wrote: > Hello List, > > I've used several different mechanisms on previous projects to restrict > query > results to data the user is authorised to see, and now with my current > project > and new standards-compliant JPA implementation of the 'data services layer', > I > wanted check what the community holds to be the idiomatic approach. > > I am inclined to add the user or group id wherever necessary in the Data > Access > Object code after retrieving it from the security context, and indeed that > seems > like the only approach possible at this time with JPA. Is that correct? > > Thanks > Adam > -- Patrick Linskey 202 669 5907
