OK thanks. Threadlocal it is then.
[EMAIL PROTECTED] on 13/12/07 03:13, wrote:
From a JPA standpoint, you'll need to either pass along the credential info
(or use a ThreadLocal or some sort of context-specific state), or use the
underlying capabilities of your database to do per-user authentication. For
example, Oracle's OCI driver allows communication of user authorization over
a pooled Connection prior to use.
-Patrick
On 12/12/07, Adam Hardy <[EMAIL PROTECTED]> wrote:
Hello List,
I've used several different mechanisms on previous projects to restrict
query results to data the user is authorised to see, and now with my
current project and new standards-compliant JPA implementation of the 'data
services layer', I wanted to check what the community holds to be the
idiomatic approach.
I am inclined to add the user or group id wherever necessary in the Data
Access Object code after retrieving it from the security context, and
indeed that seems like the only approach possible at this time with JPA. Is
that correct?
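
The ThreadLocal approach settled on in this thread, as an added example that is not part of the original messages or of any JPA implementation: the user id is bound for one unit of work, always cleared so a pooled thread cannot carry it into the next request, and the data access code refuses to run when no user is bound. The class, the `Invoice` record, the sample rows and the JPQL in the comment are assumptions, and an in-memory list stands in for the EntityManager query (Java 16+).

```java
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalOwnerFilter {
    // Hypothetical per-thread holder for the authenticated user id.
    static final ThreadLocal<String> USER = new ThreadLocal<>();

    // Bind the user for one unit of work and always clear it afterwards:
    // pooled threads are reused, so a stale value would leak to the next caller.
    static <T> T runAs(String userId, Callable<T> work) throws Exception {
        USER.set(userId);
        try {
            return work.call();
        } finally {
            USER.remove();
        }
    }

    // Fail closed: no bound user means no query, never "all rows".
    static String requireUser() {
        String u = USER.get();
        if (u == null) throw new IllegalStateException("no authenticated user bound to thread");
        return u;
    }

    record Invoice(long id, String ownerId) {}

    // Constructed sample rows standing in for the database table.
    static final List<Invoice> TABLE = List.of(
        new Invoice(1, "alice"), new Invoice(2, "bob"), new Invoice(3, "alice"));

    // Stand-in for a DAO method. With an EntityManager the id would be bound as a named
    // parameter, e.g. "SELECT i FROM Invoice i WHERE i.ownerId = :owner" (assumed entity).
    static List<Invoice> findAll() {
        String owner = requireUser();
        return TABLE.stream().filter(i -> i.ownerId().equals(owner)).toList();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one thread, reused
        try {
            System.out.println(pool.submit(() -> runAs("alice", ThreadLocalOwnerFilter::findAll)).get());
            pool.submit(ThreadLocalOwnerFilter::findAll).get(); // same thread, no user bound
        } catch (ExecutionException e) {
            System.out.println("rejected: " + e.getCause().getMessage());
        } finally {
            pool.shutdown();
        }
    }
}
```

The second call runs on the same pooled thread that served "alice" and is rejected rather than reusing her id, which is the behaviour to verify whenever the filter value travels in a ThreadLocal.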