The system I am currently working on requires some role-based security, which is well catered for in the Java EE stack. The system intends to be a framework for business domain experts to write their code on top of.
However, there is also a requirement for data
security. That is, what information is visible to an end user.
This effectively means reducing visibility to rows (and perhaps even columns) in the database.
We are using Hibernate for our persistence. However, we are using our own annotations so as not to expose our persistence choice to the business domain experts.
For row based security this means we could add an annotation such as
@Secured at the entity level, which would cause an extra column to be added to the underlying table to constrain our selects?
For column based security, we could perhaps have
@Secured to either assist in query generation, or perhaps use an aspect to filter the information returned?
I'm curious to know how this might affect hibernate's caching mechanisms as well?
I'm sure a lot of others will have had the same issue, and I was wondering how you approached this?