I.e., J2EE declarative security handles Authentication (who am I) and Authorization (can I execute this code), but it doesn't handle "can I see this data". By adding what you have suggested, and then implementing a custom interceptor, an application could more transparently handle the "can I see (edit) this data" portion.
You can use custom interceptors now, and standalone programs can call a JAAS LoginModule then call "doAsPrivileged" at the top level of the application. But something like a Struts or JBoss application needs to call "doAsPrivileged" for each view, and it makes much more sense to wrap the Hibernate call. Doing it explicitly is stupid - it's error prone, people will forget or get it wrong - and that's what got me thinking about doing it in the Session implementation.
That's why one of my questions is exactly what class *is* the Session implementation that I get back from a stock install. I looked around briefly but haven't found it yet.
... but being able to tie the control into a database (so that permissions can be modified in the DB) is vitally important. Unfortunately, that part will probably have to be custom developed for each application.
But all permissions are an instance of Permission. Can't the O/R mapping take advantage of that?
The other thing to keep in mind is that Policies can support multiple ProtectionDomains. It's perfectly valid to say that the Hibernate internal and "standard" Permissions form one domain and occupy one O/R mapped table, and any custom Permissions must occupy a different domain & table.
BTW, I forgot to mention earlier that this provides yet another solution to the "audit info" question - the interceptor can pull the Principals from the current Subject, find the specific class that the interceptor was told to look for, then insert the principal name into the results.
Bear
hibernate-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/hibernate-devel
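The wrapped-Session idea from the message above, written out as an added illustration rather than code from the poster or from Hibernate: a custom Interceptor that performs the "can I see this data" check as a java.security.Permission against the JAAS Subject bound by doAsPrivileged, and that fills the audit column from the Principal class it was told to look for. It assumes the Hibernate 3.x-5.x `EmptyInterceptor` API, a JAAS LoginModule that has populated the Subject, and a Policy that grants the permission to that Subject's Principals; `SubjectAwareInterceptor`, `EntityReadPermission` and the "createdBy" property are hypothetical names.

```java
import java.io.Serializable;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Principal;
import javax.security.auth.Subject;
import org.hibernate.EmptyInterceptor;
import org.hibernate.type.Type;

// Hypothetical interceptor, registered on the SessionFactory; the web tier runs each
// request inside Subject.doAsPrivileged(subject, action, null) once the LoginModule has run.
public class SubjectAwareInterceptor extends EmptyInterceptor {
    // "Can I see this data?" as a Permission named after the entity class, so the Policy
    // (possibly DB-backed) grants it per Principal rather than at each call site.
    public static final class EntityReadPermission extends BasicPermission {
        public EntityReadPermission(String entityClassName) { super(entityClassName); }
    }
    private final Class<? extends Principal> principalClass; // Principal class to look for
    private final String auditProperty;                      // e.g. "createdBy" (assumed name)
    public SubjectAwareInterceptor(Class<? extends Principal> principalClass, String auditProperty) {
        this.principalClass = principalClass;
        this.auditProperty = auditProperty;
    }
    // Name of the first Principal of the configured class on the Subject that doAsPrivileged()
    // bound to this thread's AccessControlContext, or null when no Subject is bound.
    String currentPrincipalName() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) return null;
        for (Principal p : subject.getPrincipals(principalClass)) return p.getName();
        return null;
    }
    @Override
    public boolean onLoad(Object entity, Serializable id, Object[] state, String[] propertyNames, Type[] types) {
        // Throws AccessControlException unless the Policy grants this permission to the current
        // Subject's Principals, so a view that forgot its own check still cannot receive the row.
        AccessController.checkPermission(new EntityReadPermission(entity.getClass().getName()));
        return false; // state array unchanged
    }
    @Override
    public boolean onSave(Object entity, Serializable id, Object[] state, String[] propertyNames, Type[] types) {
        String who = currentPrincipalName();
        if (who == null) return false; // no Subject bound: leave the audit column alone
        for (int i = 0; i < propertyNames.length; i++) {
            if (auditProperty.equals(propertyNames[i])) {
                state[i] = who; // audit value comes from the Subject, not from the caller
                return true;    // tell Hibernate the state array was modified
            }
        }
        return false;
    }
}
```

A failed permission check surfaces as an AccessControlException out of Session.load()/get(), which is the intended effect: the caller has no way to skip the check, and the "who" stored for audit is whatever the LoginModule authenticated rather than a value the view passed in.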