I am considering implementing row level security using the Interceptor method for my application.

I know I need extend the EmptyInterceptor, but have a question about when methods are called. When an object is loaded from the database, the interceptor's onLoad event is called. Once it is loaded, it is maintained in the cache until such time as the space needs reclaiming. While it is in the cache, if another user requests that object will the onLoad even be called again.

The reason I ask is that if I put my RowSecurity at this level, will the security be circumvented by cached objects. The scenario I am envisioning is as follows: User1 requests Object1. The onLoad even is called and the authorization passes for User1 and the object is returned. User2 requests Object1(but they should not have access according to the custom interceptor). If the onLoad method of my custom interceptor is not called it just be returned and thereby circumventing security.

Is the onLoad only called when being loaded from the database or is it called when being returned from the cache as well.

Thanks in advance!

Note that Hibernate has both a first-level cache and a second-level cache... I am not sure which cache you are talking about.

In any case, the onLoad method is called whenever the object is loaded from the database or the second-level cache, but not from the first-level cache. But the first-level cache is always bound to a session and a session should not be shared between different users.