We'd like to implement a basic security check that throws a SecurityException when certain objects are loaded/saved/updated/deleted during a Hibernate session.
Intended solution: Collect onLoad()/onSave()/onDelete() calls in an Interceptor, and perform the security check in beforeTransactionComplete() [it cannot be done directly in onLoad etc, because the fields of the objects aren't fully initialized there yet]
Problem: Hibernate swallows *all Throwables* in
SessionImpl.beforeTransactionCompletion() [I wonder, if catching the Throwable without rethrowing is really a good idea?]
As a temporary workaround, we're performing our check postFlush() instead of beforeTransactionComplete(), but I'm not sure, if this is the correct place. Our unit tests show, that postFlush is called even if the session only
loads objects, but I don't think, the behaviour is fully specified? Is there maybe a better place?