Would it make sense to tie this into Hibernate validation, or is this a silly idea?
You can definitely write a JPA entitylistener which checks actual field values using equals() during an update operation. (In theory you should really use Type.isDirty() in Hibernate, but that's not portable.)
So you would require that the user annotate entity attributes with @Restrict, and imply a permission like (customer, name) from that. Then the interceptor would look at the fields annotated @Restrict and check the permission when the entity is updated.
The thing which makes me a bit skeptical of this stuff is that there would only be field-level permissions for update operations, not for read, create, delete.
I suppose you could interpret a field-level permission during create as meaning that it gets checked if it is non-null.
But read would be *very* difficult to do.
Shane, I don't see how Hibernate Validator would help.
Alternatively, the user can write an entitylistener, and call Identity.checkPermission() themselves.
I think UPDATE for individual fields is by far the most common case: You can always check CREATE easily in customerHome.persist() and SELECT in customerHome.find(). Nobody is using DELETE anyway :)