bounce ... nobody worried about parameter injection and Hibernate filters?
bounce again... The number of views on this post tells me I should have chosen a catchier title.
I'd just love to get a comment on this by the community or the Seam Team!
I can post some details from Hibernate logging to explain what I think is happening.
We need some time to look into it, it's on my to-do list.
Folks, it's supposed to work like this. Hibernate filters do not filter retrieval by identifier (it's your fault if you expose identifiers to malicious users), retrieval of proxies, many-to-one and one-to-one associations. If you want stuff filtered, use HQL, Criteria, or collection filters. Yes, there is a reason why it is like that.
Take this onto the Hibernate forum, this is the wrong place.
And examples/wiki/ shows you how to do it properly.
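The behaviour described in the reply above, as an added example (not code from this thread, Hibernate or Seam): with a filter enabled, `Session.get()` by identifier still returns the row, while the same lookup written as HQL is filtered. The `Doc` entity, the `tenant` filter and `findVisible` are hypothetical names; the example assumes Hibernate 5.x (`javax.persistence`) and the H2 driver on the classpath.

```java
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;
import org.hibernate.cfg.Configuration;

public class FilterByIdDemo {
    // Hypothetical entity: every row belongs to exactly one tenant.
    @Entity(name = "Doc")
    @FilterDef(name = "tenant", parameters = @ParamDef(name = "tenantId", type = "long"))
    @Filter(name = "tenant", condition = "tenant_id = :tenantId")
    public static class Doc {
        @Id Long id;
        @Column(name = "tenant_id") Long tenantId;
        String title;
        Doc() {}
        Doc(Long id, Long tenantId, String title) { this.id = id; this.tenantId = tenantId; this.title = title; }
    }

    // Lookup by id written as HQL, so the enabled filter is appended to the WHERE clause.
    static Doc findVisible(Session s, Long id) {
        return s.createQuery("from Doc d where d.id = :id", Doc.class)
                .setParameter("id", id).uniqueResult();
    }

    public static void main(String[] args) {
        SessionFactory sf = new Configuration().addAnnotatedClass(Doc.class)
                .setProperty("hibernate.connection.url", "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1")
                .setProperty("hibernate.hbm2ddl.auto", "create-drop")
                .buildSessionFactory();
        try (Session s = sf.openSession()) {          // constructed sample rows
            s.beginTransaction();
            s.save(new Doc(1L, 1L, "tenant 1 document"));
            s.save(new Doc(2L, 2L, "tenant 2 document"));
            s.getTransaction().commit();
        }
        try (Session s = sf.openSession()) {
            s.enableFilter("tenant").setParameter("tenantId", 1L);
            Doc viaQuery = findVisible(s, 2L);        // filtered: null for another tenant's row
            Doc viaGet = s.get(Doc.class, 2L);        // retrieval by identifier: filter not applied
            System.out.println("HQL lookup: " + (viaQuery == null ? "null" : viaQuery.title));
            System.out.println("get():      " + (viaGet == null ? "null" : viaGet.title));
        }
        sf.close();
    }
}
```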