Are you using infinispan in client/server mode (e.g. through hotrod) or the client runs in same jvm with the infinispan node it queries?
If it is local then:
1. on node A client calls cache.ghet(k). This has security context associated
2. caller's thread on A retrieves the List<MyObject> from another node B (rpc)
3. this thread goes through a chain of interceptors. On the way back your custom interceptor filters out the result based on the security association
4. then returns the result to the user.
This is sub-optimal: everything is returned to the caller node (i.e. A) which filters out the data. A better approach would be to do the filtering remotlely, but it's not possible for now (ISPN-256 might overcome this limitation)
Here is some doc in custom interceptors: http://community.jboss.org/wiki/InfinispanCustomInterceptors
Ultimately I would like to use client/server mode and have this functionality, but it does not seem to be there yet. So, I think I am forced to have the client run in the same VM as one of the Infinispan cache's in a cluster.
I read the docs on the CustomInterceptor, it was initially unclear to me where they are executed. I think the problem lies in my understanding that when I run a cache locally in a VM, then I am NOT a client.
I'll have to play around with it a little I think to understand the relationship between the cache and the client of the cache when in the same VM more. It just came to me that it depends on the local nodes' configuration, when I call cache.get() that the data may be retrieved from another node in the cluster, but the interceptors defined in my node will be executed. Does this mean that you could have several different node configurations working in the same cluster? Interesting...