We are using Oracle Label Security (OLS) that supports row-level security. Each row in the database has an associated security label that is compared to the current label in the application context when a query is made. It is very effective.
When using BMP or straight JDBC, when we get a connection from the connection pool, we call a stored procedure that sets the user's access 'label' in the application context. Normal JDBC operations than occur subject to the row-level security. The end user doesn't actually have a database account. The stored procedure sets the label according to an entry in LDAP for the caller principal passed in.
Now CMP .... Is there any I can insert a call to this stored procedure before persistence operations take place?