Forem: Lucas Reis

Auditing in Java systems: RLS in the database or application-level control?

Lucas Reis — Sun, 08 Mar 2026 21:37:13 +0000

This question comes up in every project dealing with sensitive data. And the honest answer is: it depends — but there are clear criteria to decide.

Let me get straight to the point.

What is RLS-based auditing?

Row Level Security is a native PostgreSQL feature that filters and restricts row access directly in the database, using declarative policies.

-- Enable RLS on the table
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- Policy: user only sees records from their own company
CREATE POLICY tenant_isolation ON transactions
  USING (company_id = current_setting('app.tenant_id')::uuid);

-- Audit trigger that captures session context
CREATE OR REPLACE FUNCTION fn_audit()
RETURNS TRIGGER AS $$
BEGIN
  INSERT INTO audit_log (table_name, operation, user_id, data_before, data_after)
  VALUES (
    TG_TABLE_NAME,
    TG_OP,
    current_setting('app.user_id', true)::uuid,
    CASE WHEN TG_OP = 'DELETE' THEN to_jsonb(OLD) END,
    CASE WHEN TG_OP != 'DELETE' THEN to_jsonb(NEW) END
  );
  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

Auditing happens at the database level. It doesn’t matter where the query came from — psql, DBeaver, the application — the trigger logs everything.

What is application-level control with Spring?

Here, the responsibility for filtering and auditing sits in Java code, typically using Spring Security + AOP or interceptors.

// Interceptor that injects the tenant into context
@Component
public class TenantInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response,
                             Object handler) {
        String tenantId = request.getHeader("X-Tenant-ID");
        TenantContext.set(tenantId); // ThreadLocal
        return true;
    }

    @Override
    public void afterCompletion(...) {
        TenantContext.clear(); // Prevents leaking between requests
    }
}

// Repository that explicitly applies the filter
@Repository
public class TransactionRepository {

    public List<Transaction> findAll() {
        String tenantId = TenantContext.get(); // easy to forget this
        return entityManager
            .createQuery("SELECT t FROM Transaction t WHERE t.companyId = :tenantId")
            .setParameter("tenantId", tenantId)
            .getResultList();
    }
}

// Audit aspect via AOP
@Aspect
@Component
public class AuditAspect {

    @AfterReturning(
        pointcut = "@annotation(Auditable)",
        returning = "result"
    )
    public void audit(JoinPoint jp, Object result) {
        auditService.record(
            jp.getSignature().getName(),
            TenantContext.get(),
            SecurityContextHolder.getContext().getAuthentication().getName()
        );
    }
}

Works well — as long as nobody forgets to apply the filter.

The blind spot of each approach

With RLS, the risk is SET LOCAL outside a transaction — in connection pools like HikariCP, a plain SET without a transaction can leak between requests:


// WRONG — leaks in the connection pool
jdbcTemplate.execute("SET app.tenant_id = '" + tenantId + "'");

// CORRECT — scoped to the transaction
@Transactional
public List<Transaction> fetch(String tenantId) {
    jdbcTemplate.execute("SET LOCAL app.tenant_id = '" + tenantId + "'");
    return transactionRepository.findAll();
}

Conclusion

If the data is sensitive (financial, healthcare, legal), don’t rely solely on the application layer. Use RLS as an additional security layer and triggers for immutable auditing.
If your business rules are complex and the team is small, start with application-level control — but document the risks and plan to move tenant isolation to the database as the system scales.
The application can have bugs. The database needs to be the last barrier.

The time at the expense of software quality

Lucas Reis — Thu, 07 Sep 2023 16:22:14 +0000

To understand the current landscape of software development, it is essential to look back to the last century, a time when engineers from large companies dedicated years to creating applications before they could be effectively used. This scenario might not have been a problem if all external factors to the technology team were properly aligned, which, in reality, almost never happens.

During that time, applications were robust, and concepts like UX/UI would only emerge decades later. There was no research, code version control, or automated testing. This situation was, indeed, a time bomb, and in the 1970s, what we now call the Software Crisis emerged.

In this context, about one-third of projects were canceled, while two-thirds significantly exceeded their estimated budgets. Considering ease of maintenance was not part of the development process, resulting in exorbitant costs for software maintenance.

It was during this period that the concept of Software Engineering emerged when technology scholars of the time sought ways to make this process more efficient, eliminating flaws and turning it into a solid science.

Valuing time is not a mistake; today, technology has advanced, and it is possible to build software in less time. However, it becomes a mistake when it compromises quality and maintainability, which are inherently essential for software sustainability.

And the cost goes beyond software sustainability. Projects that do not prioritize software quality cost more because they consume more time maintaining the software itself than implementing features that would add value to the business. In 2020, the study "The Cost of Poor Software Quality In the US: A 2020 Report," produced by the "Consortium for Information & Software Quality (CISQ)," reported that low-quality software cost US companies $2.08 trillion.

Deliveries can benefit everyone involved in a project, but quality deliveries are essential for project success.

References

[1] FOWLER, Martin - https://martinfowler.com/articles/is-quality-worth-cost.html

[2] DEV Media, https://www.devmedia.com.br/qualidade-de-software-engenharia-de-software-29/18209

[3] PEIXOTO, Diogo - https://peixotoo.medium.com/qualidade-de-software-manutenibilidade-complexidade-ciclomática-5fa452791514

WebSockets protocol: Innovating your projects with efficiently live communication.

Lucas Reis — Wed, 25 Jan 2023 02:52:34 +0000

Presentation

Hello, my name is Lucas Reis, I am 19 years old and a Software Engineering student at UNIEvangélica de Goiás, Brazil. To understand this article, it is recommended that you have some knowledge about Network Protocols and how Web works at background.

I am here to introduce you to a powerful network protocol that can enhance your projects - WebSockets.

What is WebSockets?

WebSocket is, at its core, an application protocol, similar to HTTP or FTP. The main difference is that in these other protocols, communication ends after a request-response interaction, while in WebSockets, the communication persists until one of the sides closes the channel. See the diagram below:

Origin

This protocol is built on top of TCP/IP, just like HTTP, but it can also be used in conjunction with HTTP to establish an initial connection between the client and server. Its origins can be traced back to December 2011, when the web was transitioning to Web 2.0, the web of interactions. With this protocol, it has been possible to create real-time applications such as web chats, video games, and more.

Handshake HTTP Sample

What can this be helpful?

WebSockets can be extremely useful in certain situations where you need persistent and bidirectional real-time communication. In such contexts, it can be the best way to create an application that meets these requirements.

Application Sample

1. Webchat
You can use WebSockets to easily develop a real-time web chat!

2. Tracker
A Tracker can be developed using WebSockets to communicate in real-time between the front-end that sends coordinates to the back-end every 5 seconds or something similar.

3. Notifications
You can use WebSockets to communicate with the client that they have a new update without the need to reload the page or retrieve a specific endpoint with new notifications.

4. Video Games
Video Games can be developed using WebSockets as a Framework! It can enable instant communication between players and the server on the web without losing packets or causing lag.

The end!

This protocol is a great way to innovate your projects and show your friends that you know how to use TCP/IP to its full potential without sacrificing network performance! You are welcome to make suggestions for this article or correct any errors. =D

References

RFC 6455