Suppose there are two groups to develop a Seam application. A group in charge of Facelets templates and the other in charge of business logic (session beans and entities). Imagine I have an entity like the next:

@Entity
class BankClient{

public Long getAccountNumber(){...}

}

"accountNumber" is a property only readable by users with the "manager" permission. Suppose a view tier developer adds a text like this in their template:

<h:outputText value="#{bankClient.accountNumber}" />

There is no way to check the view developer doesn't includes restricted properties in the template. The only way to check security constraints on data bean properties is to passing DTOs instead of entities to view layer. A robust design is very hard without a way to restrict properties. The solution would be an annotation like this:

@RestrictProperty("#{s:hasPermission('manager')}")
public Long getAccountNumber(){,,,}

I hope to find an approach like this in a future Seam release.

Best Regards.

-- Andres Testi

pete, @Restrict acts only over @Name marked components and is intended for life-cycle methods and does not for serialization and properties. If I annotate a getter with @Restrict, the setter is not marked. And if I don't put an @Name annotation over an entity, it is not restricted.

Suppose I have a session bean working as backing bean. I don't want to enable the Facelet template access to property "accountNumber", but I want to enable my session bean to manage "accountNumber". @Restrict doen't work in this way. If my action method in the baking session bean is like this:

void updateBankClient(){
int number = createAccountNumber();
bankClient.setAccountNumber(number);
em.update(bankClient);
}

an exception will be raised if I work with @Restrict.