6 Replies Latest reply on Jan 13, 2009 6:31 PM by xnejp03.pnejedly.ondemand.co.uk

    Usage of @Restrict on entity!?

      Hi all


      I'm having problems understanding the @Restrict annotation. If I restrict access to an entity with @Restrict(#{s:hasRole('ADMIN')}), then a user without the ADMIN role shouldn't be able to use any method of that entity, right??


      My problem is that I even tried a @Restrict(#{false}) and my table in JSF is still able to display all records from that entity.


      Did I get something wrong!?

        • 1. Re: Usage of @Restrict on entity!?
          shane.bryzak

          There is a separate section devoted to entity security in the security chapter of the Seam reference docs. In a nutshell, if you want to restrict access to your entities then you have to configure entity security and then write some security rules. As a side note, you can't use it to filter a list of records (although in Seam 2.1.0 you can); you can only restrict the standard events postload, prepersist, preupdate, etc.

          • 2. Re: Usage of @Restrict on entity!?
            stephen

            Are you using JPA or native Hibernate?
            If you use JPA, have you configured the entity listener as described in 14.6.5.1. Entity security with JPA?

            • 3. Re: Usage of @Restrict on entity!?

              Thanks! I'll check the security chapter then.
              So basically, if you work with roles (not rules), you just restrict access in your JSF pages?
              That's what I'm doing now. But I thought if I restrict the access in my entities, I only had to declare restrictions once.


              And I don't want to filter a list of records (yet...).


              But thanks for now, I'm off to reading..

              • 4. Re: Usage of @Restrict on entity!?

                Mhh.. I am using JPA but I'll have to check if we have the listener set up correctly. Thanks for the tip!

                • 5. Re: Usage of @Restrict on entity!?

                  ARG!!! Stupid me .. forget my last post. We are using Hibernate in this application, not JPA!


                  So in this case, I don't have to do anything special for entity security..

                  • 6. Re: Usage of @Restrict on entity!?
                    xnejp03.pnejedly.ondemand.co.uk

                    Shane Bryzak wrote on May 28, 2008 09:52:

                    ... you can't use it to filter a list of records (although in Seam 2.1.0 you can) ...


                    Shane, can you give me an example of how to do this? I didn't find anything in the docs (maybe I'm just blind ;-) ). Let's say I want to have a method that returns a list of all products that belong to a company the logged-in user is an employee of:


                    public List getAllProducts();



                    I presume there has to be a Drools rule implementing the permission logic. What would the annotation / code look like?


                    Thanks,


                    Petr