Hi,

There is two class, parent and child, so we could call them

@Entity
class Child implements Serializable {
 ...
 @ManyToOne
 public void setParent( Parent parent ) {
 this.parent = parent;
 }
}

and

@Entity
class Parent implements Serializable {
 ...
 @OneToMany
 public List<Child> getChildren() {
 return children;
 }

 public Child addChild( String name ) {
 if (children == null)
 children = new ArrayList<Child>();

 Child child = new Child( name );
 child.setParent( this );
 children.add( child );

 return child;
 }
}

I'm running this example with a remote client, that's why these class are Serializable.

Now we can imagine two kind of user : the first one can do everything, the "admin". The other one isn't allowed to create parent, but can create children, we call him "regular".

How can I implement this security restriction with stateless bean ?
I tried this :

@Stateless
@SecurityDomain( "mySecurityDomain" )
class ParentManagerBean implements ParentManager {
 ...
 @RolesAllowed( "admin" )
 public Parent addParent( String name ) {
 Parent parent = new Parent( name );
 manager.persist( parent ); // manager = EntityManager ...
 return parent;
 }

 @RolesAllowed( "admin" )
 public void updateParent( Parent parent ) {
 manager.merge( parent );
 }
}

and the childmanager :

@Stateless
@SecurityDomain( ... )
class ChildManagerBean implements ChildManager {
 ...
 @RolesAllowed( { "admin", "regular" } )
 public Child addChild( String name, Parent parent ) {
 Child child = parent.addChild( name );
 manager.persist( child );
 return child;
 }
}

Problem :
* My remote client call this method with a detached parent (serialized). The child is persisted but my client's parent instance doesn't have this child in his List. I need to add it manually in my client code. In fact it would be great if I could return both the child and the parent instance (updated).

Any idea ?

Bruno