5 Replies Latest reply on Aug 2, 2007 1:59 AM by omilian

    Seam security working in Facelets but not via annotations

    omilian

      Hi,

      Following the Seam reference, I've setup a login page using the identity management facilities. The log in works fine, and in my Facelets I can use the following successfully:

      <s:div rendered="#{identity.loggedIn}">
       YOU ARE LOGGED IN
      </s:div>


      I've also setup the JBoss Rules engine, so the following also works:

      <s:div rendered="#{s:hasPermission('customer', 'delete', null)}">
       YOU HAVE CUSTOMER DELETE
      </s:div>


      and;

      <s:div rendered="#{s:hasRole('power')}">
       YOU HAVE POWER ROLE
      </s:div>


      So far so good. These pages all reference a simple backing bean as follows:
      package au.gov.austrac.ao.prototype;
      
      import org.jboss.seam.annotations.In;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.annotations.security.Restrict;
      import org.jboss.seam.security.Identity;
      
      @Name("authenticator")
      public class ExampleAuthenticator {
      
       @In
       Identity identity;
      
       public String name = "bill";
      
       public String getName() {
       tryRulesEngine();
       return name;
       }
      
       public void setName(String name) {
       this.name = name;
       }
      
       @Restrict("#{identity.loggedIn}")
       public void tryRulesEngine() {
       System.out.println("logged in? " + identity.isLoggedIn());
       }
      
       public boolean authenticate() {
       identity.addRole("power");
       return true;
       }
      }


      This bean is available under the name "authenticator" in my pages via the @Name annotation, and the authenticate() method is invoked by the identity code, so it would seem that the framework knows about this class and the Seam annotations are being invoked (at least @Name is), yet when I'm not logged in I can still access the tryRulesEngine() method. Note that the section of the page controlled by the first code snippet above is not displayed.

      It appears that the @Restrict annotation is not working or is not being invoked?