There is a separate section devoted to entity security in the security chapter of the Seam reference docs. In a nutshell, if you want to restrict access to your entities, then you have to configure entity security and then write some security rules. As a side note, you can't use it to filter a list of records (although in Seam 2.1.0 you can); you can only restrict the standard events postload, prepersist, preupdate, etc.
Are you using JPA or native Hibernate?
If you use JPA, have you configured the entity listener as described in 188.8.131.52. Entity security with JPA?
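For readers following the thread, here is an added example (not code from any poster or from the Seam docs) of role-based restrictions on the standard entity lifecycle events. The entity `Product`, its component name `product`, and the role names `employee` and `manager` are assumptions, and the listener is registered per entity with the standard JPA `@EntityListeners` annotation rather than in `META-INF/orm.xml`.

```java
import javax.persistence.Entity;
import javax.persistence.EntityListeners;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.PostLoad;
import javax.persistence.PrePersist;
import javax.persistence.PreRemove;
import javax.persistence.PreUpdate;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.EntitySecurityListener;

// Hypothetical entity; the name "product" and the role names are assumptions.
@Entity
@Name("product")
// Per-entity registration of Seam's listener (needed with JPA only).
// Registering it in META-INF/orm.xml covers the whole persistence unit instead.
@EntityListeners(EntitySecurityListener.class)
public class Product {

    @Id @GeneratedValue
    private Long id;

    private String name;

    // Read: checked after an instance is loaded from the database.
    @PostLoad
    @Restrict("#{s:hasRole('employee')}")
    public void postLoad() {}

    // Insert and update: limited to the "manager" role.
    @PrePersist
    @Restrict("#{s:hasRole('manager')}")
    public void prePersist() {}

    @PreUpdate
    @Restrict("#{s:hasRole('manager')}")
    public void preUpdate() {}

    // Delete: no expression, so the default permission check
    // (component name "product", action "delete") applies and has to be
    // granted by a security rule.
    @PreRemove
    @Restrict
    public void preRemove() {}

    public Long getId() { return id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}
```

Declaring the checks on the entity means they are enforced wherever the entity is loaded or written, independent of which JSF page triggered the operation.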
Thanks! I'll check the security chapter then.
So basically, if you work with roles (not rules), you just restrict access in your JSF pages?
That's what I'm doing now. But I thought if I restrict the access in my entities, I only had to declare restrictions once.
And I don't want to filter a list of records (yet...).
But thanks for now, I'm off to reading..
Mhh.. I am using JPA but I'll have to check if we have the listener setup correctly. Thanks for the tip!
ARG!!! Stupid me .. forget my last post. We are using Hibernate in this application, not JPA!
So in this case, I don't have to do anything special for entity security..
Shane Bryzak wrote on May 28, 2008 09:52:
... you can't use it to filter a list of records (although in Seam 2.1.0 you can) ...
Shane, can you give me an example of how to do this? I didn't find anything in the docs (maybe I'm just blind ;-) ). Let's say I want to have a method that returns a list of all products that belong to a company the logged-in user is an employee of:
public List getAllProducts();
I presume there has to be a Drools rule implementing the permission logic. What would the annotation / code look like?