0 Replies Latest reply on Jan 19, 2010 9:28 PM by Derrick Aubin

    Entities and @Restrict on methods

    Derrick Aubin Newbie
      Hi,

      I am working with entity security, in seam 2.2.0.GA, on Jboss 5.1.0.GA

      I've created a simple project using Dan Allen's add-identity-management enhancement to seam-gen described at http://in.relation.to/10904.lace

      I have added an EntitySecurityListener to orm.xml and an EntityManager in components.xml.  I am using JPA.

      I have annotated a number of entities with JPA tags to persist them into my database. 

      These entities have additional @Restrict tags as follows:

      @Entity
      @Name("foo")
      @Restrict
      public class Foo{...contents irrelevant...}


      @Entity
      @Name("bar")
      public class Bar
      {
         @Restrict
         public void whatev() {...contents irrelevant...}
      }


      I have an entity called TestDriver which implements two actions called "testFoo" and "testBar".  I have a test.xhtml which calls TestDriver.testFoo(), which does an entityManager.find(Foo.class,1) (1 is a valid primary key).  Find fails with an AuthorizationException as expected.

      I have another method called testBar(), which does the following:


      public void testBar()
      {
         Bar bar = entityManager.find(Bar.class,1);

         bar.whatev();
      }


      EntityManager.find() returns the instance of bar as expected.  However I am able to call bar.whatev() successfully, even though the subject doesn't have privs to do so, based on the @Restrict.

      As near as I can tell, this is because there isn't a proxy object returned by entityManager.find() (I get a straight Bar object), and therefore Seam is unable to apply security restrictions when I make a call to bar.whatev().

      All method level restrictions are respected if I make calls to entities from .xhtml, so there shouldn't be anything in my environment precluding method restrictions.

      So my questions are:

      1/ is this expected behavior?
      2/ if not, then what am I missing?

      Thanks,
      Derrick