0 Replies Latest reply on Jan 19, 2010 9:28 PM by derrickaubin

    Entities and @Restrict on methods

    derrickaubin
      Hi,

      I am working with entity security, in Seam 2.2.0.GA, on JBoss 5.1.0.GA

      I've created a simple project using Dan Allen's add-identity-management enhancement to seam-gen described at http://in.relation.to/10904.lace

      I have added an EntitySecurityListener to orm.xml and an EntityManager in components.xml.  I am using JPA.

      I have annotated a number of entities with JPA tags to persist them into my database. 

      These entities have additional @Restrict tags as follows:

      import javax.persistence.Entity;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.annotations.security.Restrict;

      // Class-level @Restrict on the entity itself
      @Entity
      @Name("foo")
      @Restrict
      public class Foo {...contents irrelevant...}


      // Method-level @Restrict on one of the entity's methods
      @Entity
      @Name("bar")
      public class Bar
      {
         @Restrict
         public void whatev() {...contents irrelevant...}
      }


      I have an entity called TestDriver which implements two actions called "testFoo" and "testBar".  I have a test.xhtml which calls TestDriver.testFoo(), which does an entityManager.find(Foo.class,1) (1 is a valid primary key).  Find fails with an AuthorizationException as expected.

      I have another method called testBar(), which does the following:


      public void testBar()
      {
         // find() returns a plain Bar instance, not a Seam proxy
         Bar bar = entityManager.find(Bar.class, 1);

         // Succeeds even though the subject lacks the privilege required by @Restrict
         bar.whatev();
      }


      EntityManager.find() returns the instance of bar as expected.  However, I am able to call bar.whatev() successfully, even though the subject doesn't have privs to do so, based on the @Restrict.

      As near as I can tell, this is because there isn't a proxy object returned by entityManager.find() (I get a straight Bar object), and therefore Seam is unable to apply security restrictions when I make a call to bar.whatev().

      All method level restrictions are respected if I make calls to entities from .xhtml, so there shouldn't be anything in my environment precluding method restrictions.

      So my questions are:

      1/ is this expected behavior?
      2/ if not, then what am I missing?

      Thanks,
      Derrick