Hi,
I am working with entity security in Seam 2.2.0.GA on JBoss 5.1.0.GA.
I've created a simple project using Dan Allen's add-identity-management enhancement to seam-gen described at http://in.relation.to/10904.lace
I have added an EntitySecurityListener to orm.xml and an EntityManager in components.xml. I am using JPA.
I have annotated a number of entities with JPA tags to persist them into my database.
These entities have additional @Restrict tags as follows:
    @Entity
    @Name("foo")
    @Restrict
    public class Foo { ...contents irrelevant... }

    @Entity
    @Name("bar")
    public class Bar
    {
        @Restrict
        public void whatev() { ...contents irrelevant... }
    }
I have an entity called TestDriver which implements two actions called "testFoo" and "testBar". I have a test.xhtml which calls TestDriver.testFoo(), which does an entityManager.find(Foo.class,1) (1 is a valid primary key). Find fails with an AuthorizationException as expected.
I have another method called testBar(), which does the following:
    public void testBar()
    {
        Bar bar = entityManager.find(Bar.class, 1);
        bar.whatev();
    }
entityManager.find() returns the instance of Bar as expected. However, I am able to call bar.whatev() successfully, even though the subject doesn't have privs to do so based on the @Restrict.
As near as I can tell, this is because there isn't a proxy object returned by entityManager.find() (I get a straight Bar object), and therefore Seam is unable to apply security restrictions when I make a call to bar.whatev().
All method level restrictions are respected if I make calls to entities from .xhtml, so there shouldn't be anything in my environment precluding method restrictions.
So my questions are:
1/ is this expected behavior?
2/ if not, then what am I missing?
Thanks,
Derrick
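Added example, not from the post above and not Seam's own code: an entity whose method enforces its restriction with an explicit call into Seam's Identity API, so the check runs inside the method body no matter how the caller obtained the instance (entityManager.find(), a query result, or an EL reference from a page). The class and component names mirror the post; the Identity.checkPermission(Object, String) call and the Long @Id are assumptions about the Seam 2.2 API and the schema, not details taken from the post.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;

@Entity
@Name("bar")
public class Bar
{
    @Id
    private Long id;   // assumed key type; the post only says "1 is a valid primary key"

    // An annotation on this method is only seen by whatever wraps the call.
    // A check placed in the body is evaluated on every invocation, including
    // on a plain instance returned by entityManager.find(). checkPermission
    // resolves through the configured permission resolvers and throws an
    // AuthorizationException (or NotLoggedInException) when the current
    // subject is not allowed to perform "whatev" on this Bar. Assumed API.
    public void whatev()
    {
        Identity.instance().checkPermission(this, "whatev");
        // ... business logic runs only if the check above did not throw ...
    }

    public Long getId() { return id; }
}

@Name("testDriver")
class TestDriver
{
    @In
    private EntityManager entityManager;

    // Same shape as testBar() in the post. With the in-body check, the
    // exception now surfaces from bar.whatev() for an unprivileged subject,
    // the same way entityManager.find(Foo.class, 1) already does for Foo.
    public void testBar()
    {
        Bar bar = entityManager.find(Bar.class, 1L);
        bar.whatev();
    }
}
```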