6 Replies Latest reply on Apr 11, 2012 1:55 PM by thor-k

    seam 3.1 security annotations not working

    kelly goedert Apprentice

      Hi,

      I am creating a project using Seam 3.1 and I would like to create security annotations like @Admin to place on methods and restrict access. But it is not working. The method that is supposed to handle the annotation is never called. The authentication method is working fine, and the @LoggedIn annotation is also working, so I suppose I have Seam Security set up correctly. I created my annotation like this:

      {code}
      @SecurityBindingType
      @Retention(RetentionPolicy.RUNTIME)
      @Target({ElementType.TYPE, ElementType.METHOD})
      public @interface Admin {
      }
      {code}

      The class that is supposed to handle the annotation is:

      {code}
      public class Authorizer {
          @Secures
          @Admin
          public boolean isAdmin(Identity identity) {
              boolean res = identity.hasRole("admin", "USERS", "GROUP");
              return res;
          }
      }
      {code}

      And the bean I am trying to secure:

      {code}
      @Named("userBean")
      @Stateful
      @ConversationScoped
      @LoggedIn
      public class UserBean extends AbstractBean<User, UserManagerBeanLocal, LazyUserDataModel> {
          private static final long serialVersionUID = 1L;

          @EJB
          private UserManagerBeanLocal userController;

          @EJB
          private CompanyManagerBeanLocal companyController;

          @Inject
          private Conversation conversation;

          @Inject
          private FacesContext context;

          private User user;

          // other methods

          @Admin
          public String create() {
              return super.create();
          }
      }
      {code}

      I expected that, before the create method is executed, the isAdmin method on the Authorizer class would be called. But it never is. What am I missing?

      Thanks for any help.

      Kelly