I'm using picketlink and annotated my scaffolded beans' create(), delete(), update() methods with @LoggedIn to prevent writing data, but you can view data. I wrote a ServletExceptionHandler that catches the access denied and redirects to my No-No! page just fine. But, here's the problem...
Good - When I click a "Create" button, I get immediately denied.
Bad - When I click an "Edit" button, I get the form and I make changes, then click "Save". The @LoggedIn on the update() method causes the access denied pipeline to work, but the data is successfully persisted by the bean. I've changed the gatekeeper from using @LoggedIn on the update() method to actual code within the update() method that checks for being logged in, and alas, the entity is changed and persisted, even before we get to the body of the update() method.
If I change @PersistenceContext(type = PersistenceContextType.EXTENDED) to @PersistenceContext(type = PersistenceContextType.TRANSACTION), that causes this one case to work properly, but then I get Lazy loading errors that I'm sure will be much harder to solve. I'm pretty sure I should stay with @PersistenceContext(type = PersistenceContextType.EXTENDED) at this point.
How am I supposed to wire this all together to be able to prevent access to methods? Do I have to rewrite the beans and views entirely to have a different flow?
I'm guessing the fact that I'm using Weld has something to do with the persistence happening immediately, is that right?
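As an added illustration (not code from the question or from PicketLink itself), the bean below shows the pattern the question is circling around: with an extended persistence context, the JSF form is bound to a managed entity, so whatever the "Update model values" phase writes into it is dirty state that can be flushed on the next transactional call, whether or not update() ever runs. The defensive move is to put the authorization gate on the method that hands out the managed entity in the first place (the retrieve() that serves the edit form), and to keep the explicit check inside update() as a second line. Bean, entity and method names follow the Forge scaffold style and are assumptions; `Customer` is a hypothetical entity.

```java
// Added example, not the poster's code. Assumes a Forge-style scaffolded
// @Stateful @ConversationScoped bean, an extended persistence context, and
// PicketLink's org.picketlink.Identity / @LoggedIn. "Customer" is hypothetical.
import javax.ejb.Stateful;
import javax.enterprise.context.Conversation;
import javax.enterprise.context.ConversationScoped;
import javax.inject.Inject;
import javax.inject.Named;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.PersistenceContextType;
import org.picketlink.Identity;
import org.picketlink.authorization.annotations.LoggedIn;

@Named
@Stateful
@ConversationScoped
public class CustomerBean {

    @PersistenceContext(type = PersistenceContextType.EXTENDED)
    private EntityManager em;

    @Inject private Identity identity;
    @Inject private Conversation conversation;

    private Long id;
    private Customer customer;   // the object the JSF edit form is bound to

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public Customer getCustomer() { return customer; }

    // Gate the edit form itself, not only the save. An anonymous request is
    // denied here, so it never receives a *managed* entity for the form to
    // mutate. Without this gate, the form writes straight into the managed
    // instance during "Update model values", and the extended persistence
    // context will flush that dirty state on the next transactional call,
    // regardless of whether update() is allowed to run.
    @LoggedIn
    public void retrieve() {
        if (conversation.isTransient()) {
            conversation.begin();
        }
        if (id == null) {
            customer = new Customer();
        } else {
            customer = em.find(Customer.class, id);
            // Keep the entity managed so lazy associations still load in the
            // view; the authorization boundary above is what protects it.
        }
    }

    @LoggedIn
    public String update() {
        // Second line of defence: an explicit check so the method stays safe
        // even if the annotation is dropped in a refactoring. Discard any
        // pending changes before refusing, so nothing is flushed afterwards.
        if (!identity.isLoggedIn()) {
            em.clear();
            throw new SecurityException("update requires an authenticated user");
        }
        // For a managed entity this merge is a no-op apart from returning the
        // same instance; it is kept so the method also works for new objects.
        customer = em.merge(customer);
        conversation.end();
        return "view?faces-redirect=true&id=" + customer.getId();
    }
}
```

The important design point is where the check sits: once a managed entity has been exposed to the form, denying update() is too late, because the persistence context, not update(), is what writes the change. Gating retrieve() keeps the entity out of an unauthenticated user's hands entirely, which is why the Create button already behaves correctly in the question (there is no pre-existing managed row to dirty).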