Seam security also makes it possible to apply security restrictions to read, insert, update and delete actions for entities.
To secure all actions for an entity class, add a @Restrict annotation on the class itself:
@Entity
@Name("customer")
@Restrict
public class Customer {
    ...
}
If no expression is specified in the @Restrict annotation, the default security check performed is a permission check of entityName:action, where entityName is the name of the entity (or the class name if no @Name is specified) and action is one of read, insert, update or delete.
It is also possible to restrict only certain actions, by placing a @Restrict annotation on the relevant entity lifecycle method (annotated as follows):
@PostLoad - Called after an entity instance is loaded from the database. Use this method to configure a read permission.
@PrePersist - Called before a new instance of the entity is inserted. Use this method to configure an insert permission.
@PreUpdate - Called before an entity is updated. Use this method to configure an update permission.
@PreRemove - Called before an entity is deleted. Use this method to configure a delete permission.
Here's an example of how an entity would be configured to perform a security check for any insert operation. Please note that the method is not required to do anything; the only thing that matters for security is how it is annotated:
@PrePersist @Restrict
public void prePersist() {}
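The following entity, added here as an example and not taken from the Seam manual or the seamspace application, puts the pieces above together: one lifecycle method per action, two of them using the default entityName:action permission check and one using an explicit expression. The Customer class, its owner field, and the 'admin' role name are assumptions; s:hasRole is Seam's own EL security function.

```java
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.PostLoad;
import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;

// Added example (not from the Seam manual or seamspace): a JPA entity whose
// read, insert and update actions are each guarded by a different @Restrict.
@Entity
@Name("customer")            // entity name used by the default check: "customer:<action>"
public class Customer {

    @Id
    private Long id;

    // Hypothetical field: username of the user who owns this record.
    private String owner;

    // read: no expression, so Seam performs the default permission check
    // "customer:read" after the instance is loaded from the database.
    @PostLoad @Restrict
    public void postLoad() {}

    // insert: default permission check "customer:insert" before the row is written.
    @PrePersist @Restrict
    public void prePersist() {}

    // update: an explicit expression replaces the default permission check;
    // only callers holding the (assumed) 'admin' role may update a customer.
    @PreUpdate @Restrict("#{s:hasRole('admin')}")
    public void preUpdate() {}

    // Note: there is no @PreRemove method here and no @Restrict on the class,
    // so delete operations on Customer are NOT checked by Seam security.

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }

    public String getOwner() { return owner; }
    public void setOwner(String owner) { this.owner = owner; }
}
```

The two default checks are resolved by permission rules of the same shape as the memberBlog rule shown later on this page, with name == "customer" and action == "read" or "insert"; the update check never reaches the rule engine because the expression decides it directly. The absence of a guarded @PreRemove method is worth checking for during review: an action that has no @Restrict on its lifecycle method and no class-level @Restrict is simply not restricted.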
And here's an example of an entity permission rule that checks if the authenticated user is allowed to create a new blog entry (from the seamspace example):
rule InsertMemberBlog
  no-loop
  activation-group "permissions"
when
  c: PermissionCheck(name == "memberBlog", action == "insert", granted == false)
  Principal(nm : name)
  MemberBlog(mbr : member -> (mbr.getUsername().equals(nm)))
then
  c.grant();
  modify(c);
end;
Finally, we need to install a listener class that integrates Seam security with your JPA provider.