It is sometimes necessary to perform a security check in code, without using the @Restrict annotation. To do so, use Identity.checkRestriction() to evaluate a security expression, like this:

    public void deleteCustomer() {
        Identity.instance().checkRestriction("#{s:hasPermission(selectedCustomer, 'delete')}");
    }

If the specified expression does not evaluate to true, one of two exceptions occurs. If the user is not logged in, a NotLoggedInException is thrown. If the user is logged in, an AuthorizationException is thrown.
You can also call the hasRole() and hasPermission() methods directly from Java code:

    if (!Identity.instance().hasRole("admin"))
        throw new AuthorizationException("Must be admin to perform this action");

    if (!Identity.instance().hasPermission("customer", "create"))
        throw new AuthorizationException("You may not create new customers");
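
A case where the in-code check is needed because the targets are only known at run time: authorizing a whole batch of objects before any of them is changed. This is an added example, not code from the Seam documentation; the class BatchAuthorizer and its method are hypothetical names, and it assumes a Seam version whose Identity offers hasPermission(Object target, String action), the call behind the s:hasPermission(selectedCustomer, 'delete') expression above.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.NotLoggedInException;

// Hypothetical helper (not part of Seam): all-or-nothing authorization
// for an action on a set of objects chosen at run time.
public final class BatchAuthorizer {

    private BatchAuthorizer() {}

    /**
     * Returns normally only if the current user may perform the action on
     * every target. Mirrors checkRestriction(): NotLoggedInException for an
     * anonymous caller, AuthorizationException for a logged-in one.
     */
    public static void requirePermissionForAll(Collection<?> targets, String action) {
        Identity identity = Identity.instance();

        // Evaluate every target first, so a refusal on the last object
        // cannot leave earlier objects already modified by the caller.
        List<Object> denied = new ArrayList<Object>();
        for (Object target : targets) {
            if (!identity.hasPermission(target, action)) {
                denied.add(target);
            }
        }
        if (denied.isEmpty()) {
            return;
        }

        // Same split as checkRestriction(): tell "please log in" apart
        // from "logged in, but not allowed".
        if (!identity.isLoggedIn()) {
            throw new NotLoggedInException();
        }
        // Report counts only; object details stay out of the message.
        throw new AuthorizationException("Action '" + action + "' denied for "
                + denied.size() + " of " + targets.size() + " selected objects");
    }
}
```

Call it at the top of the action method, for example BatchAuthorizer.requirePermissionForAll(selectedCustomers, "delete"), before the first object is touched.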