15.6.6. Typesafe Permission Annotations
Seam provides a number of annotations that can be used as alternatives to @Restrict. Unlike @Restrict, they do not support arbitrary EL expressions in the same way, which gives them additional compile-time safety.
Seam comes with a set of annotations for standard CRUD-based permissions. The following annotations are provided in the org.jboss.seam.annotations.security package:
- @Insert
- @Read
- @Update
- @Delete
To use these annotations, place them on the method or parameter for which you wish to perform a security check. When placed on a method, they specify a target class for which the permission will be checked. Take the following example:
@Insert(Customer.class) public void createCustomer() { ... }
Here, a permission check will be performed for the user to ensure that they have permission to create new Customer objects. The target of the permission check is Customer.class (the actual java.lang.Class instance itself), and the action is the lower case representation of the annotation name, which in this example is insert.
You can annotate a component method's parameters in the same way, as follows. If you do this, you need not specify a permission target, since the parameter value itself will be the target of the permission check.
public void updateCustomer(@Update Customer customer) { ... }
To create your own security annotation, just annotate it with @PermissionCheck. For example:
@Target({METHOD, PARAMETER})
@Documented
@Retention(RUNTIME)
@Inherited
@PermissionCheck
public @interface Promote {
    Class value() default void.class;
}
If you wish to override the default permission action name (the lower case version of the annotation name) with another value, you can specify this within the @PermissionCheck annotation:
@PermissionCheck("upgrade")
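The following is an added example, not Seam's own code: a reflection sketch of the rules described above, showing how a (target, action) pair is derived from a permission annotation on a method or on a parameter. The PermissionCheck annotation here is a local stand-in so the file compiles without Seam, and PermissionCheckDemo, CustomerAction and promoteCustomer are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class PermissionCheckDemo {
    // Local stand-in for org.jboss.seam.annotations.security.PermissionCheck
    // (assumption), so this demo runs without Seam on the classpath.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.ANNOTATION_TYPE)
    @interface PermissionCheck { String value() default ""; }

    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.METHOD, ElementType.PARAMETER})
    @PermissionCheck @interface Insert { Class<?> value() default void.class; }

    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.METHOD, ElementType.PARAMETER})
    @PermissionCheck("upgrade") @interface Promote { Class<?> value() default void.class; }

    static class Customer { }
    static class CustomerAction { // hypothetical component
        @Insert(Customer.class) public void createCustomer() { }
        public void promoteCustomer(@Promote Customer customer) { }
    }

    // Action name: the @PermissionCheck value if set, else the lower-cased annotation name.
    static String action(Annotation a) {
        PermissionCheck pc = a.annotationType().getAnnotation(PermissionCheck.class);
        if (pc == null) return null; // not a permission annotation
        String name = a.annotationType().getSimpleName().toLowerCase(Locale.ROOT);
        return pc.value().isEmpty() ? name : pc.value();
    }

    // Lists the (target, action) pairs that would be checked for one invocation.
    static List<String> checks(Method m, Object... args) throws Exception {
        List<String> out = new ArrayList<>();
        for (Annotation a : m.getAnnotations()) {
            if (action(a) == null) continue;
            // On a method, the target is the class named in the annotation.
            Object target = a.annotationType().getMethod("value").invoke(a);
            out.add("target=" + target + " action=" + action(a));
        }
        Annotation[][] pa = m.getParameterAnnotations();
        for (int i = 0; i < pa.length; i++)
            for (Annotation a : pa[i]) // on a parameter, the argument itself is the target
                if (action(a) != null) out.add("target=" + args[i] + " action=" + action(a));
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(checks(CustomerAction.class.getMethod("createCustomer")));
        System.out.println(checks(CustomerAction.class.getMethod("promoteCustomer", Customer.class), new Customer()));
    }
}
```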