11.6. Restricting Access Based on the Authenticated User
It is very common to restrict access to a resource based on the state of the current user, that is, to check whether the user is authenticated or not.
The @RequiresAccount annotation allows you to protect a bean and allow access only to previously authenticated users:

@RequiresAccount
public void logout() {
    // only authenticated users can log out
}
The @RequiresAccount annotation can also be used on types. In this case, all bean methods are protected:

@RequiresAccount
public class MyRESTAPI {
    // every method of this bean requires an authenticated account
}
Accounts in PicketLink are represented by a specific type. For example, by default PicketLink provides the org.picketlink.idm.model.basic.User type to represent them. Considering that PicketLink allows you to provide your own types, @RequiresAccount can also be used to restrict which account types are allowed to perform an operation:

@RequiresAccount(type = {Employee.class, Customer.class})

Here Employee and Customer are account types implementing the org.picketlink.idm.model.Account interface.
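The following is an added example (not from the PicketLink documentation or project) that combines the type-level and method-level forms above in one JAX-RS resource. It assumes that Employee and Customer are existing account types implementing org.picketlink.idm.model.Account, that the annotation lives in org.picketlink.authorization.annotations, and that a method-level restriction narrows the class-level one for that method.

```java
package com.example.secured; // hypothetical package

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.picketlink.Identity;
import org.picketlink.authorization.annotations.RequiresAccount;
import org.picketlink.idm.model.Account;

// Type-level annotation: every method on this bean requires an
// authenticated account. Unauthenticated callers are rejected before
// any method body runs, so the methods themselves need no null checks.
@RequiresAccount
@Path("/orders") // hypothetical resource path
public class OrderResource {

    @Inject
    private Identity identity; // PicketLink's view of the current caller

    // Any authenticated account type (User, Employee, Customer, ...)
    // may list its own orders.
    @GET
    @Produces("text/plain")
    public String listOwnOrders() {
        Account account = identity.getAccount();
        return "orders for account " + account.getId();
    }

    // Method-level restriction: in addition to being authenticated,
    // the caller must be represented by the Employee account type.
    // A Customer reaching this method is denied even though it passed
    // the class-level check.
    @GET
    @Path("/all")
    @Produces("text/plain")
    @RequiresAccount(type = Employee.class)
    public String listAllOrders() {
        Employee employee = (Employee) identity.getAccount();
        return "all orders, requested by employee " + employee.getId();
    }
}
```

The security-relevant point is that the type check is enforced by the container interceptor, so the cast inside listAllOrders is safe only because the annotation guarantees the account type; remove the annotation and the cast becomes an unchecked assumption.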