11.7. Restricting Access Based on the Authenticated User
It is very common to restrict access to a resource based on the state of the current user, most simply on whether that user is authenticated or not.
The @LoggedIn annotation allows you to protect a bean and allow access only from previously authenticated users:

@LoggedIn
public void logout() {
    // only authenticated users can logout
}
The @LoggedIn annotation can also be used on types. In this case, all bean methods are protected:

@LoggedIn
public class MyRESTAPI {
}
Accounts in PicketLink are represented by a specific type. For example, by default PicketLink provides the org.picketlink.idm.model.basic.User type to represent them. Because PicketLink allows you to provide your own account types, the @LoggedIn annotation can also be used to restrict which account types are allowed to perform an operation:
@LoggedIn(requiresAccount = {Employee.class, Customer.class})
Where Employee and Customer are account types implementing the org.picketlink.idm.model.Account interface.
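The following is an added example, not code from the PicketLink guide, that puts the three usages above together in one JAX-RS resource: a type-level @LoggedIn, a method-level requiresAccount restriction, and two custom account types. It assumes PicketLink 2.x with the annotation in org.picketlink.authorization.annotations, that the built-in User class can be subclassed, and the hypothetical Employee, Customer and OrderResource names.

```java
// Added example (not from the PicketLink guide). Employee, Customer and
// OrderResource are hypothetical names; the annotation package is assumed.
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;

import org.picketlink.Identity;
import org.picketlink.authorization.annotations.LoggedIn;
import org.picketlink.idm.model.basic.User;

// Hypothetical account types. User already implements
// org.picketlink.idm.model.Account, so its subclasses satisfy requiresAccount.
class Employee extends User {
    public Employee() { }
    public Employee(String loginName) { super(loginName); }
}

class Customer extends User {
    public Customer() { }
    public Customer(String loginName) { super(loginName); }
}

// Type-level @LoggedIn: every method on this resource requires an authenticated user.
@LoggedIn
@Path("/orders")
public class OrderResource {

    @Inject
    private Identity identity;

    // Any authenticated account (Employee, Customer, or plain User) may list orders.
    @GET
    public String listOrders() {
        return "orders for " + identity.getAccount().getId();
    }

    // Only an authenticated Employee may approve; an authenticated Customer is
    // rejected by the authorization check before the method body runs.
    @POST
    @Path("/approve")
    @LoggedIn(requiresAccount = Employee.class)
    public String approve() {
        return "approved by " + identity.getAccount().getId();
    }
}
```

An unauthenticated caller is rejected on every method of the resource, while the account-type restriction on approve() is enforced only after authentication succeeds.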