First of all, thanks to Ben! With his help I have been able to get a very basic Method Invocation security implemented in AppFuse:
Now that I got that to wiggle, it is time to get to the real goal of this venture. I want to be able to limit access to UserManager.saveUser based on the object being passed to the method. In other words, I want my users to be able to update their own account, but no one else's [except the admin, but that I will allow with a RoleVoter].
But now that I'm looking closer at the existing voter code, I'm not sure if what I want to do is even possible without changing the way the UserManager works. Right now the only way I can see making this work is to have a UserManager.setUser(User user) method and then a UserManager.saveUser(). Then when I intercept the saveUser method, I can look up the user Object that was added to the secured object before the save method was called.
Is there a way to access the parameters of a secured method?
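The check described in the post, sketched as an added example that is not part of the original post or of AppFuse or Acegi: for method security the secure object handed to a voter is an AOP Alliance `MethodInvocation`, whose `getArguments()` exposes the parameters. Assumptions: Acegi 1.0 package names (`org.acegisecurity`; earlier releases use `net.sf.acegisecurity`), AppFuse's `org.appfuse.model.User` with `getUsername()`, and the hypothetical names `OwnAccountVoter` and `OWN_ACCOUNT`.

```java
import java.util.Iterator;

import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.vote.AccessDecisionVoter;
import org.aopalliance.intercept.MethodInvocation;
import org.appfuse.model.User; // assumed AppFuse model class

/** Hypothetical voter: grants only when the User argument is the caller's own account. */
public class OwnAccountVoter implements AccessDecisionVoter {
    // Hypothetical attribute to list next to ROLE_ADMIN on UserManager.saveUser
    private static final String ATTRIBUTE = "OWN_ACCOUNT";

    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    public boolean supports(Class clazz) {
        // Only method invocations carry arguments to inspect
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object object,
                    ConfigAttributeDefinition config) {
        boolean applies = false;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) {
                applies = true;
            }
        }
        if (!applies) {
            return ACCESS_ABSTAIN; // method is not marked OWN_ACCOUNT
        }
        // The secure object is the intercepted call; its arguments are the parameters
        Object[] args = ((MethodInvocation) object).getArguments();
        for (int i = 0; i < args.length; i++) {
            if (args[i] instanceof User) {
                String target = ((User) args[i]).getUsername();
                return authentication.getName().equals(target)
                        ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        return ACCESS_DENIED; // fail closed when no User argument is present
    }
}
```

The username compared here comes from the object the caller submitted, so the voter only establishes which account is being written; it does not restrict which fields of that account (roles, for instance) the caller changed.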