BIS-142 Moving authorization annotations from IScreeningServer and...

BIS-142 Moving authorization annotations from IScreeningServer and IScreeningApiServer to ScreeningServer. Introducing system test ScreeningServerAuthorizationTest. Moving ServerInterfaceRegressionTest from shared to server package. SVN: 26577

BIS-142 Moving authorization annotations from IScreeningServer and...
b3ab46f4 · felmer · 571d1fd3 · b3ab46f4 · b3ab46f4 · b3ab46f4
Commit b3ab46f4 authored 12 years ago by felmer
--- a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/ScreeningServer.java
+++ b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/ScreeningServer.java
@@ -32,7 +32,6 @@ import org.springframework.stereotype.Component;
 import ch.rinn.restrictions.Private;
 import ch.systemsx.cisd.authentication.ISessionManager;
 import ch.systemsx.cisd.common.exceptions.UserFailureException;
-import ch.systemsx.cisd.common.spring.ExposablePropertyPlaceholderConfigurer;
 import ch.systemsx.cisd.common.spring.IInvocationLoggerContext;
 import ch.systemsx.cisd.openbis.generic.server.AbstractServer;
 import ch.systemsx.cisd.openbis.generic.server.business.IPropertiesBatchManager;
@@ -44,6 +43,15 @@ import ch.systemsx.cisd.openbis.generic.server.plugin.IDataSetTypeSlaveServerPlu
 import ch.systemsx.cisd.openbis.generic.server.plugin.ISampleTypeSlaveServerPlugin;
 import ch.systemsx.cisd.openbis.generic.shared.ICommonServer;
 import ch.systemsx.cisd.openbis.generic.shared.api.v1.dto.Sample;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.AuthorizationGuard;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.Capability;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.ReturnValueFilter;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.RolesAllowed;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.AbstractTechIdPredicate.DataSetTechIdPredicate;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.AbstractTechIdPredicate.ExperimentTechIdPredicate;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.DataSetCodeCollectionPredicate;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.DataSetCodePredicate;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.SampleTechIdPredicate;
 import ch.systemsx.cisd.openbis.generic.shared.basic.TechId;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.BasicProjectIdentifier;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.CodeAndLabel;
@@ -54,6 +62,7 @@ import ch.systemsx.cisd.openbis.generic.shared.basic.dto.MaterialType;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewMaterial;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewSamplesWithTypes;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Project;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.SampleParentWithDerived;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Vocabulary;
 import ch.systemsx.cisd.openbis.generic.shared.dto.SamplePE;
@@ -78,6 +87,13 @@ import ch.systemsx.cisd.openbis.plugin.screening.server.logic.ScreeningUtils;
 import ch.systemsx.cisd.openbis.plugin.screening.server.logic.WellContentLoader;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.IScreeningServer;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.ResourceNames;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.ExperimentIdentifierPredicate;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.PlateIdentifierPredicate;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.PlateWellReferenceWithDatasetsValidator;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.ScreeningExperimentValidator;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.ScreeningPlateListReadOnlyPredicate;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.ScreeningPlateValidator;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.WellIdentifierPredicate;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.IScreeningApiServer;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentImageMetadata;
@@ -92,6 +108,12 @@ import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.PlateMetadata
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.PlateWellMaterialMapping;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.PlateWellReferenceWithDatasets;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.WellIdentifier;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.DatasetReferencePredicate;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.ExperimentSearchCriteriaPredicate;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.MaterialExperimentFeatureVectorSummaryValidator;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.MaterialFeaturesOneExpPredicate;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.WellContentValidator;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.WellSearchCriteriaPredicate;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.basic.dto.AnalysisProcedures;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.basic.dto.DatasetReference;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.basic.dto.ExperimentFeatureVectorSummary;
@@ -133,9 +155,6 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
     */
    public static final int MINOR_VERSION = 9;

-    @Resource(name = ExposablePropertyPlaceholderConfigurer.PROPERTY_CONFIGURER_BEAN_NAME)
-    private ExposablePropertyPlaceholderConfigurer configurer;
-    
    @Resource(name = ResourceNames.SCREENING_BUSINESS_OBJECT_FACTORY)
    private IScreeningBusinessObjectFactory businessObjectFactory;

@@ -194,8 +213,10 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    //

    @Override
-    public final SampleParentWithDerived getSampleInfo(final String sessionToken,
-            final TechId sampleId)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public SampleParentWithDerived getSampleInfo(final String sessionToken,
+            @AuthorizationGuard(guardClass = SampleTechIdPredicate.class)
+            final TechId sampleId) throws UserFailureException
    {
        final Session session = getSession(sessionToken);
        final ISampleBO sampleBO = businessObjectFactory.createSampleBO(session);
@@ -206,14 +227,19 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public PlateContent getPlateContent(String sessionToken, TechId plateId)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public PlateContent getPlateContent(String sessionToken,
+            @AuthorizationGuard(guardClass = SampleTechIdPredicate.class)
+            TechId plateId)
    {
        Session session = getSession(sessionToken);
        return PlateContentLoader.loadImagesAndMetadata(session, businessObjectFactory, plateId);
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public FeatureVectorDataset getFeatureVectorDataset(String sessionToken,
+            @AuthorizationGuard(guardClass = DatasetReferencePredicate.class)
            DatasetReference dataset, CodeAndLabel featureName)
    {
        Session session = getSession(sessionToken);
@@ -222,7 +248,10 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public PlateImages getPlateContentForDataset(String sessionToken, TechId datasetId)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public PlateImages getPlateContentForDataset(String sessionToken,
+            @AuthorizationGuard(guardClass = DataSetTechIdPredicate.class)
+            TechId datasetId)
    {
        Session session = getSession(sessionToken);
        return PlateContentLoader.loadImagesAndMetadataForDataset(session, businessObjectFactory,
@@ -230,7 +259,11 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public List<WellContent> listPlateWells(String sessionToken, WellSearchCriteria materialCriteria)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @ReturnValueFilter(validatorClass = WellContentValidator.class)
+    public List<WellContent> listPlateWells(String sessionToken,
+            @AuthorizationGuard(guardClass = WellSearchCriteriaPredicate.class)
+            WellSearchCriteria materialCriteria)
    {
        Session session = getSession(sessionToken);
        return WellContentLoader.load(session, businessObjectFactory, getDAOFactory(),
@@ -238,7 +271,9 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public List<WellReplicaImage> listWellImages(String sessionToken, TechId materialId,
+            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class)
            TechId experimentId)
    {
        Session session = getSession(sessionToken);
@@ -247,7 +282,10 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public List<Material> listMaterials(String sessionToken, WellSearchCriteria materialCriteria)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<Material> listMaterials(String sessionToken,
+            @AuthorizationGuard(guardClass = WellSearchCriteriaPredicate.class)
+            WellSearchCriteria materialCriteria)
    {
        Session session = getSession(sessionToken);
        return WellContentLoader.loadMaterials(session, businessObjectFactory, getDAOFactory(),
@@ -255,8 +293,10 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public FeatureVectorValues getWellFeatureVectorValues(String sessionToken, String datasetCode,
-            String datastoreCode, WellLocation wellLocation)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public FeatureVectorValues getWellFeatureVectorValues(String sessionToken,
+            @AuthorizationGuard(guardClass = DataSetCodePredicate.class)
+            String datasetCode, String datastoreCode, WellLocation wellLocation)
    {
        getSession(sessionToken);
        return FeatureVectorValuesLoader.loadFeatureVectorValues(businessObjectFactory,
@@ -264,8 +304,10 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public LogicalImageInfo getImageDatasetInfo(String sessionToken, String datasetCode,
-            String datastoreCode, WellLocation wellLocationOrNull)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public LogicalImageInfo getImageDatasetInfo(String sessionToken,
+            @AuthorizationGuard(guardClass = DataSetCodePredicate.class)
+            String datasetCode, String datastoreCode, WellLocation wellLocationOrNull)
    {
        Session session = getSession(sessionToken);
        return LogicalImageLoader.loadLogicalImageInfo(session, businessObjectFactory, datasetCode,
@@ -273,7 +315,9 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public ImageDatasetEnrichedReference getImageDatasetReference(String sessionToken,
+            @AuthorizationGuard(guardClass = DataSetCodePredicate.class)
            String datasetCode, String datastoreCode)
    {
        Session session = getSession(sessionToken);
@@ -282,7 +326,9 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public List<ImageResolution> getImageDatasetResolutions(String sessionToken,
+            @AuthorizationGuard(guardClass = DataSetCodePredicate.class)
            String datasetCode, String datastoreCode)
    {
        checkSession(sessionToken);
@@ -292,8 +338,10 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public ImageSampleContent getImageDatasetInfosForSample(String sessionToken, TechId sampleId,
-            WellLocation wellLocationOrNull)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public ImageSampleContent getImageDatasetInfosForSample(String sessionToken,
+            @AuthorizationGuard(guardClass = SampleTechIdPredicate.class)
+            TechId sampleId, WellLocation wellLocationOrNull)
    {
        Session session = getSession(sessionToken);
        return PlateContentLoader.getImageDatasetInfosForSample(session, businessObjectFactory,
@@ -301,18 +349,23 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public ExternalData getDataSetInfo(String sessionToken, TechId datasetId)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public ExternalData getDataSetInfo(String sessionToken,
+            @AuthorizationGuard(guardClass = DataSetTechIdPredicate.class)
+            TechId datasetId)
    {
        return commonServer.getDataSetInfo(sessionToken, datasetId);
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public Material getMaterialInfo(String sessionToken, TechId materialId)
    {
        return commonServer.getMaterialInfo(sessionToken, materialId);
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public Vocabulary getVocabulary(String sessionToken, String code) throws UserFailureException
    {
        checkSession(sessionToken);
@@ -322,6 +375,8 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_ADMIN)
+    @Capability("WRITE_EXPERIMENT_SAMPLE_MATERIAL")
    public void registerLibrary(String sessionToken, String userEmail,
            List<NewMaterial> newGenesOrNull, List<NewMaterial> newOligosOrNull,
            List<NewSamplesWithTypes> newSamplesWithType)
@@ -331,8 +386,10 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public List<Material> listExperimentMaterials(String sessionToken, TechId experimentId,
-            MaterialType materialType)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<Material> listExperimentMaterials(String sessionToken,
+            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class)
+            TechId experimentId, MaterialType materialType)
    {
        // TODO 2010-09-01, Piotr Buczek: move it to some BO when we have more queries like that
        IScreeningQuery dao = createDAO(getDAOFactory());
@@ -348,7 +405,9 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public ExperimentFeatureVectorSummary getExperimentFeatureVectorSummary(String sessionToken,
+            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class)
            TechId experimentId, AnalysisProcedureCriteria analysisProcedureCriteria)
    {
        Session session = getSession(sessionToken);
@@ -362,6 +421,8 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @ReturnValueFilter(validatorClass = MaterialExperimentFeatureVectorSummaryValidator.class)
    public List<MaterialSimpleFeatureVectorSummary> getMaterialFeatureVectorsFromAllExperiments(
            String sessionToken, MaterialFeaturesManyExpCriteria criteria)
    {
@@ -409,7 +470,9 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public MaterialReplicaFeatureSummaryResult getMaterialFeatureVectorSummary(String sessionToken,
+            @AuthorizationGuard(guardClass = MaterialFeaturesOneExpPredicate.class)
            MaterialFeaturesOneExpCriteria criteria)
    {
        Session session = getSession(sessionToken);
@@ -422,36 +485,50 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    // --------- IScreeningOpenbisServer - method signature should be changed with care

    @Override
-    public List<FeatureVectorDatasetReference> listFeatureVectorDatasets(String sessionToken,
-            List<? extends PlateIdentifier> plates)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<FeatureVectorDatasetReference> listFeatureVectorDatasets(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
+            throws IllegalArgumentException
    {
        return createScreeningApiImpl(sessionToken).listFeatureVectorDatasets(plates);
    }

    @Override
-    public List<ImageDatasetReference> listImageDatasets(String sessionToken,
-            List<? extends PlateIdentifier> plates)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<ImageDatasetReference> listImageDatasets(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
+            throws IllegalArgumentException
    {
        return createScreeningApiImpl(sessionToken).listImageDatasets(plates);
    }

    @Override
-    public List<ImageDatasetReference> listRawImageDatasets(String sessionToken,
-            List<? extends PlateIdentifier> plates)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<ImageDatasetReference> listRawImageDatasets(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
+            throws IllegalArgumentException
    {
        return createScreeningApiImpl(sessionToken).listRawImageDatasets(plates);
    }

    @Override
-    public List<ImageDatasetReference> listSegmentationImageDatasets(String sessionToken,
-            List<? extends PlateIdentifier> plates)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<ImageDatasetReference> listSegmentationImageDatasets(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
+            throws IllegalArgumentException
    {
        return createScreeningApiImpl(sessionToken).listSegmentationImageDatasets(plates);
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public List<PlateWellReferenceWithDatasets> listPlateWells(
            String sessionToken,
+            @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class)
            ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier experimentIdentifer,
            MaterialIdentifier materialIdentifier, boolean findDatasets)
    {
@@ -460,6 +537,8 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @ReturnValueFilter(validatorClass = PlateWellReferenceWithDatasetsValidator.class)
    public List<PlateWellReferenceWithDatasets> listPlateWells(String sessionToken,
            MaterialIdentifier materialIdentifier, boolean findDatasets)
    {
@@ -468,58 +547,78 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public List<WellIdentifier> listPlateWells(String sessionToken, PlateIdentifier plateIdentifier)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<WellIdentifier> listPlateWells(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = PlateIdentifierPredicate.class) PlateIdentifier plateIdentifier)
    {
        return createScreeningApiImpl(sessionToken).listPlateWells(plateIdentifier);
    }

    @Override
-    public Sample getWellSample(String sessionToken, WellIdentifier wellIdentifier)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public Sample getWellSample(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = WellIdentifierPredicate.class) WellIdentifier wellIdentifier)
    {
        return createScreeningApiImpl(sessionToken).getWellSample(wellIdentifier, true);
    }

    @Override
-    public Sample getPlateSample(String sessionToken, PlateIdentifier plateIdentifier)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public Sample getPlateSample(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = PlateIdentifierPredicate.class) PlateIdentifier plateIdentifier)
    {
        return createScreeningApiImpl(sessionToken).getPlateSample(plateIdentifier);
    }

    @Override
-    public List<Plate> listPlates(String sessionToken)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @ReturnValueFilter(validatorClass = ScreeningPlateValidator.class)
+    public List<Plate> listPlates(String sessionToken) throws IllegalArgumentException
    {
        return createScreeningApiImpl(sessionToken).listPlates();
    }

    @Override
-    public List<Plate> listPlates(String sessionToken, ExperimentIdentifier experiment)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<Plate> listPlates(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experiment)
+            throws IllegalArgumentException
    {
        return createScreeningApiImpl(sessionToken).listPlates(experiment);
    }

    @Override
-    public List<ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier> listExperiments(
-            String sessionToken)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @ReturnValueFilter(validatorClass = ScreeningExperimentValidator.class)
+    public List<ExperimentIdentifier> listExperiments(String sessionToken)
    {
        return createScreeningApiImpl(sessionToken).listExperiments();
    }

    @Override
-    public List<ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier> listExperiments(
-            String sessionToken, String userId)
+    @RolesAllowed(RoleWithHierarchy.INSTANCE_OBSERVER)
+    public List<ExperimentIdentifier> listExperiments(String sessionToken, String userId)
    {
        return createScreeningApiImpl(sessionToken).listExperiments(userId);
    }

    @Override
-    public List<IDatasetIdentifier> getDatasetIdentifiers(String sessionToken,
-            List<String> datasetCodes)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<IDatasetIdentifier> getDatasetIdentifiers(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = DataSetCodeCollectionPredicate.class) List<String> datasetCodes)
    {
        return createScreeningApiImpl(sessionToken).getDatasetIdentifiers(datasetCodes);
    }

    @Override
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public AnalysisProcedures listNumericalDatasetsAnalysisProcedures(String sessionToken,
+            @AuthorizationGuard(guardClass = ExperimentSearchCriteriaPredicate.class)
            ExperimentSearchCriteria experimentSearchCriteria)
    {
        checkSession(sessionToken);
@@ -542,8 +641,10 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public List<PlateWellMaterialMapping> listPlateMaterialMapping(String sessionToken,
-            List<? extends PlateIdentifier> plates,
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<PlateWellMaterialMapping> listPlateMaterialMapping(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates,
            MaterialTypeIdentifier materialTypeIdentifierOrNull)
    {
        return createScreeningApiImpl(sessionToken).listPlateMaterialMapping(plates,
@@ -594,15 +695,20 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
    }

    @Override
-    public List<PlateMetadata> getPlateMetadataList(String sessionToken,
-            List<? extends PlateIdentifier> plateIdentifiers) throws IllegalArgumentException
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public List<PlateMetadata> getPlateMetadataList(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plateIdentifiers)
+            throws IllegalArgumentException
    {
        return createScreeningApiImpl(sessionToken).getPlateMetadata(plateIdentifiers);
    }

    @Override
-    public ExperimentImageMetadata getExperimentImageMetadata(String sessionToken,
-            ExperimentIdentifier experimentIdentifer)
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public ExperimentImageMetadata getExperimentImageMetadata(
+            String sessionToken,
+            @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experimentIdentifer)
    {
        checkSession(sessionToken);
        return createScreeningApiImpl(sessionToken).getExperimentImageMetadata(experimentIdentifer);

--- a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/shared/IScreeningServer.java
+++ b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/shared/IScreeningServer.java
@@ -22,14 +22,6 @@ import org.springframework.transaction.annotation.Transactional;

 import ch.systemsx.cisd.common.exceptions.UserFailureException;
 import ch.systemsx.cisd.openbis.generic.shared.IServer;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.AuthorizationGuard;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.Capability;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.ReturnValueFilter;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.RolesAllowed;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.AbstractTechIdPredicate.DataSetTechIdPredicate;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.AbstractTechIdPredicate.ExperimentTechIdPredicate;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.DataSetCodePredicate;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.SampleTechIdPredicate;
 import ch.systemsx.cisd.openbis.generic.shared.basic.TechId;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.CodeAndLabel;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.ExternalData;
@@ -37,16 +29,9 @@ import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Material;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.MaterialType;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewMaterial;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewSamplesWithTypes;
-import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Sample;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.SampleParentWithDerived;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Vocabulary;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.DatasetReferencePredicate;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.ExperimentSearchCriteriaPredicate;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.MaterialExperimentFeatureVectorSummaryValidator;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.MaterialFeaturesOneExpPredicate;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.WellContentValidator;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.authorization.WellSearchCriteriaPredicate;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.basic.dto.AnalysisProcedures;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.basic.dto.DatasetReference;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.basic.dto.ExperimentFeatureVectorSummary;
@@ -81,18 +66,14 @@ public interface IScreeningServer extends IServer
     * image analysis only if one dataset with such a data exist.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public PlateContent getPlateContent(String sessionToken,
-            @AuthorizationGuard(guardClass = SampleTechIdPredicate.class)
            TechId plateId);

    /**
     * Loads feature vector of specified dataset with one feature specified by name.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public FeatureVectorDataset getFeatureVectorDataset(String sessionToken,
-            @AuthorizationGuard(guardClass = DatasetReferencePredicate.class)
            DatasetReference dataset, CodeAndLabel featureName);

    /**
@@ -100,9 +81,7 @@ public interface IScreeningServer extends IServer
     */
    // TODO can return null
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public FeatureVectorValues getWellFeatureVectorValues(String sessionToken,
-            @AuthorizationGuard(guardClass = DataSetCodePredicate.class)
            String datasetCode, String datastoreCode, WellLocation wellLocation);

    /**
@@ -110,9 +89,7 @@ public interface IScreeningServer extends IServer
     * specified dataset, which is supposed to contain images in BDS-HCS format.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public PlateImages getPlateContentForDataset(String sessionToken,
-            @AuthorizationGuard(guardClass = DataSetTechIdPredicate.class)
            TechId datasetId);

    /**
@@ -120,10 +97,7 @@ public interface IScreeningServer extends IServer
     * image dataset and feature vectors.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    @ReturnValueFilter(validatorClass = WellContentValidator.class)
    public List<WellContent> listPlateWells(String sessionToken,
-            @AuthorizationGuard(guardClass = WellSearchCriteriaPredicate.class)
            WellSearchCriteria materialCriteria);

    /**
@@ -133,9 +107,7 @@ public interface IScreeningServer extends IServer
     * the whole well is ignored.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public List<WellReplicaImage> listWellImages(String sessionToken, TechId materialId,
-            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class)
            TechId experimentId);

    /**
@@ -144,9 +116,7 @@ public interface IScreeningServer extends IServer
     *         specified experiment(s) will be returned.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public List<Material> listMaterials(String sessionToken,
-            @AuthorizationGuard(guardClass = WellSearchCriteriaPredicate.class)
            WellSearchCriteria materialCriteria);

    /**
@@ -155,33 +125,23 @@ public interface IScreeningServer extends IServer
     * @param materialType
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public List<Material> listExperimentMaterials(String sessionToken,
-            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class)
            TechId experimentId, MaterialType materialType);

    @Transactional
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public LogicalImageInfo getImageDatasetInfo(String sessionToken,
-            @AuthorizationGuard(guardClass = DataSetCodePredicate.class)
            String datasetCode, String datastoreCode, WellLocation wellLocationOrNull);

    @Transactional
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public ImageDatasetEnrichedReference getImageDatasetReference(String sessionToken,
-            @AuthorizationGuard(guardClass = DataSetCodePredicate.class)
            String datasetCode, String datastoreCode);

    @Transactional
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    List<ImageResolution> getImageDatasetResolutions(String sessionToken,
-            @AuthorizationGuard(guardClass = DataSetCodePredicate.class)
+    public List<ImageResolution> getImageDatasetResolutions(String sessionToken,
            String datasetCode, String datastoreCode);

    @Transactional
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public ImageSampleContent getImageDatasetInfosForSample(String sessionToken,
-            @AuthorizationGuard(guardClass = SampleTechIdPredicate.class)
            TechId sampleId, WellLocation wellLocationOrNull);

    /**
@@ -192,40 +152,32 @@ public interface IScreeningServer extends IServer
     *             uniquely identified by given <var>sampleId</var> does not exist.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public SampleParentWithDerived getSampleInfo(final String sessionToken,
-            @AuthorizationGuard(guardClass = SampleTechIdPredicate.class)
            final TechId sampleId) throws UserFailureException;

    /**
     * For given {@link TechId} returns the corresponding {@link ExternalData}.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public ExternalData getDataSetInfo(String sessionToken,
-            @AuthorizationGuard(guardClass = DataSetTechIdPredicate.class)
            TechId datasetId);

    /**
     * For given {@link TechId} returns the corresponding {@link Material}.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public Material getMaterialInfo(String sessionToken, TechId materialId);

    /**
     * Returns vocabulary with given code.
     */
    @Transactional
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public Vocabulary getVocabulary(String sessionToken, String code) throws UserFailureException;

    /**
     * Registers the contents of an uploaded library.
     */
    @Transactional
-    @RolesAllowed(RoleWithHierarchy.SPACE_ADMIN)
-    @Capability("WRITE_EXPERIMENT_SAMPLE_MATERIAL")
    public void registerLibrary(String sessionToken, String userEmail,
            List<NewMaterial> newGenesOrNull, List<NewMaterial> newOligosOrNull,
            List<NewSamplesWithTypes> newSamplesWithType);
@@ -235,9 +187,7 @@ public interface IScreeningServer extends IServer
     * materials.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public ExperimentFeatureVectorSummary getExperimentFeatureVectorSummary(String sessionToken,
-            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class)
            TechId experimentId, AnalysisProcedureCriteria analysisProcedureCriteria);

    /**
@@ -245,17 +195,13 @@ public interface IScreeningServer extends IServer
     * material.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public MaterialReplicaFeatureSummaryResult getMaterialFeatureVectorSummary(String sessionToken,
-            @AuthorizationGuard(guardClass = MaterialFeaturesOneExpPredicate.class)
            MaterialFeaturesOneExpCriteria criteria);

    /**
     * Returns feature vectors from all experiments for a specified material.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    @ReturnValueFilter(validatorClass = MaterialExperimentFeatureVectorSummaryValidator.class)
    public List<MaterialSimpleFeatureVectorSummary> getMaterialFeatureVectorsFromAllExperiments(
            String sessionToken, MaterialFeaturesManyExpCriteria criteria);

@@ -271,9 +217,7 @@ public interface IScreeningServer extends IServer
     * </p>
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    public AnalysisProcedures listNumericalDatasetsAnalysisProcedures(String sessionToken,
-            @AuthorizationGuard(guardClass = ExperimentSearchCriteriaPredicate.class)
            ExperimentSearchCriteria experimentSearchCriteria);

 }
--- a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/shared/api/v1/IScreeningApiServer.java
+++ b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/shared/api/v1/IScreeningApiServer.java
@@ -23,18 +23,6 @@ import org.springframework.transaction.annotation.Transactional;
 import ch.systemsx.cisd.common.api.IRpcService;
 import ch.systemsx.cisd.common.api.MinimalMinorVersion;
 import ch.systemsx.cisd.openbis.generic.shared.api.v1.dto.Sample;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.AuthorizationGuard;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.ReturnValueFilter;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.RolesAllowed;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.DataSetCodeCollectionPredicate;
-import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.ExperimentIdentifierPredicate;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.PlateIdentifierPredicate;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.PlateWellReferenceWithDatasetsValidator;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.ScreeningExperimentValidator;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.ScreeningPlateListReadOnlyPredicate;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.ScreeningPlateValidator;
-import ch.systemsx.cisd.openbis.plugin.screening.shared.api.internal.authorization.WellIdentifierPredicate;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentImageMetadata;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.FeatureVectorDatasetReference;
@@ -71,7 +59,7 @@ public interface IScreeningApiServer extends IRpcService
     * Service part of the URL to access this service remotely.
     */
    public static final String SERVICE_URL = "/rmi-" + SERVICE_NAME + "-api-v1";
-    
+
    public static final String JSON_SERVICE_URL = SERVICE_URL + ".json";

    /**
@@ -94,22 +82,16 @@ public interface IScreeningApiServer extends IRpcService
     * hierarchical context (space, project, experiment).
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    @ReturnValueFilter(validatorClass = ScreeningPlateValidator.class)
    List<Plate> listPlates(String sessionToken) throws IllegalArgumentException;

-
    /**
     * Return the list of all plates assigned to the given experiment.
     * 
     * @since 1.5
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(5)
-    List<Plate> listPlates(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experiment)
+    List<Plate> listPlates(String sessionToken, ExperimentIdentifier experiment)
            throws IllegalArgumentException;

    /**
@@ -119,12 +101,9 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.8
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(8)
-    List<PlateMetadata> getPlateMetadataList(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
-            throws IllegalArgumentException;
+    List<PlateMetadata> getPlateMetadataList(String sessionToken,
+            List<? extends PlateIdentifier> plates) throws IllegalArgumentException;

    /**
     * Return the list of all visible experiments, along with their hierarchical context (space,
@@ -133,8 +112,6 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.1
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    @ReturnValueFilter(validatorClass = ScreeningExperimentValidator.class)
    @MinimalMinorVersion(1)
    List<ExperimentIdentifier> listExperiments(String sessionToken);

@@ -145,7 +122,6 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.6
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.INSTANCE_OBSERVER)
    @MinimalMinorVersion(6)
    List<ExperimentIdentifier> listExperiments(String sessionToken, String userId);

@@ -154,22 +130,16 @@ public interface IScreeningApiServer extends IRpcService
     * sets containing feature vectors for each of these plates.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    List<FeatureVectorDatasetReference> listFeatureVectorDatasets(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
-            throws IllegalArgumentException;
+    List<FeatureVectorDatasetReference> listFeatureVectorDatasets(String sessionToken,
+            List<? extends PlateIdentifier> plates) throws IllegalArgumentException;

    /**
     * For a given set of plates provide the list of all data sets containing images for each of
     * these plates.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    List<ImageDatasetReference> listImageDatasets(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
-            throws IllegalArgumentException;
+    List<ImageDatasetReference> listImageDatasets(String sessionToken,
+            List<? extends PlateIdentifier> plates) throws IllegalArgumentException;

    /**
     * For a given set of plates provide the list of all data sets containing raw images for each of
@@ -178,12 +148,9 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.6
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(6)
-    List<ImageDatasetReference> listRawImageDatasets(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
-            throws IllegalArgumentException;
+    List<ImageDatasetReference> listRawImageDatasets(String sessionToken,
+            List<? extends PlateIdentifier> plates) throws IllegalArgumentException;

    /**
     * For a given set of plates provide the list of all data sets containing segmentation images
@@ -192,21 +159,15 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.6
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(6)
-    List<ImageDatasetReference> listSegmentationImageDatasets(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates)
-            throws IllegalArgumentException;
+    List<ImageDatasetReference> listSegmentationImageDatasets(String sessionToken,
+            List<? extends PlateIdentifier> plates) throws IllegalArgumentException;

    /**
     * Converts a given list of dataset codes to dataset identifiers.
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    List<IDatasetIdentifier> getDatasetIdentifiers(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = DataSetCodeCollectionPredicate.class) List<String> datasetCodes);
+    List<IDatasetIdentifier> getDatasetIdentifiers(String sessionToken, List<String> datasetCodes);

    /**
     * For the given <var>experimentIdentifier</var>, find all plate locations that are connected to
@@ -216,12 +177,10 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.1
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(1)
-    List<PlateWellReferenceWithDatasets> listPlateWells(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experimentIdentifer,
-            MaterialIdentifier materialIdentifier, boolean findDatasets);
+    List<PlateWellReferenceWithDatasets> listPlateWells(String sessionToken,
+            ExperimentIdentifier experimentIdentifer, MaterialIdentifier materialIdentifier,
+            boolean findDatasets);

    /**
     * For the given <var>materialIdentifier</var>, find all plate locations that are connected to
@@ -231,8 +190,6 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.2
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
-    @ReturnValueFilter(validatorClass = PlateWellReferenceWithDatasetsValidator.class)
    @MinimalMinorVersion(2)
    List<PlateWellReferenceWithDatasets> listPlateWells(String sessionToken,
            MaterialIdentifier materialIdentifier, boolean findDatasets);
@@ -243,35 +200,27 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.3
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(3)
-    public List<WellIdentifier> listPlateWells(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = PlateIdentifierPredicate.class) PlateIdentifier plateIdentifier);
+    public List<WellIdentifier> listPlateWells(String sessionToken, PlateIdentifier plateIdentifier);

    /**
-     * For a given <var>wellIdentifier</var>, return the corresponding {@link Sample} including properties.
+     * For a given <var>wellIdentifier</var>, return the corresponding {@link Sample} including
+     * properties.
     * 
     * @since 1.3
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(3)
-    public Sample getWellSample(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = WellIdentifierPredicate.class) WellIdentifier wellIdentifier);
-    
+    public Sample getWellSample(String sessionToken, WellIdentifier wellIdentifier);
+
    /**
     * For a given <var>plateIdentifier</var>, return the corresponding {@link Sample}.
     * 
     * @since 1.7
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(7)
-    public Sample getPlateSample(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = PlateIdentifierPredicate.class) PlateIdentifier plateIdentifier);
+    public Sample getPlateSample(String sessionToken, PlateIdentifier plateIdentifier);

    /**
     * For a given list of <var>plates</var>, return the mapping of plate wells to materials
@@ -284,11 +233,9 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.2
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(2)
-    List<PlateWellMaterialMapping> listPlateMaterialMapping(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ScreeningPlateListReadOnlyPredicate.class) List<? extends PlateIdentifier> plates,
+    List<PlateWellMaterialMapping> listPlateMaterialMapping(String sessionToken,
+            List<? extends PlateIdentifier> plates,
            MaterialTypeIdentifier materialTypeIdentifierOrNull);

    /**
@@ -297,10 +244,8 @@ public interface IScreeningApiServer extends IRpcService
     * @since 1.9
     */
    @Transactional(readOnly = true)
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
    @MinimalMinorVersion(1)
-    ExperimentImageMetadata getExperimentImageMetadata(
-            String sessionToken,
-            @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experimentIdentifer);
+    ExperimentImageMetadata getExperimentImageMetadata(String sessionToken,
+            ExperimentIdentifier experimentIdentifer);

 }
--- a/screening/sourceTest/java/ch/systemsx/cisd/openbis/plugin/screening/shared/ServerInterfaceRegressionTest.java
+++ b/screening/sourceTest/java/ch/systemsx/cisd/openbis/plugin/screening/shared/ServerInterfaceRegressionTest.java
@@ -14,11 +14,13 @@
 * limitations under the License.
 */

-package ch.systemsx.cisd.openbis.plugin.screening.shared;
+package ch.systemsx.cisd.openbis.plugin.screening.server;

 import org.testng.annotations.Test;

 import ch.systemsx.cisd.openbis.generic.shared.RegressionTestCase;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.IScreeningServer;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.IScreeningApiServer;

 /**
 * @author Tomasz Pylak
@@ -28,6 +30,13 @@ public class ServerInterfaceRegressionTest extends RegressionTestCase
    @Test
    public void testServerAnnotations()
    {
-        assertMandatoryMethodAnnotations(IScreeningServer.class);
+        assertMandatoryMethodAnnotations(IScreeningServer.class, ScreeningServer.class);
+    }
+    
+    @Test
+    public void testApiServerAnnotations()
+    {
+        assertMandatoryMethodAnnotations(IScreeningApiServer.class, ScreeningServer.class,
+                "tryLoginScreening: RolesAllowed\n" + "logoutScreening: RolesAllowed\n");
    }
 }
--- a/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/ScreeningServerAuthorizationTest.java
+++ b/screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/ScreeningServerAuthorizationTest.java
+/*
+ * Copyright 2012 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.screening.systemtests;
+
+import java.util.Collections;
+import java.util.List;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import ch.systemsx.cisd.common.exceptions.AuthorizationFailureException;
+import ch.systemsx.cisd.openbis.generic.server.ICommonServerForInternalUse;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Grantee;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewMaterial;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewSamplesWithTypes;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Person;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy.RoleCode;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Space;
+import ch.systemsx.cisd.openbis.generic.shared.dto.identifier.DatabaseInstanceIdentifier;
+import ch.systemsx.cisd.openbis.generic.shared.dto.identifier.SpaceIdentifier;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.IScreeningServer;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.ResourceNames;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.IScreeningApiServer;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
+
+/**
+ * 
+ *
+ * @author Franz-Josef Elmer
+ */
+public class ScreeningServerAuthorizationTest extends AbstractScreeningSystemTestCase
+{
+    private static final String TEST_USER = "test-user";
+    private static final String SPACE_CODE = "CISD";
+    
+    private ICommonServerForInternalUse commonServer;
+    private IScreeningServer screeningServer;
+    private IScreeningApiServer screeningApiServer;
+    private String userSessionToken;
+
+    @BeforeMethod
+    public void setUp()
+    {
+        commonServer =
+                (ICommonServerForInternalUse) applicationContext
+                        .getBean(ch.systemsx.cisd.openbis.generic.shared.ResourceNames.COMMON_SERVER);
+        Object serverBean = applicationContext
+                .getBean(ResourceNames.SCREENING_PLUGIN_SERVER);
+        screeningServer = (IScreeningServer) serverBean;
+        screeningApiServer = (IScreeningApiServer) serverBean;
+        String sessionToken = commonServer.tryToAuthenticateAsSystem().getSessionToken();
+        if (hasSpace(sessionToken, SPACE_CODE) == false)
+        {
+            commonServer.registerSpace(sessionToken, SPACE_CODE, null);
+        }
+        if (hasPerson(sessionToken, TEST_USER) == false)
+        {
+            commonServer.registerPerson(sessionToken, TEST_USER);
+            Grantee grantee = Grantee.createPerson(TEST_USER);
+            commonServer.registerSpaceRole(sessionToken, RoleCode.OBSERVER, new SpaceIdentifier(
+                    SPACE_CODE), grantee);
+        }
+        userSessionToken = commonServer.tryToAuthenticate(TEST_USER, "abc").getSessionToken();
+    }
+
+    private boolean hasSpace(String sessionToken, String spaceCode)
+    {
+        List<Space> spaces =
+                commonServer.listSpaces(sessionToken, DatabaseInstanceIdentifier.HOME_INSTANCE);
+        for (Space space : spaces)
+        {
+            if (space.getCode().equals(spaceCode))
+            {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    private boolean hasPerson(String sessionToken, String personID)
+    {
+        List<Person> persons = commonServer.listPersons(sessionToken);
+        for (Person person : persons)
+        {
+            if (person.getUserId().equals(personID))
+            {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    @Test(expectedExceptions = AuthorizationFailureException.class)
+    public void testSetSessionUserFailsBecauseOfNonAuthorized()
+    {
+        screeningServer.setSessionUser(userSessionToken, "system");
+    }
+    
+    @Test(expectedExceptions = AuthorizationFailureException.class)
+    public void testListPlatesFailsBecauseOfAuthorization()
+    {
+        screeningApiServer.listPlates(userSessionToken, new ExperimentIdentifier("a", "b", "c", "d"));
+    }
+    
+    @Test(expectedExceptions = AuthorizationFailureException.class)
+    public void testRegisterLibraryFailsBecauseOfNonAuthorized()
+    {
+        screeningServer.registerLibrary(userSessionToken, "",
+                Collections.<NewMaterial> emptyList(), Collections.<NewMaterial> emptyList(),
+                Collections.<NewSamplesWithTypes> emptyList());
+    }
+    
+}