The curam.citizenaccount.security.impl.CitizenAccountSecurity API offers a method performDefaultSecurityChecks that will ensure that the user is of the correct type. This method will check the user type, and if not acceptable, will write a message to the logs and fail the transaction. This should be called in the first line of every custom facade method, before any processing or further validation has taken place:
public CitizenPaymentInstDetailsList listCitizenPayments()
    throws AppException, InformationalException {

  // perform security checks
  citizenAccountSecurity.performDefaultSecurityChecks();

  // validate any page parameters (none in this case)

  // invoke business logic
  return citizenPayments.listPayments();
}
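One way to enforce the "first line of every custom facade method" rule in code review or CI is a source check like the following. This is an added example, not part of the product or its documentation; the function names, the sample facade class and its `updateContact` and `listMessages` methods are hypothetical, and the regex assumes conventionally formatted Java.

```python
import re

CHECK = "performDefaultSecurityChecks"  # method name taken from the page
# Public method header up to its opening brace (assumes no parentheses inside the parameter list).
METHOD_RE = re.compile(
    r"public\s+[\w<>\[\],.\s]+?\s+(\w+)\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*\{")
GUARD_RE = re.compile(r"(?:this\.)?\w+\." + CHECK + r"\(\s*\)")

def strip_comments(src):
    """Drop /* */ and // comments so they cannot hide or fake the first statement."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    return re.sub(r"//[^\n]*", " ", src)

def method_body(src, open_idx):  # text between the brace at open_idx and its match
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]

def unguarded_methods(java_source):
    """Names of public methods whose first statement is not the security check."""
    src = strip_comments(java_source)
    missing = []
    for m in METHOD_RE.finditer(src):
        first_stmt = method_body(src, m.end() - 1).split(";", 1)[0].strip()
        if not GUARD_RE.fullmatch(first_stmt):
            missing.append(m.group(1))
    return missing

# Constructed sample facade; updateContact and listMessages are hypothetical methods.
SAMPLE = """
public class CustomCitizenFacade {
  public CitizenPaymentInstDetailsList listCitizenPayments()
      throws AppException, InformationalException {
    // perform security checks
    citizenAccountSecurity.performDefaultSecurityChecks();
    return citizenPayments.listPayments();
  }
  public void updateContact(ContactKey key) throws AppException {
    validator.validate(key);  // validation runs before the check
    citizenAccountSecurity.performDefaultSecurityChecks();
  }
  public MessageList listMessages() { return messages.list(); }
}
"""
```

Calling `unguarded_methods(SAMPLE)` reports both the method that omits the check and the one that validates input before calling it, since either ordering lets processing run for a user of the wrong type.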