jsr339-experts@jax-rs-spec.java.net

[jsr339-experts] Re: Integration of Java EE security annotations with JAX-RS 2.0

From: Marek Potociar <marek.potociar_at_oracle.com>
Date: Sat, 27 Oct 2012 18:09:46 +0200

I don't think that's something we would be able to specify in JAX-RS 2.0 timeframe.

Marek

On Oct 27, 2012, at 4:01 PM, Markus KARG <markus_at_headcrashing.eu> wrote:

>
> Experts,
>
> possibly I (again) missed an already finished discussion (I am happy if you send an archive URL in that case)…:
>
> I want to ask whether there are plans to integrate JAX-RS 2.0's automatic creation of "Allow:" (as a rection to OPTIONS) with Java EE's security annotations like "@RolesAllowed"?
>
> Example:
>
> Given the following EJB-integrated JAX-RS resource…
>
> @Path("/stats") @Stateless class UserStatistics {
> @GET @RolesAllowed("Administrators") public getSomeInteresticMetrics() {…}
> }
>
> …will the automatic OPTIONS response provided by a compliant JAX-RS implementation have to automatically omit "GET" in case the caller is not authenticated and authorized as an Administrator?
>
> If not, this would be a really brilliant addition the the EJB-integration chapter of the spec, as it allows client applications to prevent a GET invocation completely, hence show a "disabled" GUI or suppress a senseless network roundtrip. :-)
>
> Regards
> Markus