jsr339-experts@jax-rs-spec.java.net

[jsr339-experts] Re: Integration of Java EE security annotations with JAX-RS 2.0

From: Markus KARG <markus_at_headcrashing.eu>
Date: Sun, 28 Oct 2012 08:56:16 +0100

Understood. So I'll file a JIRA for that for a potential 2.1 candidate
feature.

 

From: Marek Potociar [mailto:marek.potociar_at_oracle.com]
Sent: Saturday, 27 October 2012 18:10
To: jsr339-experts_at_jax-rs-spec.java.net
Subject: [jsr339-experts] Re: Integration of Java EE security annotations
with JAX-RS 2.0

 

I don't think that's something we would be able to specify in JAX-RS 2.0
timeframe.

 

Marek

 

On Oct 27, 2012, at 4:01 PM, Markus KARG <markus_at_headcrashing.eu> wrote:

Experts,

 

possibly I (again) missed an already finished discussion (I am happy if you
send an archive URL in that case):

 

I want to ask whether there are plans to integrate JAX-RS 2.0's automatic
creation of "Allow:" (as a reaction to OPTIONS) with Java EE's security
annotations like "@RolesAllowed"?

 

Example:

 

Given the following EJB-integrated JAX-RS resource.

 

@Path("/stats") @Stateless class UserStatistics {

  @GET @RolesAllowed("Administrators") public String getSomeInteresticMetrics() {...}

}

 

...will the automatic OPTIONS response provided by a compliant JAX-RS
implementation have to automatically omit "GET" in case the caller is not
authenticated and authorized as an Administrator?

 

If not, this would be a really brilliant addition to the EJB-integration
chapter of the spec, as it allows client applications to prevent a GET
invocation completely, hence show a "disabled" GUI or suppress a senseless
network roundtrip. :-)

 

Regards

Markus
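
The behaviour asked about in this thread can be approximated in application code today. The following is an added example, not part of the original messages and not taken from the JAX-RS specification or any implementation: a hypothetical helper, RoleAwareAllow, that derives a per-caller "Allow" value from the security annotations on a resource class such as UserStatistics, assuming the standard javax.ws.rs and javax.annotation.security APIs are on the classpath.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.Path;
import javax.ws.rs.core.SecurityContext;

/** Hypothetical helper: computes a per-caller "Allow" value from security annotations. */
public final class RoleAwareAllow {

    /** Value for the Allow header of resourceClass's own path, as seen by the caller in sc. */
    public static String allowHeader(Class<?> resourceClass, SecurityContext sc) {
        Set<String> verbs = new TreeSet<>();
        for (Method m : resourceClass.getMethods()) {
            // Methods carrying their own @Path belong to a different URI.
            if (m.isAnnotationPresent(Path.class)) continue;
            String verb = httpVerb(m);
            if (verb != null && callerMayInvoke(m, sc)) verbs.add(verb);
        }
        if (verbs.contains("GET")) verbs.add("HEAD"); // JAX-RS serves HEAD via GET
        verbs.add("OPTIONS");
        return String.join(", ", verbs);
    }

    /** Returns "GET", "PUT", ... if m carries a JAX-RS method designator, else null. */
    private static String httpVerb(Method m) {
        for (Annotation a : m.getAnnotations()) {
            HttpMethod hm = a.annotationType().getAnnotation(HttpMethod.class);
            if (hm != null) return hm.value();
        }
        return null;
    }

    /** Method-level annotations take precedence over class-level @RolesAllowed. */
    private static boolean callerMayInvoke(Method m, SecurityContext sc) {
        if (m.isAnnotationPresent(DenyAll.class)) return false;
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) ra = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        if (ra == null) return true; // no constraint declared
        for (String role : ra.value()) if (sc.isUserInRole(role)) return true;
        return false;
    }
}
```

A resource can return this value from an explicit @OPTIONS method that takes an injected @Context SecurityContext, which replaces the automatically generated OPTIONS response for that path. The header is only a hint for the client; the container still has to enforce @RolesAllowed on the actual invocation.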