[jax-rs-spec users] [jsr339-experts] FW: Integration of Java EE security annotations with JAX-RS 2.0

From: Markus KARG <>
Date: Sat, 27 Oct 2012 16:01:11 +0200




Possibly I (again) missed an already finished discussion (I am happy if you
send an archive URL in that case).


I want to ask whether there are plans to integrate JAX-RS 2.0's automatic
creation of "Allow:" (as a reaction to OPTIONS) with Java EE's security
annotations like "@RolesAllowed"?




Given the following EJB-integrated JAX-RS resource.


@Path("/stats") @Stateless class UserStatistics {

  @GET @RolesAllowed("Administrators") public String getSomeInteresticMetrics() {...}

}

...will the automatic OPTIONS response provided by a compliant JAX-RS
implementation have to automatically omit "GET" in case the caller is not
authenticated and authorized as an Administrator?


If not, this would be a really brilliant addition to the EJB-integration
chapter of the spec, as it allows client applications to prevent a GET
invocation completely, hence show a "disabled" GUI or suppress a senseless
network roundtrip. :-)
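
The behaviour asked about above can be written by hand today. The following is an added example, not part of the original message and not behaviour required by the spec. It assumes the JAX-RS 2.0 and Java EE `javax.*` APIs; the `options`, `httpVerb` and `callerMayInvoke` names and the `String` return type are hypothetical.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/stats") @Stateless public class UserStatistics {
  @GET @RolesAllowed("Administrators")
  public String getSomeInteresticMetrics() { return "metrics"; } // placeholder body

  // Hand-written OPTIONS handler; it takes the place of the automatic response.
  @OPTIONS
  public Response options(@Context SecurityContext sc) {
    Set<String> allowed = new TreeSet<>();
    for (Method m : UserStatistics.class.getDeclaredMethods()) {
      String verb = httpVerb(m);
      if (verb != null && callerMayInvoke(m, sc)) allowed.add(verb);
    }
    // Only a hint for the client: the container still enforces @RolesAllowed on GET.
    return Response.ok().header("Allow", String.join(", ", allowed)).build();
  }

  // JAX-RS verb of a method, read from the @HttpMethod meta-annotation (null if none).
  private static String httpVerb(Method m) {
    for (Annotation a : m.getAnnotations()) {
      HttpMethod hm = a.annotationType().getAnnotation(HttpMethod.class);
      if (hm != null) return hm.value();
    }
    return null;
  }

  // Method-level @DenyAll / @RolesAllowed only; class-level annotations are not handled.
  private static boolean callerMayInvoke(Method m, SecurityContext sc) {
    if (m.isAnnotationPresent(DenyAll.class)) return false;
    RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
    if (ra == null) return true; // no method-level restriction
    for (String role : ra.value()) if (sc.isUserInRole(role)) return true;
    return false;
  }
}
```

Because the "Allow:" value now depends on the caller, the OPTIONS response should not be stored by shared caches (for example by sending `Cache-Control: private`).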