[jax-rs-spec users] [jsr339-experts] Feature Proposal: Using @RolesAllowed for JAX-RS resources

From: Markus KARG <>
Date: Sun, 28 Oct 2012 13:56:07 +0100



I'd like to ask you to comment this feature proposal for improved integration of
JAX-RS with EJB security annotations. :-)





From: Marek Potociar []
Sent: Samstag, 27. Oktober 2012 18:10
Subject: [jsr339-experts] Re: Integration of Java EE security annotations
with JAX-RS 2.0


I don't think that's something we would be able to specify in JAX-RS 2.0




On Oct 27, 2012, at 4:01 PM, Markus KARG <> wrote:




possibly I (again) missed an already finished discussion (I am happy if you
send an archive URL in that case).:


I want to ask whether there are plans to integrate JAX-RS 2.0's automatic
creation of "Allow:" (as a rection to OPTIONS) with Java EE's security
annotations like "@RolesAllowed"?




Given the following EJB-integrated JAX-RS resource.


@Path("/stats") @Stateless class UserStatistics {

  @GET @RolesAllowed("Administrators") public getSomeInteresticMetrics() {.}



.will the automatic OPTIONS response provided by a compliant JAX-RS
implementation have to automatically omit "GET" in case the caller is not
authenticated and authorized as an Administrator?


If not, this would be a really brilliant addition the the EJB-integration
chapter of the spec, as it allows client applications to prevent a GET
invocation completely, hence show a "disabled" GUI or suppress a senseless
network roundtrip. :-)