users@jax-rs-spec.java.net

[jax-rs-spec users] [jsr339-experts] Re: Feature Proposal: Using @RolesAllowed for JAX-RS resources

From: Sergey Beryozkin <sberyozkin_at_talend.com>
Date: Tue, 30 Oct 2012 10:16:42 +0000

On 29/10/12 07:34, Jan Algermissen wrote:
>
> On Oct 28, 2012, at 1:56 PM, Markus KARG<markus_at_headcrashing.eu> wrote:
>
>> Experts,
>>
>> I'd like to ask you to comment on this feature proposal http://java.net/jira/browse/JAX_RS_SPEC-304 for improved integration of JAX-RS with EJB security annotations. :-)
>
> I don't think that the Allow header is conceptually tied to authorization. AFAIK it informs about general server or resource capabilities, orthogonal to any given principal.
>
> I think it would be wise to check back on the HTTP list, first.

The idea of "(4) The JAX-RS's automatically provided "Allow" header for
an OPTIONS request will omit any HTTP methods which would be not
executed following the sense of (3) when requested with the same
security credentials as the OPTIONS call (i. e. either unauthenticated
or authenticated as the same user)." does not work.

It is really a server-side issue, making sure the authenticated client is
properly authorized, so I'm not sure what OPTIONS has to do with it. I
can already hear the security experts saying this would allow a rogue
client to use this mechanism to expose the info the client does not need
to know.

Now, in UI frontends, it is handy sometimes to block certain actions
based on the client's identity. This can still be resolved by offering
client-specific views (presented after the initial login), and in cases
when the UI is too rigid, it is a completely out-of-scope activity for
JAX-RS anyway.

I'm -1 on it.

Cheers, Sergey



>
> Jan
>
>
>
>>
>> Regards
>> Markus
>>
>> From: Marek Potociar [mailto:marek.potociar_at_oracle.com]
>> Sent: Samstag, 27. Oktober 2012 18:10
>> To: jsr339-experts_at_jax-rs-spec.java.net
>> Subject: [jsr339-experts] Re: Integration of Java EE security annotations with JAX-RS 2.0
>>
>> I don't think that's something we would be able to specify in JAX-RS 2.0 timeframe.
>>
>> Marek
>>
>> On Oct 27, 2012, at 4:01 PM, Markus KARG<markus_at_headcrashing.eu> wrote:
>>
>>
>>
>> Experts,
>>
>> possibly I (again) missed an already finished discussion (I would be happy if you sent an archive URL in that case)…:
>>
>> I want to ask whether there are plans to integrate JAX-RS 2.0's automatic creation of "Allow:" (as a reaction to OPTIONS) with Java EE's security annotations like "@RolesAllowed"?
>>
>> Example:
>>
>> Given the following EJB-integrated JAX-RS resource…
>>
>> @Path("/stats") @Stateless public class UserStatistics {
>>     // return type added; the method body is elided in the original
>>     @GET @RolesAllowed("Administrators") public String getSomeInteresticMetrics() {…}
>> }
>>
>> …will the automatic OPTIONS response provided by a compliant JAX-RS implementation have to automatically omit "GET" in case the caller is not authenticated and authorized as an Administrator?
>>
>> If not, this would be a really brilliant addition to the EJB-integration chapter of the spec, as it allows client applications to prevent a GET invocation completely, hence show a "disabled" GUI or suppress a senseless network roundtrip. :-)
>>
>> Regards
>> Markus
>>
>