users@jax-rs-spec.java.net

[jax-rs-spec users] JAX-RS Security

From: Casey Lee <cplee_at_nektos.com>
Date: Fri, 12 Dec 2014 08:53:03 -0800

I have some opinions on opportunities for adding security to JAX-RS.
First, on the client side I'd love to see a method added to
Invocation.builder to add an implementation of a new interface named
AuthorizationProvider. This would allow implementations of
AuthorizationProvider to be created for specific types of authz...like
OAuth2AuthorizationProvider or BasicAuthorizationProvider. These
providers would be responsible for applying the necessary Authorization
header (or query params?) to the invocation. What are the thoughts on
adding some standard providers to the API? OAuth 2.0 for example is
something that has become ubiquitous, but has a steep learning curve
for developers to use properly.

On the server side aren't the JSR-250 security annotations supported
by JAX-RS? Or is that only implemented by some specific vendors?
Seems that those solve coarse-grained security (by role). We have
chosen to leverage those annotations and treat OAuth 2.0 scopes as
roles. Would it make sense to have a more OAuth 2.0 specific solution
(@ScopesAllowed)?

-Casey
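The client-side idea in the post, sketched as an added example that is not code from the post or from the JAX-RS API: `AuthorizationProvider` and `BearerAuthorizationProvider` are hypothetical names, and since no `Invocation.Builder` hook exists the provider is attached through the standard JAX-RS 2.0 `ClientRequestFilter`. The filter also restricts the credential to the expected HTTPS host so a token is not leaked to an unrelated origin, for example after a redirect.

```java
import java.io.IOException;
import java.net.URI;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.core.HttpHeaders;

/** Hypothetical interface from the post: yields the Authorization header value for a request. */
interface AuthorizationProvider {
    String authorization(ClientRequestContext request);
}

/** Hypothetical provider for OAuth 2.0 bearer tokens (RFC 6750). */
final class BearerAuthorizationProvider implements AuthorizationProvider {
    private final String accessToken;
    BearerAuthorizationProvider(String accessToken) { this.accessToken = accessToken; }
    @Override
    public String authorization(ClientRequestContext request) { return "Bearer " + accessToken; }
}

/** Standard JAX-RS 2.0 ClientRequestFilter that applies the provider to outgoing requests. */
final class AuthorizationFilter implements ClientRequestFilter {
    private final AuthorizationProvider provider;
    private final String allowedHost;
    AuthorizationFilter(AuthorizationProvider provider, String allowedHost) {
        this.provider = provider;
        this.allowedHost = allowedHost;
    }
    @Override
    public void filter(ClientRequestContext requestContext) throws IOException {
        URI uri = requestContext.getUri();
        // Only attach the credential over HTTPS and to the host it was issued for;
        // silently skipping it keeps the token from reaching other origins.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || !allowedHost.equalsIgnoreCase(uri.getHost())) {
            return;
        }
        requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, provider.authorization(requestContext));
    }
}

public class AuthorizationFilterDemo {
    public static void main(String[] args) {
        // Constructed token and host; every request through this Client passes the filter.
        AuthorizationProvider provider = new BearerAuthorizationProvider("constructed-access-token");
        Client client = ClientBuilder.newClient().register(new AuthorizationFilter(provider, "api.example.com"));
        // client.target("https://api.example.com/resource").request().get() would carry the header;
        // a request to any other host or to plain http would not.
        client.close();
    }
}
```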