users@jax-rs-spec.java.net

[jax-rs-spec users] Re: JAX-RS Security

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Fri, 12 Dec 2014 23:02:20 +0100

Hi,

On Fri, Dec 12, 2014 at 9:05 PM, Santiago Pericas-Geertsen
<Santiago.PericasGeertsen_at_oracle.com> wrote:
>> On the server side aren't the JSR-250 security annotations supported
>> by JAX-RS? Or is that only implemented by some specific vendors?
>
> Not in the spec, but implementations support some annotations. Definitely an area for us to work on, but we also need to keep an eye on the new Security JSR. Hence, why we should wait a bit until diving into this.

More universal support for things like @RolesAllowed has indeed been
discussed before as one of the things the Security API could focus on.

One of the ideas is to implement an Interceptors spec/CDI interceptor
for it so it can be applied to methods of any managed bean.
Incidentally, the primary use case for HttpServletRequest#authenticate
was to let technologies like JAX-RS start an authentication dialog
upon encountering e.g. an @RolesAllowed annotation (which is non-path
based) and finding that the current user is not authenticated.

>> Seems that those solve coarse-grained security (by role). We have
>> chosen to leverage those annotations and treat OAuth 2.0 scopes as
>> roles. Would it make sense to have a more OAuth 2.0 specific solution
>> (@ScopesAllowed)?
>
> Possibly, but this is why we need to liaise with the Security JSR to avoid duplication.

Absolutely agree, would be great if we can align our security related
efforts as much as possible.

Kind regards,
Arjan


>
> -- Santiago
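As an added example of the CDI interceptor idea described in the message above (this is illustrative code, not code from the thread, from JAX-RS, or from any Security JSR implementation): a hypothetical CDI extension turns the JSR-250 @RolesAllowed annotation into an interceptor binding, and the matching interceptor starts an authentication dialog via HttpServletRequest#authenticate when the caller is anonymous, then checks the listed roles with isUserInRole, which is also where OAuth 2.0 scopes mapped to roles would be consulted. The class names, the use of the CDI 2.0 configurator API, and the availability of an HttpServletResponse producer are assumptions.

```java
import java.lang.reflect.Method;
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.enterprise.event.Observes;
import javax.enterprise.inject.spi.BeforeBeanDiscovery;
import javax.enterprise.inject.spi.Extension;
import javax.enterprise.util.Nonbinding;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;

/*
 * Hypothetical extension (assumption, not spec or RI code): registers
 * JSR-250 @RolesAllowed as a CDI interceptor binding and marks its value()
 * member @Nonbinding so that one interceptor matches every role list.
 * Enabled through META-INF/services/javax.enterprise.inject.spi.Extension.
 * Uses the CDI 2.0 configurator API.
 */
public class RolesAllowedExtension implements Extension {

    void registerBinding(@Observes BeforeBeanDiscovery bbd) {
        bbd.configureInterceptorBinding(RolesAllowed.class)
           .methods()
           .forEach(m -> m.add(Nonbinding.Literal.INSTANCE));
    }
}

/* Enforces @RolesAllowed on any managed bean method, JAX-RS resources included. */
@Interceptor
@RolesAllowed("")   // the value is ignored for matching, see the extension above
@Priority(Interceptor.Priority.LIBRARY_BEFORE + 100)
class RolesAllowedInterceptor {

    @Inject HttpServletRequest request;
    // Assumption: the application provides a producer for HttpServletResponse;
    // CDI only supplies HttpServletRequest, HttpSession and ServletContext by default.
    @Inject HttpServletResponse response;

    @AroundInvoke
    public Object enforce(InvocationContext ctx) throws Exception {
        Method method = ctx.getMethod();
        RolesAllowed roles = method.getAnnotation(RolesAllowed.class);
        if (roles == null) {
            // Class-level annotation; use the declaring class, not the CDI proxy subclass.
            roles = method.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        if (roles == null) {
            return ctx.proceed();
        }

        // The annotation is not path based, so no web.xml security-constraint
        // could have triggered login. Start the dialog here instead.
        if (request.getUserPrincipal() == null) {
            if (!request.authenticate(response)) {
                // The container has committed its challenge (401 plus
                // WWW-Authenticate, or a redirect to a login page). Abort the
                // invocation; the resource method must not run.
                throw new NotAuthorizedException("Authentication required", "Bearer");
            }
        }

        // Authenticated: any listed role grants access. If OAuth 2.0 scopes
        // are mapped to roles, this is where a scope such as "orders:read" is checked.
        for (String role : roles.value()) {
            if (request.isUserInRole(role)) {
                return ctx.proceed();
            }
        }
        throw new ForbiddenException("Caller lacks a required role");
    }
}

/* Hypothetical resource using an OAuth 2.0 scope name as a role. */
@Path("/orders")
@RolesAllowed("orders:read")
class OrdersResource {
    @GET
    public String list() {
        return "[]";
    }
}
```

Two caveats worth keeping in mind with this shape: the interceptor relies on the JAX-RS resource being a CDI managed bean, and once request.authenticate has committed a challenge the exception only aborts the invocation; JAX-RS cannot replace the response at that point.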