[jax-rs-spec users] Re: JAX-RS Security

From: Markus KARG <>
Date: Fri, 12 Dec 2014 23:45:54 +0100


I am not a security guy at all, so please don't mind if the question is dumb, but doesn't JAAS already define interfaces for authentication providers? If so, we could use those instead of reinventing the wheel.


-----Original Message-----
From: Casey Lee []
Sent: Freitag, 12. Dezember 2014 17:53
Subject: JAX-RS Security

I have some opinions on opportunities for adding security to JAX-RS.
First, on the client side I'd love to see a method added to Invocation.builder to add an implementation of a new interface named AuthorizationProvider. This would allow implementations of AuthorizationProvider to be created for specific types of OAuth2AuthorizationProvider or BasicAuthorizationProvider. These providers would be responsible for applying necessary Authorization header (or query params?) to the invocation. What are the thoughts on adding some standard providers to the API? OAuth 2.0 for example is something that has become ubiquitous, but has a steep learning curve for developers to use properly.

On the server side aren't the JSR-250 security annotations supported by JAX-RS? Or is that only implemented by some specific vendors?
Seems that those solve course grained security (by role). We have chosen to leverage those annotations and treat OAuth 2.0 scopes as roles. Would it make sense to have a more OAuth 2.0 specific solution (@ScopesAllowed)?