[jax-rs-spec users] Re: JAX-RS Security

From: Bill Burke
Date: Mon, 15 Dec 2014 08:46:21 -0500

On 12/15/2014 7:27 AM, Sergey Beryozkin wrote:
> Hi Bill
> On 15/12/14 12:14, Bill Burke wrote:
>> Just like JAX-RS, Servlet spec is a standalone specification. There are
>> many embeddable servlet implementations that can run in a "Java SE
>> environment". We would be much better off working with JASPIC to create
>> a JAX-RS binding.
>> But I told you this earlier in the thread: pure JAX-RS does not need a
>> security SPI. Filters work just fine both on the client and server.
> You recommended adding client-side support for 2.0; it was not done,
> but you had some good ideas, right?
> IMHO a higher-level binding, possibly around the latest Security JSR
> would be better, as opposed to working with JASPIC - binding to it can
> be in itself an internal detail if needed...

I'm not sure what the right direction is yet. JASPIC allows you to set
up the user principal, role mappings, and other Subject-related metadata
before it hits the servlet container's (and EJB, and JAX-RS)
@RolesAllowed processing. The SPI is also supposed to propagate the
Subject across component boundaries.

Do you know the scope of the new Security JSR?

Bill Burke
JBoss, a division of Red Hat