[jax-rs-spec users] Re: JAX-RS Security

From: Sergey Beryozkin <>
Date: Mon, 15 Dec 2014 14:58:51 +0000

On 15/12/14 13:46, Bill Burke wrote:
> On 12/15/2014 7:27 AM, Sergey Beryozkin wrote:
>> Hi Bill
>> On 15/12/14 12:14, Bill Burke wrote:
>>> Just like JAX-RS, Servlet spec is a standalone specification. There are
>>> many embeddable servlet implementations that can run in a "Java SE
>>> environment". We would be much better off working with JASPIC to create
>>> a JAX-RS binding.
>>> But I told you this earlier in the thread: pure JAX-RS does not need a
>>> security SPI. Filters work just fine both on the client and server.
>> You recommended adding a client side support for 2.0, it was not done
>> but you had some good ideas, right ?
>> IMHO a higher-level binding, possibly around the latest Security JSR
>> would be better, as opposed to working with JASPIC - binding to it can
>> be in itself an internal detail if needed...
> I'm not sure what the right direction is yet. JASPIC allows you to set
> up the user principal, role mappings, and other Subject related metadata
> before it hits the servlet container's (And EJB, and JAX-RS)
> @RoleAllowed processing. The SPI also is supposed to propagate the
> Subject across component boundaries.
> Do you know the scope of the new Security JSR?
I guess this is it:

Cheers, Sergey