On Apr 13, 2010, at 7:44 PM, James Russo wrote:
> Hello,
>
> Is there any way to enforce certain security requirements (like
> require https?) on certain RESTful methods? I'm thinking about
> writing an annotation to accomplish this (with a filter?), but
> wanted to know if there was a better way. If I do implement it, any
> interest in a patch to add this functionality? Any thoughts on
> annotation design?
>
> @RequireSecureChannel -> look for isSecure() method on request?
>
> My requirements are to just return forbidden, not attempt to
> redirect to the secure channel. It's an API interface. I suppose I
> could implement it at a servlet filter, but I'd rather keep the
> requirement of secure/non-secure close to the method itself.
>
A resource filter would be best, as you suggest. You could support the
case that if the class is annotated then all resource methods, sub-
resource methods and sub-resource locators are checked, unless they
are overridden with an annotation that declares it does not care
whether the request was made using a secure channel or not.
And a contribution would be most welcome. Best way to do that is log
an issue and attach a patch.
Paul.