users@jersey.java.net

Using the Security Annotations

From: Ersin Er <ersin.er_at_gmail.com>
Date: Thu, 25 Mar 2010 00:06:36 +0200

Hi,

I am trying to secure my application using the JSR-250 Security Annotations.
I have a setup as follows:

A tomcat-users.xml file:

<tomcat-users>
  <role rolename="role1"/>
  <role rolename="role2"/>
  <user username="user1" password="pass1" roles="role1"/>
  <user username="user2" password="pass2" roles="role2"/>
</tomcat-users>

So I am deploying to Tomcat using the MemoryRealm as I defined in the
META-INF/context.xml:

<Realm className="org.apache.catalina.realm.MemoryRealm" debug="99"
pathname="<<<Full Path To tomcat-users.xml>>>"/>

web.xml:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/resources/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <role-name>role1</role-name>
    </security-role>
    <security-role>
        <role-name>role2</role-name>
    </security-role>

So I assume by this configuration that both role1 and role2 are allowed to
access /resources/* and further authorization will be done via the
Annotations Handling. (?)

And finally in one of my resources I have @RolesAllowed("role1").

The problem is that both users (so both roles) are able to access the
resource after authentication. However, I only expect user1 to access the
resource.

Do I need any further configuration to make this work?

Thanks.

-- 
Ersin
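An added example, not part of the original message: in Jersey 1.x the JSR-250 annotations on a resource are only enforced when the RolesAllowedResourceFilterFactory is registered on the Jersey servlet, so the container's `<auth-constraint>` alone only decides who is authenticated, not who may call a method annotated with @RolesAllowed. The servlet name and resource package below are assumed; the init-param names and class names are the real Jersey 1.x ones.

```xml
<!-- web.xml (Jersey 1.x). Servlet name and package are assumed values. -->
<servlet>
    <servlet-name>JerseyServlet</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>

    <!-- Package that contains the resource classes carrying @RolesAllowed etc. -->
    <init-param>
        <param-name>com.sun.jersey.config.property.packages</param-name>
        <param-value>com.example.resources</param-value>
    </init-param>

    <!-- Without this filter factory, @RolesAllowed / @PermitAll / @DenyAll are
         read by nothing and every authenticated user reaches every method.
         With it, a caller whose SecurityContext is not in one of the listed
         roles receives 403 Forbidden; an unauthenticated caller receives 403
         as well, so keep the container <security-constraint> that forces the
         BASIC challenge in front of /resources/*. -->
    <init-param>
        <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
        <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
    </init-param>
</servlet>

<servlet-mapping>
    <servlet-name>JerseyServlet</servlet-name>
    <url-pattern>/resources/*</url-pattern>
</servlet-mapping>

<!-- The container-level constraint stays as in the message: any declared role
     may authenticate, and the per-method role check is then done by Jersey. -->
<security-constraint>
    <web-resource-collection>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
```

A quick check after deploying: user2 (role2) against a method annotated @RolesAllowed("role1") should now get 403 rather than 200, and the method body should not run.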