users@jersey.java.net

Re: [Jersey] Using the Security Annotations

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Thu, 25 Mar 2010 10:42:48 +0100

Hi,

To enable the use of @RolesAllowed on, say, Tomcat, you need to declare
the following resource filter factory:

https://jersey.dev.java.net/nonav/apidocs/latest/jersey/com/sun/jersey/api/container/filter/RolesAllowedResourceFilterFactory.html

in your web.xml.

Paul.

On Mar 24, 2010, at 11:06 PM, Ersin Er wrote:

> Hi,
>
> I am trying to secure my application using the JSR-250 Security
> Annotations. I have a setup as follows:
>
> A tomcat-users.xml file:
>
> <tomcat-users>
>   <role rolename="role1"/>
>   <role rolename="role2"/>
>   <user username="user1" password="pass1" roles="role1"/>
>   <user username="user2" password="pass2" roles="role2"/>
> </tomcat-users>
>
> So I am deploying to Tomcat using the MemoryRealm as I defined in
> the META-INF/context.xml:
>
> <Realm className="org.apache.catalina.realm.MemoryRealm"
>        debug="99"
>        pathname="<<<Full Path To tomcat-users.xml>>>"/>
>
> web.xml:
>
> <!-- Container-managed authentication: every request under /resources/*
>      must come from an authenticated user holding one of the declared roles. -->
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>resources</web-resource-name>
>     <url-pattern>/resources/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>BASIC</auth-method>
> </login-config>
>
> <security-role>
>   <role-name>role1</role-name>
> </security-role>
> <security-role>
>   <role-name>role2</role-name>
> </security-role>
>
> So I assume by this configuration that both role1 and role2 are
> allowed to access /resources/* and further authorization will be
> done via the Annotations Handling. (?)
>
> And finally in one of my resources I have @RolesAllowed("role1").
>
> The problem is that both users (so both roles) are able to access
> the resource after authentication. However, I only expect user1 to
> be able to access the resource.
>
> Do I need any further configuration to make this work?
>
> Thanks.
>
> --
> Ersin
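
As an added example (not code from the original thread or from the Jersey project), this is the web.xml the reply above describes for Jersey 1.x: the ServletContainer servlet is registered with the RolesAllowedResourceFilterFactory via the com.sun.jersey.spi.container.ResourceFilters init-param, alongside the container security constraint from the question. The servlet name "Jersey" and the resource package com.example.resources are assumptions, not from the original.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Jersey 1.x servlet. Servlet name and resource package are assumed. -->
  <servlet>
    <servlet-name>Jersey</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
      <param-name>com.sun.jersey.config.property.packages</param-name>
      <param-value>com.example.resources</param-value>
    </init-param>
    <!-- This is the missing piece from the question: without this factory,
         @RolesAllowed / @PermitAll / @DenyAll are never evaluated and every
         authenticated user reaches every resource method. -->
    <init-param>
      <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
      <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>Jersey</servlet-name>
    <url-pattern>/resources/*</url-pattern>
  </servlet-mapping>

  <!-- The container must still authenticate the caller: the annotation
       filter only consults SecurityContext.isUserInRole(), which is
       populated by the Realm after this constraint triggers BASIC auth. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>role2</role-name>
  </security-role>

</web-app>
```

With this in place, a method or class annotated @RolesAllowed("role1") returns 403 for user2, while any request that is not authenticated at all is rejected by Tomcat with 401 before Jersey sees it. Note that a resource method carrying none of the three annotations remains reachable by every authenticated user, so methods that should be closed need an explicit @RolesAllowed or @DenyAll.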