users@jersey.java.net

Re: [Jersey] @Stateless + @RolesAllowed = ServletException/AccessLocalException

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Fri, 28 May 2010 17:17:22 +0200

Hi,

This is missing from the Jersey/EJB/Servlet integration (and also from
the JAX-RS spec). Can you log an issue?

As a workaround you can register your own impl of
ExceptionMapper<AccessLocalException> to map an AccessLocalException
to a 401 response. However, I am not sure what the WWW-Authenticate
response header should be as Jersey may not be able to access the
information as to how the servlet security was configured.

Paul.

On May 28, 2010, at 2:00 PM, Witold Szczerba wrote:

> Hi there,
> I have a problem with JAX-RS security.
> Environment: GlassFish v3 (build 74.2)
>
> @Path("generic")
> @RolesAllowed("user")
> @Stateless
> public class GenericResource {
> ....
> }
>
> And now:
> http://localhost:8080/WebApplication1/resources/generic
> produces:
> HTTP Status 500
> javax.servlet.ServletException: javax.ejb.AccessLocalException: Client
> not authorized for this invocation.
>
> When I remove @Stateless annotation, then everything works, but
> browser does not ask for user/password, so there is no security.
> However, I have also one servlet in this application like this:
>
> @WebServlet(name="NewServlet", urlPatterns={"/NewServlet"})
> @ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
> public class NewServlet extends HttpServlet {
> ...
> }
>
> And this servlet works fine. Web browser asks for username/password
> and when provided I can see the page, so Glassfish and project/web-app
> are both configured correctly.
>
> Any ideas what's wrong?
>
> Thanks,
> Witold Szczerba
>