On May 29, 2010, at 2:15 AM, Witold Szczerba wrote:
> 2010/5/28 Paul Sandoz <Paul.Sandoz_at_sun.com>:
>> Hi,
>>
>> This is missing from the Jersey/EJB/Servlet integration (and also
>> from the
>> JAX-RS spec). Can you log an issue?
>>
>> As a workaround you can register your own impl of
>> ExceptionMapper<AccessLocalException> to map an
>> AccessLocalException to a
>> 401 response. However, i am not sure what the WWW-Authenticate
>> response
>> header should be as Jersey may not be able to access the
>> information as to
>> how the servlet security was configured.
>>
>> Paul.
>
> Does it mean that JAX-RS as a session bean is not fully specified in
> the 'security' area, or is it just not yet implemented?
>
Both. I have logged:
https://jsr311.dev.java.net/issues/show_bug.cgi?id=99
The workaround using an ExceptionMapper is portable.
Paul.