2010/5/31 Paul Sandoz <Paul.Sandoz_at_sun.com>:
>
> Both. I have logged:
>
> https://jsr311.dev.java.net/issues/show_bug.cgi?id=99
>
> The workaround using an ExceptionMapper is portable.
>
> Paul.
>
Thanks. However, my main problem was that authorization is not
implemented. I haven't even noticed the incorrect HTTP error code. I
think, the proper way would be - first to implement access control, so
it could generate 401 if user was not allowed to access. Right now it
looks like a missing link between EJB authorization and Jersey.
BTW: I was thinking - maybe there is no need to implement resources as
session beans. Actually, I do not need my resources to be session
beans as long as I can delegate to them. E.g. servlet is not a session
bean and EJB injection and security works fine.
My first attempt failed:
@Path("generic")
@RolesAllowed("user")
public class GenericResource {
....
}
It works but @RolesAllowed is ignored. How can I turn the security on
without using session beans?