On May 31, 2010, at 1:20 PM, Witold Szczerba wrote:
> 2010/5/31 Paul Sandoz <Paul.Sandoz_at_sun.com>:
>>
>> Both. I have logged:
>>
>> https://jsr311.dev.java.net/issues/show_bug.cgi?id=99
>>
>> The workaround using an ExceptionMapper is portable.
>>
>> Paul.
>>
>
> Thanks. However, my main problem was that authorization is not
> implemented. I haven't even noticed the incorrect HTTP error code. I
> think, the proper way would be - first to implement access control, so
> it could generate 401 if user was not allowed to access. Right now it
> looks like a missing link between EJB authorization and Jersey.
>

The access control is defined by the web and EJB configuration as a
JAX-RS application is deployed as a servlet. The missing link is
twofold:

1) mapping the AccessLocalException; and
2) returning an appropriate WWW-Authenticate response header.

> BTW: I was thinking - maybe there is no need to implement resources as
> session beans. Actually, I do not need my resources to be session
> beans as long as I can delegate to them. E.g. servlet is not a session
> bean and EJB injection and security works fine.
>
> My first attempt failed:
>
> @Path("generic")
> @RolesAllowed("user")
> public class GenericResource {
> ....
> }
>
> It works but @RolesAllowed is ignored. How can I turn the security on
> without using session beans?
>

See:
https://jersey.dev.java.net/nonav/apidocs/latest/jersey/com/sun/jersey/api/container/filter/RolesAllowedResourceFilterFactory.html

Paul.
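
The two missing pieces named in the reply above (mapping the AccessLocalException and returning a WWW-Authenticate header), sketched as an added example that is not part of the original message or of Jersey itself. The class name, the realm value and the choice of HTTP Basic are assumptions; the realm and scheme must match the `login-config` of the deployed web application.

```java
import javax.ejb.AccessLocalException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

// Hypothetical mapper: translates the EJB container's access denial into
// an HTTP response instead of letting it surface as a server error.
@Provider
public class AccessLocalExceptionMapper
        implements ExceptionMapper<AccessLocalException> {

    // Assumption: placeholder realm; use the <realm-name> from web.xml.
    private static final String REALM = "example-realm";

    // Injected by the JAX-RS runtime; reflects the servlet container's
    // view of the caller for the current request.
    @Context
    private SecurityContext securityContext;

    @Override
    public Response toResponse(AccessLocalException e) {
        if (securityContext.getUserPrincipal() == null) {
            // No authenticated caller: challenge with 401 and tell the
            // client which scheme and realm to authenticate against.
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE,
                            "Basic realm=\"" + REALM + "\"")
                    .build();
        }
        // Caller is authenticated but lacks the required role: asking for
        // credentials again would not help, so answer 403 without a
        // challenge. The exception message is deliberately not echoed,
        // to avoid leaking role or method names to the client.
        return Response.status(Response.Status.FORBIDDEN).build();
    }
}
```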