users@jersey.java.net

Re: [Jersey] What if no @RolesAllowed match

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Wed, 02 Jun 2010 15:04:52 +0200

On Jun 2, 2010, at 2:55 PM, Christopher Piggott wrote:

> 403 is what I expected... not sure why I'm not getting it.
>

What status code are you getting instead?


> I'm using
> guice 2.0
> jersey-guice 1.2
> jersey-server 1.2
> grizzly 1.9.18
> guice-servlet 2.0
>
> My test resource looks like:
>
> @Path("/")
> public class RootResource {
>     ...
>
>     @GET
>     @Produces("text/plain")
>     @RolesAllowed({"user"})
>     public Response getSomething(@Context SecurityContext sc) throws JAXBException {
>     }
> }
>
> Could that be the problem - that I'm injecting the SecurityContext
> into the method call rather than into the resource class itself?

No. It will not make any difference.


> I tried moving it out as just a class member, but then it wasn't getting
> injected at all. I didn't try again, though.
>

   @Context SecurityContext sc;

?


> The only other thing I can think of is that I'm doing something wrong
> setting up grizzly ... but I can't think what that would be. I do
> have some exception mappers set up, though I don't have one for
> SecurityException.
>

Have you configured the filter?

https://jersey.dev.java.net/nonav/apidocs/latest/jersey/com/sun/jersey/api/container/filter/RolesAllowedResourceFilterFactory.html

Paul.

>
> On Wed, Jun 2, 2010 at 5:28 AM, Paul Sandoz <Paul.Sandoz_at_sun.com>
> wrote:
>> On Jun 1, 2010, at 10:59 PM, Christopher Piggott wrote:
>>>
>>> If no roles match your resource methods marked @RolesAllowed what is
>>> supposed to happen? I get a blank result, but no real indication that
>>> it failed because of a permissions problem.
>>
>> If the authenticated user is not in any of the roles declared by
>> @RolesAllowed then a 403 (Forbidden) response is returned.
>>
>> What app/web server and client are you using?
>>
>> Jersey does not include an entity in such a response so that the developer
>> can use an exception mapper or servlet error mapping to customize.
>>
>> Paul.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_jersey.dev.java.net
>> For additional commands, e-mail: users-help_at_jersey.dev.java.net
>>
>>
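An added example, not code from this thread or from the Jersey project: one way to register the filter Paul links to when Jersey 1.x is served through guice-servlet, as in the setup described above. The module name `SecuredJerseyModule` and the resource body are assumptions. Without the `ResourceFilters` init parameter, Jersey 1.x does not enforce `@RolesAllowed` at all.

```java
import java.util.HashMap;
import java.util.Map;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import com.google.inject.servlet.ServletModule;
import com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory;
import com.sun.jersey.api.core.ResourceConfig;
import com.sun.jersey.guice.spi.container.servlet.GuiceContainer;

// Hypothetical module name; install it in the injector that backs GuiceFilter.
public class SecuredJerseyModule extends ServletModule {

    // Stand-in for the RootResource quoted in the thread (body is assumed).
    @Path("/")
    public static class RootResource {
        @GET
        @Produces("text/plain")
        @RolesAllowed({"user"})
        public Response getSomething(@Context SecurityContext sc) {
            // Reached only when sc.isUserInRole("user") is true.
            return Response.ok("hello " + sc.getUserPrincipal().getName()).build();
        }
    }

    @Override
    protected void configureServlets() {
        // jersey-guice picks up @Path classes that are bound in the injector.
        bind(RootResource.class);

        Map<String, String> params = new HashMap<String, String>();
        // Key resolves to "com.sun.jersey.spi.container.ResourceFilters".
        // Omitting this entry leaves every @RolesAllowed method open.
        params.put(ResourceConfig.PROPERTY_RESOURCE_FILTER_FACTORIES,
                   RolesAllowedResourceFilterFactory.class.getName());

        // Same init-param a web.xml <servlet> entry would carry.
        serve("/*").with(GuiceContainer.class, params);
    }
}
```

The filter decides by calling `SecurityContext.isUserInRole`, so the container in front of Jersey still has to authenticate the request and supply the roles; with no authenticated principal every `@RolesAllowed` method answers 403.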