I wrote:
> Could that be the problem - that I'm injecting the SecurityContext
> into the method call rather than into the resource class itself?
That seemed to fix it, actually:
Request
GET
http://localhost:8000/ HTTP/1.0
Accept: text/plain
Authorization: Basic [redacted]
Response when user is not in group
HTTP/1.1 403 Forbidden
server: grizzly/1.9.18
Date: Wed, 02 Jun 2010 13:19:56 GMT
Connection: close
Response when user is in group
HTTP/1.1 200 OK
server: grizzly/1.9.18
Content-Type: text/plain
Date: Wed, 02 Jun 2010 13:22:53 GMT
Connection: close
Sorry for the false alarm, I must have been doing something stupid.
--Chris