I have a case where a resource implements the GET method using the @GET
annotation. In addition, it limits access to the entire resource via the
@RolesAllowed annotation. There is no explicit @HEAD annotation. (See code
below.)
When a HEAD HTTP call is made, Jersey calls the @GET annotated function
"doGet()", as would be expected. However, the @RolesAllowed limits are
ignored and the method is called. Then the role limit is applied to the
result. It seems to me that the @RolesAllowed on the resource class should
restrict the HEAD call to doGet() on that class.
If I move the @RolesAllowed to the methods of the resource class, there is no
difference.
If I implement an @HEAD annotated method, the @RolesAllowed limit is
respected.
Anybody have any idea why this happens and/or how to fix it?
import java.security.Principal;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.HEAD;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.apache.log4j.Logger;

// @Path added so the class is a root resource; the path value is a placeholder
@Path("/rolesallowedtest")
@RolesAllowed({"RESTRICTED"})
public class RolesAllowedTest {
    private static final Logger log = Logger.getLogger(RolesAllowedTest.class);

    // Injected by Jersey; used for the in-method role check below
    @Context
    private SecurityContext securityContext;

    public RolesAllowedTest() {
    }

    @GET
    @Produces("text/html")
    public Response doGet() {
        log.trace("Entered doGet");
        if (!securityContext.isUserInRole("RESTRICTED")) {
            // principal taken from the injected SecurityContext instead of the
            // original getContextUtil().getHttpServletRequest() helper
            Principal user = securityContext.getUserPrincipal();
            log.error("Called GET with non restricted user " + user);
        }
        return Response.ok().build();
    }

    /*
    With this commented out, a HEAD call invokes doGet() and exhibits the
    @RolesAllowed error
    @HEAD
    @Produces("text/html")
    public Response doHead() {
        log.trace("Entered doHead");
        if (!securityContext.isUserInRole("RESTRICTED")) {
            log.error("Called HEAD with non admin user "
                      + securityContext.getUserPrincipal());
        }
        return Response.ok().build();
    }
    */
}
--
View this message in context: http://jersey.576304.n2.nabble.com/RolesAllowed-ignored-when-HEAD-not-implemented-and-is-called-tp5454241p5454241.html
Sent from the Jersey mailing list archive at Nabble.com.
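The ordering problem described in the post, as an added illustration that is not part of the original message and not Jersey's code: a toy JAX-RS-style dispatcher with a class-level role constraint, one GET handler and the implicit HEAD-to-GET fallback. The "vulnerable" dispatcher models the reported behaviour (the pre-invocation role check is keyed on the requested method, so an implicit HEAD finds nothing, the GET body runs, and a later filter turns the result into a 403); the "fixed" dispatcher resolves the target first, takes the constraints from the handler that will actually run, and refuses before invoking it. The resource, role and handler names are constructed to mirror the posted class; the probe returns the status plus how many times the handler body executed, which is the part a 403 on the wire hides.

```python
"""Added illustration (not Jersey's code): a toy JAX-RS-style dispatcher that
reproduces the ordering problem from the post and the corrected order.
Names (RESTRICTED, doGet) are constructed to mirror the posted class."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Handler:
    fn: Callable[[], bytes]
    roles_allowed: Optional[Set[str]] = None   # method-level @RolesAllowed


@dataclass
class Resource:
    roles_allowed: Optional[Set[str]]          # class-level @RolesAllowed
    methods: Dict[str, Handler]                # HTTP method -> handler


@dataclass
class Response:
    status: int
    body: bytes = b""


def effective_roles(res: Resource, h: Handler) -> Optional[Set[str]]:
    """JSR-250 precedence: a method-level @RolesAllowed overrides the class-level one."""
    return h.roles_allowed if h.roles_allowed is not None else res.roles_allowed


def authorized(allowed: Optional[Set[str]], user_roles: Set[str]) -> bool:
    return allowed is None or bool(allowed & user_roles)


def resolve(res: Resource, method: str) -> Optional[Handler]:
    """JAX-RS implicit HEAD: with no @HEAD method, a HEAD request is served by @GET."""
    h = res.methods.get(method)
    if h is None and method == "HEAD":
        h = res.methods.get("GET")
    return h


def dispatch_vulnerable(res: Resource, method: str, user_roles: Set[str]) -> Response:
    """Models the reported behaviour: the role check before invocation is keyed on
    the *requested* method, so it finds nothing for an implicit HEAD; the GET
    handler runs, and only a post-processing filter turns the result into a 403."""
    declared = res.methods.get(method)
    if declared is not None and not authorized(effective_roles(res, declared), user_roles):
        return Response(403)
    h = resolve(res, method)
    if h is None:
        return Response(405)
    body = h.fn()                                   # side effects already happened
    if not authorized(effective_roles(res, h), user_roles):
        return Response(403)
    return Response(200, b"" if method == "HEAD" else body)


def dispatch_fixed(res: Resource, method: str, user_roles: Set[str]) -> Response:
    """Resolve the target first (including the HEAD->GET fallback), take the
    constraints from the handler that will actually run, and refuse before invoking."""
    h = resolve(res, method)
    if h is None:
        return Response(405)
    if not authorized(effective_roles(res, h), user_roles):
        return Response(403)
    body = h.fn()
    return Response(200, b"" if method == "HEAD" else body)


def make_resource() -> Tuple[Resource, List[str]]:
    """Constructed stand-in for the posted RolesAllowedTest: class-level
    @RolesAllowed({"RESTRICTED"}), one @GET method, no @HEAD method."""
    calls: List[str] = []

    def do_get() -> bytes:
        calls.append("doGet")                       # records that the body executed
        return b"<html>restricted</html>"

    return Resource({"RESTRICTED"}, {"GET": Handler(do_get)}), calls


def probe(dispatch, method: str, user_roles: Set[str]) -> Tuple[int, int]:
    """Returns (status, number of times doGet ran) for one request."""
    res, calls = make_resource()
    return dispatch(res, method, user_roles).status, len(calls)


if __name__ == "__main__":
    for name, d in (("vulnerable", dispatch_vulnerable), ("fixed", dispatch_fixed)):
        for m in ("GET", "HEAD"):
            print(name, m, "anonymous ->", probe(d, m, set()))
            print(name, m, "RESTRICTED ->", probe(d, m, {"RESTRICTED"}))
```

Run as a script, the vulnerable dispatcher answers an anonymous HEAD with 403 exactly like the fixed one, but the invocation count shows doGet ran once, which is why a status-code-only test never catches this; the same probe is the regression check to keep once an explicit @HEAD method (the workaround from the post) or a filter that authorizes the resolved target is in place.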