users@jersey.java.net

Re: [Jersey] @RolesAllowed ignored when HEAD not implemented and is called

From: Paul Sandoz <Paul.Sandoz_at_oracle.com>
Date: Tue, 24 Aug 2010 12:01:48 +0200

Hi,

This is fixed in the trunk, see:

   https://jersey.dev.java.net/issues/show_bug.cgi?id=549

The only workaround is to explicitly implement @HEAD methods that
defer to the @GET method.

Paul.

On Aug 23, 2010, at 10:49 PM, claude wrote:

>
> I have a case where a resource implements the GET method using the @GET
> annotation. In addition it limits access to the entire resource via the
> @RolesAllowed annotation. There is no explicit @HEAD annotation. (See code
> below.)
>
> When a HEAD HTTP call is made, Jersey makes a call to the @GET annotated
> function "doGet()" as would be expected. However, the @RolesAllowed limits
> are ignored and the method is called. Then the role limit is applied to the
> result. It seems to me that the @RolesAllowed on the resource class should
> restrict the HEAD call to doGet() on that class.
>
> If I move the @RolesAllowed to the methods of the resource class there is no
> difference.
>
> If I implement an @HEAD annotated method the @RolesAllowed limit is
> respected.
>
> Anybody have any idea why this happens and/or how to fix it?
>
>
>
> import javax.annotation.security.RolesAllowed;
> import javax.ws.rs.GET;
> import javax.ws.rs.HEAD;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.Context;
> import javax.ws.rs.core.Response;
> import javax.ws.rs.core.SecurityContext;
> import org.apache.log4j.Logger;
>
> // @Path is needed for Jersey to serve this as a root resource; the value is assumed
> @Path("/rolesallowedtest")
> @RolesAllowed({"RESTRICTED"})
> public class RolesAllowedTest {
>
>     private static final Logger log = Logger.getLogger(RolesAllowedTest.class);
>
>     // Injected by Jersey; used to check the caller's role inside the method
>     @Context
>     private SecurityContext securityContext;
>
>     public RolesAllowedTest() {
>     }
>
>     @GET
>     @Produces("text/html")
>     public Response doGet() {
>         log.trace("Entered doGet");
>         if (!this.securityContext.isUserInRole("RESTRICTED")) {
>             // The original getContextUtil().getHttpServletRequest() helper is not
>             // shown in the post; SecurityContext exposes the same principal.
>             log.error("Called GET with non restricted user "
>                     + this.securityContext.getUserPrincipal());
>         }
>
>         return Response.ok().build();
>     }
>
>     /*
>     With this commented out, a HEAD call invokes doGet() and exhibits the
>     @RolesAllowed error
>
>     @HEAD
>     @Produces("text/html")
>     public Response doHead() {
>         log.trace("Entered doHead");
>         if (!this.securityContext.isUserInRole("RESTRICTED")) {
>             log.error("Called HEAD with non admin user "
>                     + this.securityContext.getUserPrincipal());
>         }
>
>         return Response.ok().build();
>     }
>     */
>
> }
>
>
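The workaround Paul describes, written out as an added example (this is not code from the thread or from Jersey itself): the resource declares an explicit @HEAD method that defers to the @GET method, so a HEAD request goes through the same @RolesAllowed check as a GET instead of bypassing it. The class name, the @Path value and the in-method 403 check are assumptions made for the example.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.HEAD;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Assumed path and class name for this example.
@Path("/restricted")
@RolesAllowed({"RESTRICTED"})
public class RestrictedResource {

    // Injected by Jersey; gives access to the authenticated principal and roles.
    @Context
    private SecurityContext securityContext;

    @GET
    @Produces("text/html")
    public Response doGet() {
        // Defense in depth: even if the container-level role filter is skipped
        // (as happened for HEAD in the affected Jersey version), refuse to do any
        // work for a caller that lacks the role.
        if (!securityContext.isUserInRole("RESTRICTED")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("<html><body>restricted content</body></html>").build();
    }

    // Explicit HEAD so Jersey does not synthesize one from @GET without the
    // @RolesAllowed check. It reuses doGet() for status and headers and drops
    // the entity, which is all a HEAD response may carry.
    @HEAD
    @Produces("text/html")
    public Response doHead() {
        Response full = doGet();
        return Response.fromResponse(full).entity(null).build();
    }
}
```

Delegating through doGet() keeps a single authorization path for both methods: any role check or early return added to doGet() automatically applies to HEAD, and the entity is discarded only after that check has passed. Once the fix in issue 549 is deployed, the explicit @HEAD method becomes redundant but remains harmless.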