users@jersey.java.net

[Jersey] Using Security Constraints with Filters (tomcat)

From: luksurious <lukas_at_brueckner-web.de>
Date: Tue, 8 Mar 2011 11:47:09 -0800 (PST)

Hey,

I'm using Tomcat with Jersey and found that the only way to achieve our custom
authentication scheme is by using a filter.
In this filter I register a Principal like I would in a Tomcat Valve.
Then, to use security annotations like @RolesAllowed, I specified a security
constraint element in my web.xml file.
It appears, however, that the web.xml filtering and checking if the current
role is allowed happens before my filter is processed and the appropriate
principal is registered.
Omitting the auth-constraint leads to proper processing of the filter, but
disables the security annotations.

Is there a way to use the security annotations with a filter in Tomcat? Or
do I have to check for the appropriate role at the beginning of each web
method?

Thanks,
Luke

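
A filter of the kind described above can expose its principal by wrapping the request so that getUserPrincipal() and isUserInRole() answer from the filter's own data. This is an added example, not code from the original post; it assumes @RolesAllowed is enforced inside Jersey (for instance by RolesAllowedResourceFilterFactory) from the request's role methods rather than by a web.xml auth-constraint. CustomAuthFilter, the X-Auth-Token header and the SESSIONS table are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the poster's code. CustomAuthFilter, the X-Auth-Token
// header and the SESSIONS table are hypothetical stand-ins for the custom scheme.
public class CustomAuthFilter implements Filter {

    /** Authenticated identity: a name plus the roles granted to it. */
    static final class User implements Principal {
        final String name; final Set<String> roles;
        User(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<String>(Arrays.asList(roles));
        }
        public String getName() { return name; }
    }

    // Constructed sample data; a real scheme would validate the credential.
    static final Map<String, User> SESSIONS = new HashMap<String, User>();
    static {
        SESSIONS.put("sample-token-1", new User("alice", "admin", "user"));
        SESSIONS.put("sample-token-2", new User("bob", "user"));
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String token = http.getHeader("X-Auth-Token");
        final User user = (token == null) ? null : SESSIONS.get(token);
        if (user == null) {   // fail closed: never continue without a principal
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Everything after this filter sees the identity through the servlet API.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public Principal getUserPrincipal() { return user; }
            @Override public String getRemoteUser() { return user.getName(); }
            @Override public boolean isUserInRole(String role) {
                return user.roles.contains(role);
            }
        }, res);
    }
}
```

The filter has to be mapped in web.xml ahead of the Jersey servlet so that the wrapped request is the one Jersey receives.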