[Jersey] Re: user/roles provider for AAA?

From: ljnelson <>
Date: Thu, 28 Apr 2011 07:26:07 -0700 (PDT)

On Thu, Apr 28, 2011 at 9:35 AM, Kristian Rink [via Jersey] <> wrote:

> Well yes, I was thinking about servlet filters here and login() as
> well. However so far either I completely got something wrong or I
> didn't so far figure out how to correctly put things together. Isn't
> login() just making use of the preconfigured security mechanisms in
> order to do what needs to be done?

Jumping in here, yes, that's exactly right--unless you use JACC, you won't
be able to tie *your* security system's notion of authorization into
*Glassfish's* notion of authorization. You can of course *bypass*
Glassfish's notion of authorization by handling security yourself and not
messing around with @RolesAllowed at all, but if you want to accomplish
role-based security by using the standard annotations, you really don't have
any choice. :-(

The other thing about JACC is that your Policy ends up being the One True
Policy for the entire JVM, not just for your web application. So you need
to write a Policy that wraps another and delegates to it as necessary. JACC
looks like it was pulled out of the oven waaaaay too early.
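
Added example, not part of the original message or of Jersey/GlassFish code: a sketch of the wrapping Policy described above, which answers role checks only for one application and delegates everything else to the previously installed policy. The `RoleStore` interface, the class name and the `ownContextId` value are hypothetical; it assumes role checks reach the Policy as `WebRoleRefPermission`, as they do for servlet `isUserInRole()` under JACC, and it does not show registering the class as the container's JACC provider.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebRoleRefPermission;

public class DelegatingRolePolicy extends Policy {

    /** Hypothetical lookup into the application's own user/role store. */
    public interface RoleStore {
        boolean isInRole(String principalName, String role);
    }

    private final Policy delegate;      // policy that was in effect before this one
    private final String ownContextId;  // JACC context ID of our web app (assumed known)
    private final RoleStore roles;

    public DelegatingRolePolicy(Policy delegate, String ownContextId, RoleStore roles) {
        this.delegate = delegate;
        this.ownContextId = ownContextId;
        this.roles = roles;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        // Answer only role-reference checks made inside our own application.
        if (domain != null && permission instanceof WebRoleRefPermission
                && ownContextId.equals(PolicyContext.getContextID())) {
            String role = permission.getActions();  // actions = the role name being tested
            for (Principal p : domain.getPrincipals()) {
                if (roles.isInRole(p.getName(), role)) return true;
            }
            return false;  // our store is authoritative for our app's roles
        }
        // Everything else in the JVM (other apps, code permissions) keeps its old answer.
        return delegate.implies(domain, permission);
    }

    @Override
    public PermissionCollection getPermissions(CodeSource cs) { return delegate.getPermissions(cs); }
    @Override
    public PermissionCollection getPermissions(ProtectionDomain pd) { return delegate.getPermissions(pd); }
    @Override
    public void refresh() { delegate.refresh(); }
}
```

Scoping on the context ID is what keeps a JVM-wide policy from changing authorization decisions for other deployed applications.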

