users@jersey.java.net

[Jersey] Re: user/roles provider for AAA?

From: Kristian Rink <kawazu428_at_googlemail.com>
Date: Thu, 28 Apr 2011 20:26:02 +0200

On Thu, 28 Apr 2011 08:02:38 -0700 (PDT),
ljnelson <ljnelson_at_gmail.com> wrote:
> > As another thought, couldn't I somehow make use of JAAS and map JAAS
> > principals to (application specific) roles for use with
> > @RolesAllowed in some way?
> >
>
> Well, JACC is a specification that governs how JAAS is to be used in
> a Java EE environment.
> Ultimately, JAAS uses a Policy. JACC formalizes what kinds of
> Permissions get handed to a Policy in the world of a Java EE
> application.

Ah, thanks for clarifying and sorry for the mess-up. Looking at the
state of APIs and technologies in Java EE > 1.4, I have to say that
this is not (yet?) on par with servlets and friends from an ease-of-use
point of view, which eventually is not a good thing as we're talking
about security. ;)

Anyway: At the moment I try evaluating which solutions are at hand to
be used in our case. This is how I see things at the moment:

* Use @RolesAllowed and, ultimately, JACC and java.security.Policy.
  This is a tedious bunch of work which would not be too difficult, but
  from my point of view this goes too deep into the whole rest of the
  infrastructure as, as pointed out before, it is effective not just at
  the application or application-server level but even at the VM level.
  Given our current lack of experience with this technology, from my
  point of view this is too risky to be a real option.

* Go for a "proprietary" way and make use of a servlet filter wrapped
  around the JAX-RS endpoints to take care of auth and access control.
  This is not a really clean way but it seems the least painful in
  terms of overall scope of changes as it just affects the resources to
  be protected.

* Find another option on a level not as low/general as
  java.security.Policy to just take care of the features we need. Given
  that in most cases there are many ways to extend or hook into
  existing technologies, I really am surprised to see this ain't
  possible here. After reading through [1], I stumbled across [2] in
  order to write a custom (Glassfish) realm to provide just what we
  need here - domain-specific user and group names to then be mapped to
  application-specific roles, but, given our elaborations on JACC, I am
  unsure whether this would really do what we need here.

Thoughts on that, anyone? Would the custom-realm approach (a) work and
(b) do? Any pitfalls, ... to expect here?

TIA and all the best,
Kristian


[1]http://download.oracle.com/javaee/5/tutorial/doc/bnbxj.html
[2]http://blogs.sun.com/nithya/entry/groups_in_custom_realms
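The second option in the message above (a servlet filter wrapped around the JAX-RS endpoints that maps domain-specific groups to application roles) can be sketched as follows. This is an added example, not code from the original post, from Jersey or from Glassfish; the class name, the group-to-role mapping and the user-to-group lookup table are all constructed for illustration. It assumes that the container has already authenticated the caller (so `getUserPrincipal()` is set), and that Jersey is deployed as a servlet behind this filter, in which case Jersey's `SecurityContext.isUserInRole()`, and therefore its `@RolesAllowed` resource filter, delegates to `HttpServletRequest.isUserInRole()`:

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical role-mapping filter (example code, not from the thread or Jersey).
 * It takes the principal the container has already authenticated, resolves the
 * domain groups for that user, maps them onto application-specific roles and
 * presents those roles through isUserInRole() to everything further down the
 * chain, including Jersey's @RolesAllowed check.
 */
public class RoleMappingFilter implements Filter {

    /** Constructed sample mapping: domain group -> application roles. */
    private static final Map<String, Set<String>> GROUP_TO_ROLES =
            new HashMap<String, Set<String>>();
    static {
        GROUP_TO_ROLES.put("sales-team", new HashSet<String>(Arrays.asList("viewer", "order-writer")));
        GROUP_TO_ROLES.put("it-admins", new HashSet<String>(Arrays.asList("viewer", "admin")));
    }

    /**
     * Constructed sample directory: user name -> domain groups. In a real deployment
     * this lookup would go to the realm or directory the user was authenticated against.
     */
    private static final Map<String, Set<String>> USER_TO_GROUPS =
            new HashMap<String, Set<String>>();
    static {
        USER_TO_GROUPS.put("alice", new HashSet<String>(Arrays.asList("sales-team")));
        USER_TO_GROUPS.put("bob", new HashSet<String>(Arrays.asList("it-admins", "sales-team")));
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure in this example
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        Principal user = httpReq.getUserPrincipal();

        // Fail closed: the filter only maps roles, it does not authenticate. A request
        // without a container-authenticated principal never reaches the resources.
        if (user == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Set<String> roles = resolveApplicationRoles(user.getName());
        chain.doFilter(new RoleAwareRequest(httpReq, roles), res);
    }

    /** Maps a user's domain groups to application roles; unknown users or groups yield no roles. */
    static Set<String> resolveApplicationRoles(String userName) {
        Set<String> groups = USER_TO_GROUPS.get(userName);
        if (groups == null) {
            return Collections.emptySet();
        }
        Set<String> roles = new HashSet<String>();
        for (String group : groups) {
            Set<String> mapped = GROUP_TO_ROLES.get(group);
            if (mapped != null) {
                roles.addAll(mapped);
            }
        }
        return Collections.unmodifiableSet(roles);
    }

    /** Request wrapper that answers isUserInRole() from the mapped application roles. */
    private static final class RoleAwareRequest extends HttpServletRequestWrapper {
        private final Set<String> roles;

        RoleAwareRequest(HttpServletRequest request, Set<String> roles) {
            super(request);
            this.roles = roles;
        }

        @Override
        public boolean isUserInRole(String role) {
            return roles.contains(role);
        }
    }
}
```

To take effect, the filter has to be mapped in web.xml on the same url-pattern as the Jersey servlet and ordered before it, and Jersey 1.x only enforces `@RolesAllowed` when its roles filter is switched on (init-param `com.sun.jersey.spi.container.ResourceFilters` set to `com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory`). Two things are worth checking in such a setup: that the wrapper is the request object Jersey actually sees (another filter re-wrapping the request later in the chain would hide the mapped roles), and that an empty or missing group mapping results in no roles rather than in a default role, so an unmapped user is denied rather than silently granted access.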