users@jersey.java.net

[Jersey] Re: looking for helping hand on securing service

From: Django <django013_at_soft.schwarzrot-design.de>
Date: Mon, 11 Aug 2014 06:16:45 +0200

Hi Libor,

On Friday 08 August 2014 - 07:58:51, Libor Kramolis wrote:
> You can see RolesAllowedDynamicFeature uses
> requestContext.getSecurityContext().isUserInRole(role) [1] to implement
> security filtering.

I did some more tests and thought about the given implementation, responsibility
...

with the conclusion: the SecurityContext of WebComponent is conceptually wrong.

Why?

A request is just a chunk of bits sent from the client to the server, so a
request class may have methods to access the bits or even interpret subchunks
of bits ...
... but a request does not (and should not) know anything about a principal. A
UserPrincipal should be very private information of the server/service.
The same is true for the roles of a user. So a request can't even respond to a
question like isUserInRole. That's a server question, not a request question.

So I think, getUserPrincipal and isUserInRole should be handled by
SecurityContext and definitely not delegated to HttpServletRequest. A request
context may know something about it, but not the request itself.
Service developers / Jersey users may then inject their own interpretation of
SecurityContext but not change/extend the request.

I would like to hear your thoughts about that detail.


br Django
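
The following is an added example, not part of the original message or of Jersey's own code: a JAX-RS 2.0 request filter that installs a server-side SecurityContext, so that the `requestContext.getSecurityContext().isUserInRole(role)` call quoted above is answered from the service's own data rather than by HttpServletRequest. The class name, the bearer-token scheme and the two in-memory maps are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Hypothetical filter name; register it alongside RolesAllowedDynamicFeature.
@Provider
@Priority(Priorities.AUTHENTICATION) // AUTHENTICATION filters run before AUTHORIZATION filters
public class ServerSideSecurityContextFilter implements ContainerRequestFilter {

    // Constructed sample data; a real service would query its own session and role stores.
    private static final Map<String, String> USER_BY_TOKEN = Map.of("constructed-token-1", "alice");
    private static final Map<String, Set<String>> ROLES_BY_USER = Map.of("alice", Set.of("admin"));

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String token = (header != null && header.startsWith("Bearer ")) ? header.substring(7) : null;
        final String user = (token == null) ? null : USER_BY_TOKEN.get(token);
        if (user == null) { // fail closed: unknown or missing credentials never get a principal
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        final Principal principal = () -> user; // Principal.getName() returns the server-side user id
        final boolean secure = ctx.getSecurityContext() != null && ctx.getSecurityContext().isSecure();
        // The request only carried the token; principal and roles come from the server's data.
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) { return ROLES_BY_USER.getOrDefault(user, Set.of()).contains(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}
```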