Re: JSR311: Servlet spec changes for security and JSR311

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Wed, 02 Apr 2008 12:28:08 +0200

Marc Hadley wrote:
> On Apr 1, 2008, at 12:00 PM, Bill Burke wrote:
>>> To give fine-grained control we anticipate allowing use of
>>> @RolesAllowed on resource classes, sub-resource methods and
>>> sub-resource locators
>> This is the approach that I wanted to avoid....JSR311 creating its own
>> component model. EE is supposed to have an integrated platform and
>> each spec seems to want to create their own component model. I mean,
>> the only thing differentiating JAX-RS from EJB-lite will be
>> transaction demarcation/handling.
> I agree, ideally we'll be able to say that a resource class can be a JSR
> 299 Web Bean and leave it at that. However that may not work out if the
> various time lines don't align so instead we'll have a section on
> expectations (rather than requirements) for a resource class in an EE
> container and then revisit that in a maintenance review once all the
> other pieces are in place. That's what I meant by "anticipate" above.

Some more info. The sub-locator stuff is very different to that of
existing EE stuff. Because of this the URI space is not something that
can be determined statically and is fully known in advance to the
runtime (or even potentially to the developer if classes are loaded
dynamically e.g. there are plug-ins to the web application). The URI
space is augmented at runtime as each object returned by a sub-locator
is processed. Such sub-locator class may also have @RolesAllowed. Thus I
don't think any static declaration and duplication of URI templates at
the servlet container for fine grained security is the right approach.


| ? + ? = To question
    Paul Sandoz