dev@jsr311.java.net

Re: JSR311: SecurityContext.ensureSecure() ?

From: Stephan Koops <Stephan.Koops_at_web.de>
Date: Tue, 08 Apr 2008 15:05:39 +0200

The intention was that sometimes this is only needed for special
resources, not for the full application.
But you are right that it could be delegated to the underlying
container for the full application.

Stephan

Bill Burke wrote:
> I don't think we need it. Underlying implementation should be able to
> handle this, no?
>
> Stephan Koops wrote:
>> Hi,
>>
>> to avoid code like the following
>>
>>     @GET
>>     public Object getSecureData(@Context SecurityContext securityContext,
>>                                 @Context UriInfo uriInfo) {
>>         if (!securityContext.isSecure()) {
>>             ResponseBuilder rb = Response.status(Status.MOVED_PERMANENTLY);
>>             rb.entity("You must use a secure connection");
>>             rb.location(uriInfo.getRequestUriBuilder().scheme("https").build());
>>             throw new WebApplicationException(rb.build());
>>         }
>>         // deliver secure data
>>     }
>>
>> what about a method SecurityContext.ensureSecure() that throws a
>> WebApplication with a redirect to https, if the call was insecure?
>> This will result in better readable code. Another possibility is to
>> use an annotation for this. But this is only useful if we also define
>> the use of @RolesAllowed.
>>
>>     @GET
>>     public Object getSecureData(@Context SecurityContext securityContext,
>>                                 @Context UriInfo uriInfo) {
>>         securityContext.ensureSecure();
>>         // deliver secure data
>>     }
>>
>> The runtime environment must know at set-up time, what the base uri
>> for corresponding http requests is. If no secure base uri was given,
>> or https is otherwise not supported, this method could e.g. reject
>> the request with status 500 and log a message.
>>
>> best regards
>> Stephan
>
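
The annotation variant discussed in this thread, as an added example that is not part of the original messages or of the JSR 311 API: it uses the name-binding filter mechanism from the later JAX-RS 2.0 API (javax.ws.rs.container). The names SecureTransport, RequireSecure and Filter are hypothetical, and the secure base URI is assumed to be supplied at set-up time and to share the path layout of the plain-HTTP endpoint.

```java
import java.lang.annotation.*;
import java.net.URI;
import java.util.logging.Logger;
import javax.ws.rs.NameBinding;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

/** Hypothetical names throughout; an illustration, not part of any JAX-RS release. */
public final class SecureTransport {
    private SecureTransport() {}

    /** Marks a resource class or method that must only be served over HTTPS. */
    @NameBinding
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface RequireSecure {}

    /** Bound by name: runs only for resources carrying @RequireSecure. */
    @RequireSecure
    public static final class Filter implements ContainerRequestFilter {
        private static final Logger LOG = Logger.getLogger(Filter.class.getName());
        private final URI secureBase; // assumption: given at set-up time; null if none

        public Filter(URI secureBase) { this.secureBase = secureBase; }

        @Override
        public void filter(ContainerRequestContext ctx) {
            if (ctx.getSecurityContext().isSecure()) {
                return; // request already arrived over a secure channel
            }
            if (secureBase == null || !"https".equalsIgnoreCase(secureBase.getScheme())) {
                // No HTTPS endpoint known: reject with 500 and log, never serve the data.
                LOG.severe("@RequireSecure resource requested over HTTP, no secure base URI set");
                ctx.abortWith(Response.status(Status.INTERNAL_SERVER_ERROR).build());
                return;
            }
            // Keep path and query of the request; take scheme, host and port from the secure base.
            URI target = ctx.getUriInfo().getRequestUriBuilder()
                    .scheme("https").host(secureBase.getHost()).port(secureBase.getPort()).build();
            ctx.abortWith(Response.status(Status.MOVED_PERMANENTLY)
                    .location(target).entity("You must use a secure connection").build());
        }
    }
}
```

An instance of the filter is registered with the application (for example through Application.getSingletons()), and a resource method then only needs the @SecureTransport.RequireSecure annotation. isSecure() reports the connection as the container sees it, so behind a TLS-terminating proxy the container has to be configured to honour the proxy's forwarded scheme.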