Servlet spec changes for security and JSR311

From: Bill Burke <>
Date: Tue, 01 Apr 2008 10:26:19 -0400

I've been reluctant to add security features to our JAX-RS
implementation mainly because I believe that the combination of the
Servlet and EJB (or Spring) specifications should be enough. Servlet
spec can be used to authenticate/authorize URL patterns. EJB can be
used for very fine grain security like authorization on exchanging
different content type formats.

The major problem I've found with this approach lies solely with the
fault of the Servlet spec and its poor definition of <url-pattern>. If
you want a site that has a mix of secured and unsecured URLs, the
servlet spec just can't handle all JAX-RS use cases it as a "foo/*/bar"
pattern is not supported. For example, I can't do fine grain security on:


Have address unsecure
Credit card secured.

Maybe this usecase is contrived, but my intuition tells me not.

Now, finally, my quesiton: I wondering if we should get a minor tweak to
the Servlet 3.0 spec?

Bill Burke
JBoss, a division of Red Hat