Re: JSR311: Servlet spec changes for security and JSR311

From: Bill Burke <>
Date: Tue, 01 Apr 2008 12:00:46 -0400

Marc Hadley wrote:
> On Apr 1, 2008, at 10:26 AM, Bill Burke wrote:
>> I've been reluctant to add security features to our JAX-RS
>> implementation mainly because I believe that the combination of the
>> Servlet and EJB (or Spring) specifications should be enough. Servlet
>> spec can be used to authenticate/authorize URL patterns. EJB can be
>> used for very fine grain security like authorization on exchanging
>> different content type formats.
>> The major problem I've found with this approach lies solely with the
>> fault of the Servlet spec and its poor definition of <url-pattern>.
>> If you want a site that has a mix of secured and unsecured URLs, the
>> servlet spec just can't handle all JAX-RS use cases it as a
>> "foo/*/bar" pattern is not supported. For example, I can't do fine
>> grain security on:
>> /customers/{id}/address
>> /customers/{id}/creditcard
>> Have address unsecure
>> Credit card secured.
>> Maybe this usecase is contrived, but my intuition tells me not.
> To give fine-grained control we anticipate allowing use of @RolesAllowed
> on resource classes, sub-resource methods and sub-resource locators

This is the approach that I wanted to avoid....JSR311 creating its own
component model. EE is supposed to have an integrated platform and each
spec seems to want to create their own component model. I mean, the
only thing differentiating JAX-RS from EJB-lite will be transaction

Bill Burke
JBoss, a division of Red Hat