Re: JSR311: Issue 18: XML Descriptor

From: Marc Hadley <Marc.Hadley_at_Sun.COM>
Date: Fri, 27 Jun 2008 13:27:51 -0400

On Jun 27, 2008, at 7:47 AM, Bill Burke wrote:

> The only reason I want an XML Descriptor is for security. Even
> though our implementation uses Servlet as a default deployment
> model, I can't use Servlet security in all situations because their
> URL expressions are so limited. For instance the pattern cannot be
> matched using servlet URL expressions:
> {foo}/a/b
> You can't do:
> */a/b as the servlet container will just assume /*
> Then of course you can't limit by media type as well.
> Maybe you guys can lobby the Servlet 3.0 spec to get this changed?

There's a deeper question of what the right security model is too.
With JAX-RS I think a resource-based rather than URI-based model is
preferable. What I mean by that is that you attach security
constraints to resource classes and the HTTP methods on those classes
rather than the servlet approach of attaching security to URI paths.
That way you don't need to worry about how a resource is reached if
the same resource is accessible as a root resource and via a sub-
resource locator.

Use of the @RolesAllowed annotation will give us this in Java code but
I guess we could do with something that a deployer could use as well.


> Paul Sandoz wrote:
>> On Jun 26, 2008, at 7:04 PM, Marc Hadley wrote:
>>> What are folks' use cases and requirements (if any) for an XML
>>> descriptor in:
>>> (a) A non-EE environment
>>> (b) An EE environment
>>> Do folks think we need something like the EJB metadata-complete
>>> facility to make a runtime ignore all JAX-RS annotations ?
>>> I'm struggling a bit since I think most RESTful services would
>>> need to use JAX-RS facilities like Response, UriInfo etc and,
>>> beyond some simple overriding (perhaps turning a method off or
>>> adding a media type to the list of supported ones), I find it hard
>>> to imagine a realistic scenario that would require specifying
>>> everything in XML metadata rather than simply using annotations.
>> Same here.
>> From an ease of use perspective using XML descriptors is taking a
>> big step backwards.
>> Also I am not sure what the plans are for "EJB light" in EE 6 and
>> the relation with WebBeans so perhaps we cannot answer everything
>> until we know more?
>> Paul.
> --
> Bill Burke
> JBoss, a division of Red Hat

Marc Hadley <marc.hadley at>
CTO Office, Sun Microsystems.
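
The difference between the URI-based and resource-based models discussed in this message, as an added illustration that is not part of the original e-mail or of any JAX-RS implementation. OrdersResource, the paths, the roles and the helper names are hypothetical; the nested RolesAllowed is a local stand-in for the real annotation, and the matcher is a simplified model of servlet url-patterns.

```java
import java.lang.annotation.*;
import java.util.*;

public class ResourceVsUriSecurity {
    // Local stand-in for javax.annotation.security.RolesAllowed (assumption: lets this compile on a bare JDK).
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Hypothetical resource, reachable as a root resource (/orders/{id}) and through a
    // sub-resource locator on a customer resource (/customers/{cid}/orders/{id}).
    @RolesAllowed("manager")
    public static class OrdersResource {
        @RolesAllowed({"manager", "clerk"})   // method-level value overrides the class-level one
        public String get() { return "order"; }
        public String delete() { return "deleted"; } // inherits the class-level constraint
    }

    // Simplified servlet url-pattern matching: exact, path prefix ("/x/*") or extension ("*.x").
    static boolean servletMatch(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1));
        return pattern.equals(path);
    }

    // URI-based model: a path that matches no constraint is unprotected.
    static boolean uriModelAllows(Map<String, Set<String>> constraints, String path, String role) {
        for (Map.Entry<String, Set<String>> c : constraints.entrySet())
            if (servletMatch(c.getKey(), path)) return c.getValue().contains(role);
        return true;
    }

    // Resource-based model: the decision depends only on the class and method that will run.
    static boolean resourceModelAllows(Class<?> resource, String method, String role) throws NoSuchMethodException {
        RolesAllowed ra = resource.getMethod(method).getAnnotation(RolesAllowed.class);
        if (ra == null) ra = resource.getAnnotation(RolesAllowed.class);
        return ra == null || Arrays.asList(ra.value()).contains(role);
    }

    public static void main(String[] args) throws Exception {
        Map<String, Set<String>> constraints = Map.of("/orders/*", Set.of("manager")); // constructed sample
        for (String path : List.of("/orders/7", "/customers/42/orders/7"))             // constructed sample
            System.out.printf("%-24s guest DELETE: uri-model=%b resource-model=%b%n", path,
                uriModelAllows(constraints, path, "guest"),
                resourceModelAllows(OrdersResource.class, "delete", "guest"));
    }
}
```

The second path reaches the same resource class but matches no URI constraint, so only the resource-based check still applies to it.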