dev@jsr311.java.net

Missing security integration in maintenance draft

From: Bill Burke <bburke_at_redhat.com>
Date: Tue, 23 Jun 2009 17:09:31 -0400

The specification seems to forget to map annotation-based security
constraints. The current version of the Servlet 3.0 specification in
section 13.4 specifies the relationship between 250 security annotations
and how they map to web.xml metadata. JAX-RS 1.1 should reference this
section to state how to interpret mappings. We may also want to
borrow/allow the @TransportProtected annotation.

I've stated this before, but JAX-RS doesn't mix very well with security
constraints and <url-pattern> as the Servlet 2.x and 3.0 specifications
have very limited url pattern matching (it only supports /* wildcards and
not even /foo/*/bar). We may need some language there too unless you
can get the servlet guys to change.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
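
The url-pattern limitation described in the message, as an added example that is not part of the original post or of either specification: a Servlet-style url-pattern matcher next to a simplified JAX-RS @Path template matcher. The class name, the resource template and the request paths are constructed for illustration, and the template matcher handles only plain {name} variables.

```java
import java.util.regex.Pattern;

public class UrlPatternGap {
    // Servlet url-pattern rules: "/x/*" is a path-prefix mapping, "*.x" an
    // extension mapping, "/" the default; any other string is an exact match.
    static boolean servletMatches(String pattern, String path) {
        if (pattern.equals("/")) return true;
        if (pattern.startsWith("/") && pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            String last = path.substring(path.lastIndexOf('/') + 1);
            int dot = last.lastIndexOf('.');
            return dot >= 0 && last.substring(dot).equals(pattern.substring(1));
        }
        return pattern.equals(path); // "/foo/*/bar" lands here: '*' is a literal
    }

    // Simplified JAX-RS @Path template: each {name} matches one path segment.
    static boolean jaxrsMatches(String template, String path) {
        String[] literals = template.split("\\{[^/}]+\\}", -1);
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) re.append("[^/]+");
            re.append(Pattern.quote(literals[i]));
        }
        return Pattern.matches(re.toString(), path);
    }

    public static void main(String[] args) {
        String template = "/foo/{id}/bar";                 // hypothetical resource
        String[] constraints = {"/foo/*/bar", "/foo/*"};   // candidate <url-pattern>s
        String[] requests = {"/foo/123/bar", "/foo/123/baz", "/foo/*/bar"};
        for (String c : constraints)
            for (String r : requests)
                System.out.printf("constraint %-11s request %-13s resource=%-5b constrained=%b%n",
                        c, r, jaxrsMatches(template, r), servletMatches(c, r));
    }
}
```

With the constraint /foo/*/bar, the request /foo/123/bar reaches the resource but is not constrained; /foo/* does constrain it, along with every other path under /foo.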