Missing security integration in maintenance draft

From: Bill Burke <>
Date: Tue, 23 Jun 2009 17:09:31 -0400

The specification seems to forget to map annotation-based security
constraints. The current version of the Servlet 3.0 specification in
section 13.4 specifies the relationship between 250 security annotations
and how they map to web.xml metadata. JAX-RS 1.1 should reference this
section to state how to interpret mappings. We may also want to
borrow/allow the @TransportProtected annotation.

I've stated this before, but JAX-RS doesn't mix very well with security
constraints and <url-pattern> as the Servlet 2.x and 3.0 specification
has very limited url pattern matching (it only supports /* wildcards and
not even /foo/*/bar). We may need some language there too unless you
can get the servlet guys to change.

Bill Burke
JBoss, a division of Red Hat