dev@jsr311.java.net

Re: JSR311: Missing security integration in maintenance draft

From: Marc Hadley <Marc.Hadley_at_Sun.COM>
Date: Tue, 23 Jun 2009 17:47:45 -0400

On Jun 23, 2009, at 5:09 PM, Bill Burke wrote:

> The specification seems to forget to map annotation-based security
> constraints.

We didn't forget, we just punt to whatever component model the
resource class is implemented with. E.g. if a resource class is an EJB
then the EJB container will support method-targeted security ACLs.

We don't currently require support for any of the JSR 250 common
annotations for POJO resource classes. Not sure yet how the new EE
managed beans spec will change things in an EE container but I suspect
we can just say that that in an EE container a JAX-RS resource class
is a managed bean and inherit whatever capabilities come with that.

> The current version of the Servlet 3.0 specification in section
> 13.4 specifies the relationship between 250 security annotations and
> how they map to web.xml metadata. JAX-RS 1.1 should reference this
> section to state how to interpret mappings. We may also want to
> borrow/allow the @TransportProtected annotation.
>
> I've stated this before, but JAX-RS doesn't mix very well with
> security constraints and <url-pattern> as the Servlet 2.x and 3.0
> specification has very limited url pattern matching (it only
> supports /* wildcards and not even /foo/*/bar). We may need some
> language there too unless you can get the servlet guys to change.
>
I don't see servlet making the necessary changes to support JAX-RS
path templates so path-targeted security ACLs will be necessarily
limited.

In related news its looking like we're going to have to respin the 1.1
MR to account for changes to the Servlet 3 plugability API, managed
beans, and JSR 299. I'll send something out once things settle down
enough for me to be able to draft some spec text.

Marc.