About Question enthuware.ocejws.v6.2.320 :

himaiMinh · Post by **himaiMinh** » Sun Apr 06, 2014 3:35 pm

For the sake of discussion, if the JAX-RS resource is deployed as a servlet, we can still use @RolesAllowed annotation. Here is an example from chapter 15 Security of Jersey user guide:

Code: Select all

@Path("/")
@PermitAll
public class Resource {
    @RolesAllowed("user")
    @GET
    public String get() { return "GET"; }
 
    @RolesAllowed("admin")
    @POST
    public String post(String content) { return content; }
 
    @Path("sub")
    public SubResource getSubResource() {
        return new SubResource();
    }
}

himaiMinh · Post by **himaiMinh** » Sun Apr 06, 2014 4:59 pm

Let me fix my previous post.
After some research from the web sites (http://docs.oracle.com/html/E13981_01/servsecr004.htm and http://pic.dhe.ibm.com/infocenter/wasin ... tions.html),
there are some security annotations defined for EJB and some other annotations defined for servlet.
For example,
@DeclareRole is for Servlet 2.5 or above and EJB 3
@PermitAll, @RolesAllowed and @DenyAll are for EJB 3
@ServletSecurity is for Servlet 3.0
eg. @ServletSecurity (httpMethodConstraint= {@HttpMethodConstraint (value="GET", rolesAllowed="All Role")})

As I can tell, @RolesAllowed cannot be used in JAX-RS deployed as a servlet.

fjwalraven · Post by **fjwalraven** » Mon Apr 07, 2014 9:16 am

Correct.

Enthuware

About Question enthuware.ocejws.v6.2.320 :

About Question enthuware.ocejws.v6.2.320 :

Re: About Question enthuware.ocejws.v6.2.320 :

Re: About Question enthuware.ocejws.v6.2.320 :

Who is online