@ApplicationPath("jax")
@Path("rs")
public class AdditionService extends Application {
    @RolesAllowed("student")
    @GET
    @Path("/add/{num1}/{num2}")
    public String addp(....) {...}
}
It is not an EJB, but we can still define the role-based security in web.xml when the resource class is deployed.
The web.xml can be:
Thanks for the explanation.
I understand it now. I missed the point that there is actually a web.xml that has already specified the roles of students and teachers.
In option 1, if AdditionService (a servlet-based resource class) is deployed, the @RolesAllowed won't do anything because @RolesAllowed is only used by EJB 3, not by servlets.
Also, in an EJB-based web service, the role-based annotations are in addition to the security defined in web.xml.
Using an example to compare role-based security annotation and role-based security in web.xml:
1. @RolesAllowed on a specific method specifies fine-grained role-based security. That means it specifies the role-based security of a particular method.
2. Using web.xml specifies the general role-based security. For example, it specifies who can access all the @GET methods.
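A web.xml of the kind discussed in this thread, as an added example that is not part of any original post. It assumes the resource is reachable under /jax/rs/add/ (from the @ApplicationPath and @Path values in the class above) and uses the student and teacher roles mentioned in the thread; the BASIC login configuration, the realm name and the display names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: declarative, URL-based role security for the
     AdditionService resource. Names marked "assumed" are not from the thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>addition-resource</web-resource-name> <!-- assumed name -->
      <!-- @ApplicationPath("jax") + @Path("rs") + @Path("/add/{num1}/{num2}") -->
      <url-pattern>/jax/rs/add/*</url-pattern>
      <!-- Listing a method constrains ONLY that method; every other HTTP
           method on this URL stays unprotected. Remove this element to
           cover all methods. -->
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Same role the @RolesAllowed annotation names on addp(). -->
      <role-name>student</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC credentials are only base64-encoded, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>        <!-- assumed mechanism -->
    <realm-name>example-realm</realm-name>  <!-- assumed realm -->
  </login-config>

  <!-- Every role referenced in a constraint must be declared here. -->
  <security-role>
    <role-name>student</role-name>
  </security-role>
  <security-role>
    <role-name>teacher</role-name>
  </security-role>

</web-app>
```

The constraint is matched on the request URL and HTTP method by the servlet container before the resource class is invoked, which is why it applies regardless of whether the class is an EJB.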
1. @RolesAllowed on a specific method specifies fine-grained role-based security. That means it specifies the role-based security of a particular method.
Yes, fine-grained, method-based security
2. Using web.xml specifies the general role-based security. For example, it specifies who can access all the @GET methods.