The article, Securing JAX-RS web services using Annotation, says (imports and a method body added here so the snippet compiles; the original shows only the annotated skeleton):
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.PUT;

@PermitAll   // class-level default: methods without their own annotation are open to any caller
@Stateless
public class AddressBookResource {
    @RolesAllowed("admin")   // method-level annotation overrides the class-level @PermitAll
    @PUT
    public void updateList(String addr) {
        // ... update the address list ...
    }
}
Which of the configurations would be required to support access control for this code?
Option 1. No further configuration is required; the J2EE runtime will read the annotations and configure the web container automatically.
This is wrong. When the JAX-RS resources have authorization constraints associated with them, the JAX-RS runtime relies on the web container to obtain authentication information. This means that the web container must be configured to require authentication data...
Option 2. Developer must configure web container to authenticate access to the resource.
This is correct. Annotations for security follow the declarative security model. Security constraints that are configured in the web.xml file take precedence over security constraints that are programmatically annotated in the application.... Annotated constraints are additional to any configured security constraints. The JAX-RS runtime environment checks for annotated constraints after the web container runtime environment has checked for security constraints that are configured in the web.xml....
When a JAX-RS resource is accessed that corresponds to one of these constraints, authorization checks are performed. Access checks are performed for the declarative security annotation only after the configured constraints are verified.
The web.xml for this example (the <web-resource-collection> and <auth-constraint> belong inside a <security-constraint> element, and the "admin" role referenced there must be declared with <security-role>; both were missing from the fragment above and are added here):
<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- .... -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <!-- declares the role named in the auth-constraint -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <!-- ... -->
</web-app>
Based on this article, web.xml is the first way to declare role-based security constraints. Using security annotations is then the additional way to declare fine-grained constraints.

Procedure
1. Determine if there are security constraints defined by the web.xml ...
2. Security constraints that are configured in the deployment descriptor, the web.xml file, take precedence over security constraints that are programmatically annotated in the application.
3. Determine if you want to add annotations for security, in addition to any constraints in the web.xml file. Decide if you want to add one of the @PermitAll, @DenyAll and @RolesAllowed annotations to provide additional security.
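As an added illustration (not code from the article or from any JAX-RS implementation), the following Python model walks through the two-stage decision the procedure describes: the container evaluates the web.xml security constraint first, and only then does the JAX-RS runtime evaluate the class- and method-level annotations. The resource path "/addressbook" and the status codes are assumptions made for the model.

```python
from dataclasses import dataclass, field

@dataclass
class Caller:
    authenticated: bool = False
    roles: set = field(default_factory=set)

# Stage 1 data: the article's web.xml <security-constraint> (PUT on /* requires "admin").
WEB_XML_CONSTRAINTS = [{"url_pattern": "/*", "methods": {"PUT"}, "roles": {"admin"}}]

# Stage 2 data: annotations on AddressBookResource. "*" models @PermitAll,
# an empty set models @DenyAll, a set of names models @RolesAllowed(...).
CLASS_DEFAULT = "*"                              # @PermitAll on the class
METHOD_ANNOTATIONS = {"updateList": {"admin"}}   # @RolesAllowed("admin") on updateList

def url_matches(pattern, path):
    """Servlet url-pattern matching reduced to exact and prefix ('/x/*') forms."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def container_check(http_method, path, caller, constraints):
    """Web container stage: 'ok', '401' (login-config challenge) or '403'."""
    for c in constraints:
        if c["methods"] and http_method not in c["methods"]:
            continue
        if not url_matches(c["url_pattern"], path):
            continue
        if not caller.authenticated:
            return "401"                         # container demands credentials
        if not caller.roles & c["roles"]:
            return "403"
    return "ok"

def annotation_check(java_method, caller):
    """JAX-RS stage: method-level annotation overrides the class-level one."""
    allowed = METHOD_ANNOTATIONS.get(java_method, CLASS_DEFAULT)
    if allowed == "*":
        return "ok"
    if not allowed:
        return "403"                             # @DenyAll
    return "ok" if caller.roles & allowed else "403"

def authorize(http_method, path, java_method, caller, constraints=WEB_XML_CONSTRAINTS):
    """web.xml constraints are checked first and take precedence; then annotations."""
    verdict = container_check(http_method, path, caller, constraints)
    return verdict if verdict != "ok" else annotation_check(java_method, caller)
```

Passing `constraints=[]` models Option 1: an anonymous PUT is rejected by the annotation with 403 but is never challenged for credentials, which is why the container itself has to be configured to authenticate.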