I have found the following that answers my question: -

https://docs.jboss.org/resteasy/docs/4.4.0.Final/userguide/html/Securing_JAX-RS_and_RESTeasy.html

So overall I both need to switch on support for the annotations AND configure a path based security constraint in the web.xml to trigger authentication.

Have there been any discussions on looking into this further? It seems plausible that authentication could be triggered in the event a role is required if authentication has not already been performed: -

https://javaee.github.io/javaee-spec/javadocs/javax/servlet/http/HttpServletRequest.html#authenticate-javax.servlet.http.HttpServletResponse-

Regards,

Darran Lofthouse.

On Fri, Nov 1, 2019 at 5:23 PM Darran Lofthouse <darran.lofthouse@jboss.com> wrote:

Hello,

I am presently in the process of adding MicroProfile JWT support to WildFly, most of the code to activate this is now ready but I just wanted to ask for some pointers as to how RestEasy triggers the need for authentication for a request?

I have a deployed endpoint annotated with @RolesAllowed, I am about to attach a debugger and look into the call in more detail but thought I would ask here as well if there are any pointers.

Regards,
Darran Lofthouse.