Sorry for replying to myself, do you people prefer a JIRA issue for
discussion? I ask because of the lack of response :(
On 05/14/2016 09:00 PM, Robert Marcano wrote:
Greetings.
When using resource interfaces, the RolesAllowed annotation is only used
if it is found on the interface and not on the implementation class.
This took me by surprise because if you use the same annotation on an
EJB, it is only valid when it is on the bean implementation, not on the
remote or local interfaces. Probably there should be some consistency
here with other JEE specs.
I use interfaces in order to use a proxy-based client from a remote JVM
that is migrating from EJB remoting. There is no need for the clients to
know which roles are allowed (or their names), so I want to avoid the
need to add RolesAllowed to the interfaces.
Before submitting a bug report or working on a patch, what is the best
approach here?
1- only use RolesAllowed when they are on the implementation class; it
will break existing code
2- implementation RolesAllowed overrides interface RolesAllowed
3- merge implementation RolesAllowed and interface RolesAllowed. Union
or intersection of both groups of roles?
The same questions are valid for @PermitAll and @DenyAll
Note: please update the website mailing list link, I subscribed to the
SourceForge mailing list yesterday in order to send this email. I noticed
the migration notice because I checked the web archive today, given the
lack of response.
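
The three options listed in the message above, worked through as an added example; it is not code from the original thread or from the framework under discussion. The `RolesAllowed` annotation here is a local stand-in for `javax.annotation.security.RolesAllowed`, and `AccountResource`, `AccountResourceImpl`, `Policy` and `resolve` are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class RolesLookupDemo {
    // Local stand-in for javax.annotation.security.RolesAllowed (no dependencies needed).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }

    // Hypothetical resource interface shared with remote proxy clients.
    interface AccountResource {
        @RolesAllowed({"user", "admin"}) String balance();
    }
    // Hypothetical server-side implementation carrying its own annotation.
    static class AccountResourceImpl implements AccountResource {
        @Override @RolesAllowed("admin") public String balance() { return "0"; }
    }

    enum Policy { IMPL_ONLY, IMPL_OVERRIDES, UNION, INTERSECTION }

    // Method annotations are not inherited from interfaces, so each
    // declaration has to be inspected separately. null = no annotation.
    static Set<String> roles(Method m) {
        RolesAllowed r = m.getAnnotation(RolesAllowed.class);
        return r == null ? null : new TreeSet<>(Arrays.asList(r.value()));
    }

    static Set<String> resolve(Class<?> impl, Class<?> iface, String name, Policy p)
            throws NoSuchMethodException {
        Set<String> onImpl = roles(impl.getMethod(name));
        Set<String> onIface = roles(iface.getMethod(name));
        switch (p) {
            case IMPL_ONLY:      return onImpl;                              // option 1
            case IMPL_OVERRIDES: return onImpl != null ? onImpl : onIface;   // option 2
            default:                                                         // option 3
                if (onImpl == null || onIface == null) return onImpl != null ? onImpl : onIface;
                Set<String> merged = new TreeSet<>(onImpl);
                if (p == Policy.UNION) merged.addAll(onIface); else merged.retainAll(onIface);
                return merged;
        }
    }

    public static void main(String[] args) throws Exception {
        for (Policy p : Policy.values())
            System.out.println(p + " -> "
                + resolve(AccountResourceImpl.class, AccountResource.class, "balance", p));
    }
}
```

With union, a role named only on the interface widens access beyond what the implementation declares; with intersection, disjoint role sets produce an empty set, which a caller would have to treat as deny-all rather than as unrestricted.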