Sorry for replying to myself, do you people prefer a JIRA issue for
discussion? I ask for the lack of response :(
On 05/14/2016 09:00 PM, Robert Marcano wrote:
When using resource interfaces, the RolesAllowed annotation is only used
if it is found on the interface and not on the implementation class.
This took me by surprise because if you use the same annotation on an
EJB, it is only valid when it is on the bean implementation, not on the
remote or local interfaces. Probably there should be some consistency
here with other JEE specs.
I use interfaces in order to use a proxy based client from a remote JVM
that is migrating from EJB remoting. There is no need for the clients to
know which roles are allowed (or their names), so I want to avoid the
need to add RolesAllowed to the interfaces.
Before submitting a bug report or working on a patch. What is the best
1- only use RolesAllowed when they are on the implementation class, It
will break existing code
2- implementation RolesAllowed override interface RolesAllowed
3- merge implementation RolesAllowed and interface RolesAllowed. Union
or intersection of both group of roles?
The same questions are valid for @PermitAll and @DenyAll
Note: please update the website mailing list link, I subscribed to the
sourceforge mailing list yesterday in order to send this email. Noticed
the migration notice because I checked today the web archive for the
lack of response.