[resteasy-dev] @RolesAllowed and interfaces
Robert Marcano
robert at marcanoonline.com
Sat May 14 21:00:48 EDT 2016
Greetings.
When using resource interfaces, the RolesAllowed annotation is only used
if it is found on the interface and not on the implementation class.
This took me by surprise because if you use the same annotation on an
EJB, it is only valid when it is on the bean implementation, not on the
remote or local interfaces. Probably there should be some consistency
here with other JEE specs.
I use interfaces in order to use a proxy based client from a remote JVM
that is migrating from EJB remoting. There is no need for the clients to
know which roles are allowed (or their names), so I want to avoid the
need to add RolesAllowed to the interfaces.
Before submitting a bug report or working on a patch. What is the best
approach here?
1- only use RolesAllowed when they are on the implementation class, It
will break existing code
2- implementation RolesAllowed override interface RolesAllowed
3- merge implementation RolesAllowed and interface RolesAllowed. Union
or intersection of both group of roles?
The same questions are valid for @PermitAll and @DenyAll
Note: please update the website mailing list link, I subscribed to the
sourceforge mailing list yesterday in order to send this email. Noticed
the migration notice because I checked today the web archive for the
lack of response.
More information about the resteasy-dev
mailing list