[resteasy-dev] @RolesAllowed and interfaces
Robert Marcano
robert at marcanoonline.com
Wed May 18 11:34:34 EDT 2016
Sorry for replying to myself, do you people prefer a JIRA issue for
discussion? I ask for the lack of response :(
On 05/14/2016 09:00 PM, Robert Marcano wrote:
> Greetings.
>
> When using resource interfaces, the RolesAllowed annotation is only used
> if it is found on the interface and not on the implementation class.
> This took me by surprise because if you use the same annotation on an
> EJB, it is only valid when it is on the bean implementation, not on the
> remote or local interfaces. Probably there should be some consistency
> here with other JEE specs.
>
> I use interfaces in order to use a proxy based client from a remote JVM
> that is migrating from EJB remoting. There is no need for the clients to
> know which roles are allowed (or their names), so I want to avoid the
> need to add RolesAllowed to the interfaces.
>
> Before submitting a bug report or working on a patch. What is the best
> approach here?
>
> 1- only use RolesAllowed when they are on the implementation class, It
> will break existing code
>
> 2- implementation RolesAllowed override interface RolesAllowed
>
> 3- merge implementation RolesAllowed and interface RolesAllowed. Union
> or intersection of both group of roles?
>
> The same questions are valid for @PermitAll and @DenyAll
>
> Note: please update the website mailing list link, I subscribed to the
> sourceforge mailing list yesterday in order to send this email. Noticed
> the migration notice because I checked today the web archive for the
> lack of response.
More information about the resteasy-dev
mailing list