If I remember correctly, you only need one of the roles in RolesAllowed to be authorized.
> On 11 Dec 2018, at 06:24, César Hernández Mendoza <cesargu...@gmail.com> wrote:
>
> I started to move forward with this PR.
>
> I have one question:
> What would be the correct behavior of a request containing a valid token
> that only has the Group of Claims "crud" but the REST endpoint is
> annotated like this:
>
> @RolesAllowed({"crud", "read-only"})
>
> Should the REST endpoint reply with a 403 because the token used in the
> request doesn't have both Groups of claims?
> or
> Should the REST endpoint reply correctly if and only if the token used in
> the request contains any of these two Groups of claims?
>
> After reading both the MP JWT spec and also section 2.12 of JSR-250 I
> think we have a bug that you can easily reproduce in my PR if you use token
> type "*2*" instead of "1" in the following test:
> https://github.com/apache/tomee/pull/233/files#diff-c8b4606595833238670d666da0b95651R80
>
> On Mon, 3 Dec 2018 at 9:22, Bruno Baptista (<bruno...@gmail.com>) wrote:
>
>> Hi César,
>>
>> Looking forward to reviewing it.
>>
>> Cheers.
>>
>> Bruno Baptista
>> https://twitter.com/brunobat_
>>
>>
>> On 30/11/18 22:44, César Hernández Mendoza wrote:
>>> Hi,
>>>
>>> I'm planning to implement a couple of small improvements on the
>>> MicroProfile JWT example the project already has.
>>> I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.
>>>
>>> I'll keep you updated with the proposal and progress. Ideas and proposals are
>>> more than welcome!
>
> --
> Sincerely:
> César Hernández Mendoza.
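As an added illustration (not code from the TomEE PR or from the MP JWT implementation), the "any of" semantics of JSR-250 section 2.12 written out as a JAX-RS request filter that checks @RolesAllowed against the token's `groups` claim; the class name `AnyRoleFilter` and the use of an injected `JsonWebToken` for the current request are assumptions:

```java
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Hypothetical filter, added for illustration: enforces @RolesAllowed with
// JSR-250 "any of" semantics against the MP JWT "groups" claim.
@Provider
public class AnyRoleFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo;

    @Inject
    private JsonWebToken jwt; // token of the current request, provided by the MP JWT runtime

    @Override
    public void filter(ContainerRequestContext ctx) {
        Method method = resourceInfo.getResourceMethod();
        RolesAllowed annotation = method.getAnnotation(RolesAllowed.class);
        if (annotation == null) {
            // method-level annotation wins; fall back to the class-level one
            annotation = resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class);
        }
        if (annotation == null) {
            return; // endpoint carries no role restriction
        }
        Set<String> groups = (jwt == null || jwt.getGroups() == null)
                ? new HashSet<>() : jwt.getGroups();
        if (!hasAnyRole(groups, annotation.value())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    // A token whose groups contain only "crud" passes
    // @RolesAllowed({"crud", "read-only"}); a token with neither group gets 403.
    static boolean hasAnyRole(Set<String> groups, String[] allowed) {
        for (String role : allowed) {
            if (groups.contains(role)) return true;
        }
        return false;
    }
}
```

A conforming MP JWT container already applies this rule itself; the filter only makes the expected decision explicit for the "crud"-only token case discussed above.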