Hi all,
Is it possible to secure RESTEasy in such a way that you can allow
unauthenticated users to, say, GET a resource, but only permit authenticated
users in the correct roles to POST? Since the resource would be using the same
URL pattern, presumably the entry in the web.xml security constraint
(web-resource-collection) would apply regardless and the client
would be required to authenticate even if they were just trying to do a GET.

An example, in case my attempt at describing the problem in a generic way
fell flat on its face :p

Let's say I have an API that allows you to create a bunch of "widgets". You
can do so by sending an HTTP *POST* to */widgets*, but you must be
authenticated. If you want to look at the list of widgets that people have
created, you can do so by sending an HTTP *GET* to */widgets*, but you
don't have to be authenticated.


Thanks in advance,
Resteasy-users mailing list
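
The method-scoped constraint the question describes, as an added example that is not part of the original post: a constructed web.xml fragment showing the all-methods constraint next to one that leaves GET open. It assumes a Servlet 3.0+ container, BASIC authentication and a hypothetical role named `widget-editor`; the two variants are alternatives, not meant to be deployed together.

```xml
<!-- Constructed example; role, realm and resource names are assumptions. -->

<!-- Variant A (too broad): with no <http-method> element the constraint
     covers every HTTP method, so an anonymous GET /widgets is challenged. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>widgets-all-methods</web-resource-name>
    <url-pattern>/widgets</url-pattern>
    <url-pattern>/widgets/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>widget-editor</role-name>
  </auth-constraint>
</security-constraint>

<!-- Variant B (method-scoped): <http-method-omission> applies the constraint
     to every method EXCEPT the ones listed, so GET stays anonymous while
     POST, PUT, DELETE and any other verb require the role.
     Listing <http-method>POST</http-method> instead would also open GET,
     but every method not listed would then be left unconstrained. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>widgets-write-methods</web-resource-name>
    <url-pattern>/widgets</url-pattern>
    <url-pattern>/widgets/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
  </web-resource-collection>
  <auth-constraint>
    <role-name>widget-editor</role-name>
  </auth-constraint>
</security-constraint>

<!-- Shared by both variants. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>widgets</realm-name>
</login-config>
<security-role>
  <role-name>widget-editor</role-name>
</security-role>
```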