What I want to do is to configure a REST service with basic authentication 
and roles authorization using RESTEasy.
Currently, I am confused with the security configuration and I hope 
someone can help me.

REST service : http://localhost:8080/xedu-web/rest/course/{1}

import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;

@Path("/course")
public class CourseRestService {
    private CourseServices service;

    private ServiceContextServices serviceContextServices;

    // @RolesAllowed("users")
    @GET
    @Path("/{id}")
    @Produces({"application/json", "application/xml"})
    @Consumes({"application/json", "application/xml"})
    public XEDUEICourseSingleResponse find(@PathParam("id") Integer id,
            @QueryParam("serviceContext") EIServiceContext serviceContext) {
        try {
            EISingleResponse<XEDUEICourse> ei = service.findEI(id);
            return new XEDUEICourseSingleResponse(ei);
        } catch (ConversionException ce) {
            throw new BadRequestRestException(ce);
        } catch (Exception e) {
            throw new ComponentRestException(e);
        }
    }
}

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0"



Request filter:

import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
public class AuthenticationRequestFilter implements ContainerRequestFilter {
    public void filter(ContainerRequestContext ctx) throws IOException {
        User user = null;

        try {
            String[] credentials = readCredentials(ctx);  // parses the Basic Authorization header
            String username = credentials[0];
            String password = credentials[1];
            user = authenticate(username, password);      // looks the user up in the application database
        } catch (AuthenticationException e) {
            switch (e.getErrorCode()) {
                case 401:
                case 403:
                    // Stop the request here with the status code carried by the exception
                    ctx.abortWith(Response.status(e.getErrorCode()).build());
                    return;
            }
        }

        // Set the custom security context
        // (passing the container's SecurityContext as second argument is an assumption;
        // the original argument was cut off)
        if (user != null)
            ctx.setSecurityContext(new AppSecurityContext(user, ctx.getSecurityContext()));
    }
}

The current (correct) behavior is the following:
- when I send a request with a valid credential (user1), the request filter authenticates the user and the service returns the resource data.
- when I send a request without credentials, my request filter returns a 401 code.
- when I send a request with an unknown user, my filter returns a 403

My question is: how to set up authorization on methods based on roles?
Users and roles are stored in an application database, not on JBoss.

Here's what I did and that did not work:
- I added the annotation @RolesAllowed("users") on my service method.
- I set a custom SecurityContext in my request filter that associates the role "users" to the user "user1".
- I added and set the context-param "resteasy.role.based.security" to true in web.xml.

The resulting behavior is that my filter is never called, and all requests 
result in a 403 code.
It seems that the role is checked before calling my request filter, so 
that the custom SecurityContext is not yet created.

Lately, I read in the documentation that we must not enable "resteasy.role.based.security" if we use EJBs, and that is my case.
However, I didn't find any example or description about what to do in that case.
Resteasy-users mailing list
