The user role mapping can come from any user store like an LDAP or a DB. I totally endorse the view of making this extensible to fine-grained authorizations at the data level rather than the API level.
-----Original Message-----
From: Michael Elman [mailto:[email protected]]
Sent: Wednesday, July 15, 2009 12:05 PM
To: [email protected]
Subject: Re: Using @RolesAllowed for Role Based Access Control

My initial thought was to use isUserInRole interface regardless how the user/role relationship was defined. Actually the call for isUserInRole must have the ability for an extension, so the users could override it with the specific behavior (most applications that I know, provide their own authorization mechanism, so we should be able to integrate)

Btw, I think that web.xml contains the roles definitions, while user/role relationships are defined in container.

On Tue, Jul 14, 2009 at 5:58 PM, Nicholas L Gallardo <[email protected]> wrote:

> Does the web.xml have stanzas for defining user/role relationships? Or
> would this have to come from some other config?
>
> Nicholas Gallardo
> WebSphere - REST & WebServices Development
> [email protected]
> Phone: 512-286-6258
> Building: 903 / 5G-016
>
> Michael Elman <[email protected]>
> 07/14/2009 09:55 AM
> Please respond to [email protected]
>
> To: [email protected]
> cc:
> Subject: Re: Using @RolesAllowed for Role Based Access Control
>
> We have plans to support the security annotations from JSR 250. But we
> didn't discuss it yet.
>
> On Tue, Jul 14, 2009 at 4:58 PM, Jain, Shashank Mohan<[email protected]> wrote:
> > Do we have support Role Based Access Control for different Restful endpoints.
> >
> > Regards
> > Shashank
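As an added illustration of the design discussed in this thread (not code from the thread or from the project): a `@RolesAllowed` check that delegates every decision to a replaceable `isUserInRole` call, so the user/role mapping can come from the container, an LDAP directory or a database. `RoleResolver`, `OrderResource` and the in-memory store are hypothetical, and the annotation is a local stand-in for `javax.annotation.security.RolesAllowed` so the file compiles without a Java EE jar.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class RolesAllowedCheck {
    // Local stand-in for the JSR 250 annotation (assumption: same shape, a String[] value).
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Hypothetical extension point: the application supplies the user/role lookup.
    // In a servlet container this could wrap HttpServletRequest.isUserInRole(role).
    interface RoleResolver { boolean isUserInRole(String user, String role); }

    // A method-level annotation overrides the class-level one.
    static boolean isAllowed(Method m, String user, RoleResolver resolver) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) ra = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        if (ra == null) return true;    // no constraint declared on method or class
        if (user == null) return false; // constrained resource, unauthenticated caller
        for (String role : ra.value()) {
            if (resolver.isUserInRole(user, role)) return true;
        }
        return false;                   // authenticated, but holds none of the listed roles
    }

    // Constructed sample resource: class-level default, stricter method-level override.
    @RolesAllowed("user")
    static class OrderResource {
        public String list() { return "orders"; }
        @RolesAllowed("admin")
        public String delete() { return "deleted"; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed user store; an LDAP or DB lookup would sit behind the same interface.
        Map<String, Set<String>> store = new HashMap<>();
        store.put("alice", new HashSet<>(Arrays.asList("user", "admin")));
        store.put("bob", new HashSet<>(Arrays.asList("user")));
        RoleResolver resolver =
            (u, role) -> store.getOrDefault(u, Collections.emptySet()).contains(role);

        Method list = OrderResource.class.getMethod("list");
        Method delete = OrderResource.class.getMethod("delete");
        for (String user : new String[] {"alice", "bob", null}) {
            System.out.println(user + " list=" + isAllowed(list, user, resolver)
                + " delete=" + isAllowed(delete, user, resolver));
        }
    }
}
```

Treating an unannotated method as unrestricted is a choice made in this example; a deny-by-default deployment would return `false` at that branch instead.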
