Correct. The status code should be 403 though - user is authenticated, but not authorized.
On Wed, Jul 15, 2009 at 5:41 PM, Nicholas L Gallardo <[email protected]> wrote:

> > My initial thought was to use isUserInRole interface regardless how the
> > user/role relationship was defined.
>
> +1 to that... It's a standard interface that we know MUST be supported by
> the various containers.
>
> > Btw, I think that web.xml contains the roles definitions, while user/role
> > relationships are defined in container.
>
> Ah, thanks.
>
> So, just to make sure I'm understanding it correctly.
>
> 1. The JSR-250 annotation defines what roles will be supported by each
> operation.
>
> 2. At runtime, before we invoke we check for the presence of the annotation
> and then check the contents against isUserInRole(). If it passes, all is
> good. If it fails... I'm assuming there's a standard error that needs to be
> returned for authorization failed (looks like HTTP 401 -
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).
>
> 3. The user will be responsible for defining user->role mapping in a
> container specific manner.
>
> -Nick
>
> Nicholas Gallardo
> WebSphere - REST & WebServices Development
> [email protected]
> Phone: 512-286-6258
> Building: 903 / 5G-016
>
> *Michael Elman <[email protected]>*
> 07/15/2009 01:34 AM
> Please respond to [email protected]
> To: [email protected]
> Subject: Re: Using @RolesAllowed for Role Based Access Control
>
> My initial thought was to use isUserInRole interface regardless how the
> user/role relationship was defined.
> Actually the call for isUserInRole must have the ability for an extension,
> so the users could override it with the specific behavior (most applications
> that I know, provide their own authorization mechanism, so we should be able
> to integrate)
>
> Btw, I think that web.xml contains the roles definitions, while user/role
> relationships are defined in container.
>
> > On Tue, Jul 14, 2009 at 5:58 PM, Nicholas L Gallardo <[email protected]> wrote:
> >
> > Does the web.xml have stanzas for defining user/role relationships? Or
> > would this have to come from some other config?
> >
> > Nicholas Gallardo
> > WebSphere - REST & WebServices Development
> > [email protected]
> > Phone: 512-286-6258
> > Building: 903 / 5G-016
> >
> > *Michael Elman <[email protected]>*
> > 07/14/2009 09:55 AM
> > Please respond to [email protected]
> > To: [email protected]
> > Subject: Re: Using @RolesAllowed for Role Based Access Control
> >
> > We have plans to support the security annotations from JSR 250. But we
> > didn't discuss it yet.
> >
> > On Tue, Jul 14, 2009 at 4:58 PM, Jain, Shashank Mohan <[email protected]> wrote:
> > > Do we have support Role Based Access Control for different Restful
> > > endpoints.
> > > Regards
> > > Shashank
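Worked illustration of the check the thread sketches, added here as example code; it is not part of the mailing-list discussion and not Apache Wink's own implementation. It follows Nick's step 2 (look for @RolesAllowed on the resource method, falling back to the class as JSR-250 specifies, then ask isUserInRole() for each listed role), applies the correction above (403 for an authenticated caller who holds none of the roles, 401 only when there is no authenticated user at all), and exposes the override hook Michael asked for through a small `RoleChecker` interface. The class name `RolesAllowedGuard`, the `RoleChecker` interface, the `AccountsResource` sample and the `fakeContext` stand-in are all constructed for this example; it assumes the JSR-250 (`javax.annotation.security`) and JAX-RS (`javax.ws.rs.core.SecurityContext`) APIs on the classpath and Java 8 or later.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.core.SecurityContext;

/**
 * Example guard (not Wink project code): decide, before a resource method is
 * invoked, whether the caller may run it based on @RolesAllowed.
 */
public class RolesAllowedGuard {

    /** Extension point: applications with their own authorization store can replace the role lookup. */
    public interface RoleChecker {
        boolean isUserInRole(SecurityContext ctx, String role);
    }

    /** Default behaviour: delegate to the container through the JAX-RS SecurityContext. */
    public static final RoleChecker CONTAINER_ROLES = (ctx, role) -> ctx.isUserInRole(role);

    public static final int ALLOW = 0;
    public static final int UNAUTHENTICATED = 401; // no user principal: container should challenge
    public static final int FORBIDDEN = 403;       // known user, but not in any required role

    private final RoleChecker checker;

    public RolesAllowedGuard(RoleChecker checker) {
        this.checker = checker;
    }

    /** Returns ALLOW, UNAUTHENTICATED (401) or FORBIDDEN (403) for this method and caller. */
    public int check(Method resourceMethod, SecurityContext ctx) {
        // JSR-250 precedence: a method-level annotation overrides a class-level one.
        RolesAllowed ra = resourceMethod.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            ra = resourceMethod.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        if (ra == null) {
            return ALLOW;                          // no restriction declared for this operation
        }
        Principal user = ctx.getUserPrincipal();
        if (user == null) {
            return UNAUTHENTICATED;                // nobody is logged in
        }
        for (String role : ra.value()) {
            if (checker.isUserInRole(ctx, role)) {
                return ALLOW;                      // holding any one listed role is enough
            }
        }
        return FORBIDDEN;                          // authenticated, but not authorized
    }

    // ---- constructed demo resource and context, so the example runs without a container ----

    /** Sample resource; only the roles listed may call listAccounts(), ping() is open. */
    public static class AccountsResource {
        @RolesAllowed({"admin", "auditor"})
        public String listAccounts() { return "[accounts]"; }

        public String ping() { return "pong"; }
    }

    /** Minimal SecurityContext stand-in; a null name means an unauthenticated request. */
    static SecurityContext fakeContext(final String name, final String... roles) {
        return new SecurityContext() {
            public Principal getUserPrincipal() { return name == null ? null : () -> name; }
            public boolean isUserInRole(String r) {
                for (String x : roles) { if (x.equals(r)) return true; }
                return false;
            }
            public boolean isSecure() { return true; }
            public String getAuthenticationScheme() { return name == null ? null : BASIC_AUTH; }
        };
    }

    public static void main(String[] args) throws Exception {
        RolesAllowedGuard guard = new RolesAllowedGuard(CONTAINER_ROLES);
        Method list = AccountsResource.class.getMethod("listAccounts");
        Method ping = AccountsResource.class.getMethod("ping");

        System.out.println("anonymous  -> listAccounts: " + guard.check(list, fakeContext(null)));
        System.out.println("bob/user   -> listAccounts: " + guard.check(list, fakeContext("bob", "user")));
        System.out.println("alice/admin-> listAccounts: " + guard.check(list, fakeContext("alice", "admin")));
        System.out.println("anonymous  -> ping:         " + guard.check(ping, fakeContext(null)));
    }
}
```

Wiring `check()` in front of method invocation is all the runtime needs; mapping the user-to-role relationship stays with the container (step 3 in Nick's list), and an application that keeps roles elsewhere supplies its own `RoleChecker` instead of `CONTAINER_ROLES`.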
