Good morning,
I'm just starting with some JAX-RS using Apache Wink in my project, and I'm
having trouble with the security annotations.
I'm trying to use a @RolesAllowed annotation on a method to restrict access to
only users in those roles. However, users not in those roles are able to
invoke the method as well. I checked the request's isUserInRole from inside
the method by injecting the request and invoking request.isUserInRole myself
and that behaves as expected, while the @RolesAllowed annotation does not.
Furthermore, I changed the @RolesAllowed annotation to @DenyAll and STILL all
users are able to invoke the method - in my mind, that last test takes out any
variables concerning the request and the isUserInRole method and points
squarely to something I'm doing wrong with the Apache Wink setup or the
annotations.
What could I be doing wrong? What is missing? I have secured the url pattern
/* in web.xml by restricting it to all authenticated users. Here's my method
signature with the annotations:
@GET
@DenyAll
@Produces({ MediaType.APPLICATION_JSON })
public List<InboxField> getCasesBySearch(@Context HttpServletRequest request,
                                         @PathParam("keywords") String keywords) { ...
Thank you so much for your help.
Cameron
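The symptom above (annotations present, every caller still admitted) is what you get when nothing in the request path evaluates the JSR-250 annotations; JAX-RS 1.1, the version Apache Wink implements, does not require the runtime to honour them. Below is an added example, not code from the original thread or from Apache Wink, of the precedence check (@DenyAll over @RolesAllowed over @PermitAll, method level over class level) that an enforcing filter or interceptor would run against the container's isUserInRole; the CaseResource class and the "supervisor" role are assumptions for the demo.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.Method;
import java.util.function.Predicate;
// Added example: the JSR-250 decision an enforcing filter must make per request.
// @DenyAll wins, then @RolesAllowed, then @PermitAll; a method-level annotation
// overrides a class-level one. Without code like this wired into the request
// path, the annotations are inert and every authenticated caller gets through.
public final class Jsr250Check {
    // isUserInRole is the container's HttpServletRequest/SecurityContext check.
    public static boolean isAllowed(Method method, Predicate<String> isUserInRole) {
        Boolean decision = decide(method.getAnnotation(DenyAll.class),
                method.getAnnotation(RolesAllowed.class),
                method.getAnnotation(PermitAll.class), isUserInRole);
        if (decision != null) return decision;
        Class<?> c = method.getDeclaringClass();
        decision = decide(c.getAnnotation(DenyAll.class), c.getAnnotation(RolesAllowed.class),
                c.getAnnotation(PermitAll.class), isUserInRole);
        // No annotation at either level: JSR-250 treats the method as permitted, so the
        // only remaining gate is the web.xml constraint (here: any authenticated user).
        return decision != null ? decision : true;
    }
    private static Boolean decide(DenyAll deny, RolesAllowed roles, PermitAll permit,
                                  Predicate<String> isUserInRole) {
        if (deny != null) return false;                 // @DenyAll: nobody, whatever the roles
        if (roles != null) {                            // @RolesAllowed: any listed role suffices
            for (String r : roles.value()) if (isUserInRole.test(r)) return true;
            return false;
        }
        if (permit != null) return true;                // @PermitAll: explicit open access
        return null;                                    // nothing declared at this level
    }
    // Assumed resource mirroring the post's method; the role name is made up.
    public static class CaseResource {
        @DenyAll
        public String getCasesBySearch(String keywords) { return "cases"; }
        @RolesAllowed({"supervisor"})
        public String getInbox() { return "inbox"; }
    }
    public static void main(String[] args) throws Exception {
        Method search = CaseResource.class.getMethod("getCasesBySearch", String.class);
        Method inbox = CaseResource.class.getMethod("getInbox");
        Predicate<String> supervisor = "supervisor"::equals;   // user holding one role
        System.out.println("supervisor -> getCasesBySearch: " + isAllowed(search, supervisor));
        System.out.println("supervisor -> getInbox: " + isAllowed(inbox, supervisor));
        System.out.println("no roles   -> getInbox: " + isAllowed(inbox, r -> false));
    }
}
```

The useful negative test for any setup is the one already run in the post: with @DenyAll on a method, a request from an authenticated user must be rejected; if it succeeds, the annotations are being read by nothing.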