OK, I've found it out by myself. The missing part was configuration of CXF, I've placed this content into WEB-INF/openejb-jar.xml file: <openejb-jar xmlns="http://www.openejb.org/openejb-jar/1.1";> <pojo-deployment class-name="jaxrs-application"> <properties> cxf.jaxrs.providers = json,jaxb,pl.gov.mofnet.giif.auth.handlers.AuthorizationRequestHandler </properties> </pojo-deployment> </openejb-jar>
AuthorizationRequestHandler is my copy of gmatej's class. With settings in place REST service returns status 401 if user invoking it is recognized, but does not have required roles.
