Bryant,

Thanks for the tip! I implemented a request handler, and after lots of searching I was finally able to locate the target method so I could look up the annotations. (If anyone cares, that's MessageContext > SearchResult (via MessageContext's attributes) > MethodRecord > MethodMetadata > Method).

Now, I'm struggling with how to get a 403 Forbidden response back to the client when necessary based on the method's JSR-250 annotation. I haven't been able to find a javax.ws.rs.core.Response anywhere in the MessageContext. MessageContext does provide setResponseStatusCode() and setResponseEntity(); however, calling setResponseStatusCode(403) does not impact the response I receive at the client; I still get a 200 OK response. I can look up the HttpServletResponse from the MessageContext and set the status code directly using HttpServletResponse.setStatus(), and that works fine, however it just seems... wrong. Shouldn't I be setting or updating a javax.ws.rs.core.Response somewhere which will later be mapped to the HttpServletResponse? I'm worried that if I update HttpServletResponse directly, especially this early in the entire process (user request handlers), then that's sort of breaking the paradigm and something else may overwrite what I do to the HttpServletResponse. Any ideas on the "right" way to set or update the Response from a request handler?

Thanks again for the help.

Cameron

-----Original Message-----
From: Bryant Luk [mailto:[email protected]]
Sent: Monday, July 25, 2011 4:39 PM
To: [email protected]
Subject: Re: using security annotations (e.g. @RolesAllowed, @DenyAll)

Wink as-is does not have a handler for JSR-250 annotations. You can create a request handler to do this if you want. The request handler can look at all the annotations available on a method. Patches would be welcome too.

On Fri, Jul 22, 2011 at 9:41 AM, Cameron Dalton <[email protected]> wrote:
> Good morning,
>
> I'm just starting with some JAX-RS using Apache Wink in my project,
> and I'm having trouble with the security annotations.
>
> I'm trying to use a @RolesAllowed annotation on a method to restrict
> access to only users in those roles. However, users not in those
> roles are able to invoke the method as well. I checked the request's
> isUserInRole from inside the method by injecting the request and
> invoking request.isUserInRole myself, and that behaves as expected, while the
> @RolesAllowed annotation does not.
> Furthermore, I changed the @RolesAllowed annotation to @DenyAll and
> STILL all users are able to invoke the method - in my mind, that last
> test takes out any variables concerning the request and the
> isUserInRole method and points squarely to something I'm doing wrong
> with the Apache Wink setup or the annotations.
>
> What could I be doing wrong? What is missing? I have secured the url
> pattern /* in web.xml by restricting it to all authenticated users.
> Here's my method signature with the annotations:
>
> @GET
> @DenyAll
> @Produces({ MediaType.APPLICATION_JSON })
> public List<InboxField> getCasesBySearch(@Context HttpServletRequest request,
>                                          @PathParam("keywords") String keywords) { ...
>
> Thank you so much for your help.
>
> Cameron
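For readers following the thread, here is an added example of the kind of request handler Bryant suggests and Cameron describes building: a Wink user request handler that walks the MessageContext > SearchResult > MethodRecord > MethodMetadata > Method chain, applies the JSR-250 annotation it finds, and rejects the call by throwing a javax.ws.rs.WebApplicationException carrying a 403 (or 401) Response, which the JAX-RS runtime maps to the HTTP response instead of touching HttpServletResponse directly. This is not code from the thread or from Apache Wink itself. The accessor names SearchResult.isFound(), SearchResult.getMethod(), MethodRecord.getMetadata() and MethodMetadata.getReflectionMethod() are assumptions about the Wink internals on that chain and should be checked against the Wink version in use; the class name Jsr250RequestHandler and the helper authorize() are hypothetical.

```java
// Added example (not code from the thread or from Apache Wink): a Wink user
// request handler that enforces JSR-250 security annotations on the matched
// resource method before the method runs.
//
// Assumptions: SearchResult.isFound(), SearchResult.getMethod(),
// MethodRecord.getMetadata() and MethodMetadata.getReflectionMethod() are the
// accessor names used here for the chain described in the thread; verify them
// against the Wink version you build against.
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Properties;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.apache.wink.server.handlers.HandlersChain;
import org.apache.wink.server.handlers.MessageContext;
import org.apache.wink.server.handlers.RequestHandler;
import org.apache.wink.server.internal.registry.SearchResult;

public class Jsr250RequestHandler implements RequestHandler {

    public void init(Properties properties) {
        // nothing to configure
    }

    public void handleRequest(MessageContext context, HandlersChain chain) throws Throwable {
        SearchResult result = context.getAttribute(SearchResult.class);
        if (result != null && result.isFound()) {
            Method target = result.getMethod().getMetadata().getReflectionMethod();
            HttpServletRequest request = context.getAttribute(HttpServletRequest.class);
            authorize(target, request); // throws when the caller may not invoke the method
        }
        // Only reached when access is allowed: continue down the chain to the resource method.
        chain.doChain(context);
    }

    /**
     * JSR-250 semantics: an annotation on the method overrides one on the class;
     * @DenyAll rejects everyone, @RolesAllowed requires at least one listed role,
     * @PermitAll (or no annotation at all) lets the request through.
     * Rejection is signalled by throwing WebApplicationException; JAX-RS turns the
     * Response it carries into the HTTP response, so no servlet-level status
     * manipulation is needed and nothing later in the chain overwrites it.
     */
    static void authorize(Method target, HttpServletRequest request) {
        Class<?> resource = target.getDeclaringClass();

        if (target.isAnnotationPresent(DenyAll.class)) {
            throw forbidden();
        }
        RolesAllowed roles = target.getAnnotation(RolesAllowed.class);
        if (roles == null && !target.isAnnotationPresent(PermitAll.class)) {
            // No method-level annotation: fall back to the class-level one.
            if (resource.isAnnotationPresent(DenyAll.class)) {
                throw forbidden();
            }
            roles = resource.getAnnotation(RolesAllowed.class);
        }
        if (roles == null) {
            return; // @PermitAll, or nothing to enforce
        }

        // Distinguish "not logged in" (401) from "logged in but not in role" (403).
        // With /* secured in web.xml the container has already forced a login, so
        // the 401 branch is a safety net for deployments that do not secure every URL.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        for (String role : roles.value()) {
            if (request.isUserInRole(role)) {
                return;
            }
        }
        throw forbidden();
    }

    private static WebApplicationException forbidden() {
        return new WebApplicationException(Response.status(Response.Status.FORBIDDEN).build());
    }
}
```

The handler is wired in the way Cameron already has his handler wired: returned from a HandlersFactory subclass's getRequestHandlers() that Wink is pointed at through the wink.handlersFactory property. Because it runs after Wink has resolved the resource method (the SearchResult attribute is already populated), it sees the same Method the runtime is about to invoke, so the check cannot be bypassed by a different URL matching the same method.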
