context.setResponseEntity(Response.status(Response.Status.FORBIDDEN).build()); should work.

It is kind of strange that you get a 200 OK response. I would have expected a 204 response. Be sure you're not invoking the request handler chain still after you've determined that the method should not be invoked.

On Tue, Jul 26, 2011 at 7:46 AM, Cameron Dalton <[email protected]> wrote:
> Bryant,
>
> Thanks for the tip! I implemented a request handler, and after lots of
> searching I was finally able to locate the target method so I could look up
> the annotations. (If anyone cares, that's MessageContext > SearchResult (via
> MessageContext's attributes) MethodRecord > MethodMetadata > Method).
>
> Now, I'm struggling with how to get a 403 Forbidden response back to the
> client when necessary based on the method's JSR-250 annotation. I haven't
> been able to find a javax.ws.rs.core.Response anywhere in the MessageContext.
>
> MessageContext does provide setResponseStatusCode() and setResponseEntity(),
> however calling setResponseStatusCode(403) does not impact the response I
> receive at the client; I still get a 200 OK response. I can look up the
> HttpServletResponse from the MessageContext and set the status code directly
> using HttpServletResponse.setStatus() and that works fine, however it just
> seems... wrong. Shouldn't I be setting or updating a
> javax.ws.rs.core.Response somewhere which will later be mapped to the
> HttpServletResponse? I'm worried that if I update HttpServletResponse
> directly, especially this early in the entire process (user request
> handlers), then that's sort of breaking the paradigm and something else may
> overwrite what I do to the HttpServletResponse.
>
> Any ideas on the "right" way to set or update the Response from a request
> handler?
>
> Thanks again for the help.
>
> Cameron
>
>
> -----Original Message-----
> From: Bryant Luk [mailto:[email protected]]
> Sent: Monday, July 25, 2011 4:39 PM
> To: [email protected]
> Subject: Re: using security annotations (e.g. @RolesAllowed, @DenyAll)
>
> Wink as-is does not have a handler for JSR-250 annotations. You can create a
> request handler to do this if you want. The request handler can look at all
> the annotations available on a method. Patches would be welcome too.
>
> On Fri, Jul 22, 2011 at 9:41 AM, Cameron Dalton <[email protected]>
> wrote:
>> Good morning,
>>
>> I'm just starting with some JAX-RS using Apache Wink in my project,
>> and I'm having trouble with the security annotations.
>>
>> I'm trying to use a @RolesAllowed annotation on a method to restrict
>> access to only users in those roles. However, users not in those
>> roles are able to invoke the method as well. I checked the request's
>> isUserInRole from inside the method by injecting the request and
>> invoking request.isUserInRole myself and that behaves as expected, while the
>> @RolesAllowed annotation does not.
>> Furthermore, I changed the @RolesAllowed annotation to @DenyAll and
>> STILL all users are able to invoke the method - in my mind, that last
>> test takes out any variables concerning the request and the
>> isUserInRole method and points squarely to something I'm doing wrong
>> with the Apache Wink setup or the annotations.
>>
>> What could I be doing wrong? What is missing? I have secured the url
>> pattern /* in web.xml by restricting it to all authenticated users.
>> Here's my method signature with the annotations:
>>
>> @GET
>> @DenyAll
>> @Produces({ MediaType.APPLICATION_JSON })
>> public List<InboxField> getCasesBySearch(@Context HttpServletRequest request,
>>         @PathParam("keywords") String keywords) { ...
>>
>> Thank you so much for your help.
>>
>> Cameron
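The handler the thread sketches, written out as an added example. This is not Apache Wink code and not Cameron's or Bryant's; it assumes the internal lookup chain Cameron describes (SearchResult from the MessageContext attributes, then MethodRecord, MethodMetadata and the reflected Method), assumes Wink also exposes the HttpServletRequest as a MessageContext attribute, and assumes the handler is registered through a HandlersFactory. The two security-relevant points are the ones Bryant raises: put a built javax.ws.rs.core.Response into the context with setResponseEntity(), and once access is denied do not call chain.doChain(), because that is what lets the resource method run and produce the 200 the 403 was supposed to replace.

```java
import java.lang.reflect.Method;
import java.util.Properties;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Response;

import org.apache.wink.server.handlers.HandlersChain;
import org.apache.wink.server.handlers.MessageContext;
import org.apache.wink.server.handlers.RequestHandler;
import org.apache.wink.server.internal.registry.SearchResult;

/**
 * Added example, not part of Apache Wink. Enforces JSR-250 annotations on
 * the resource method Wink has already selected for this request.
 *
 * Assumptions: SearchResult and HttpServletRequest are available as
 * MessageContext attributes, and SearchResult.getMethod().getMetadata()
 * .getReflectionMethod() yields the java.lang.reflect.Method (the chain
 * named in the thread). Role checks delegate to the servlet container,
 * so the url-pattern must be behind a web.xml security-constraint.
 */
public class Jsr250RequestHandler implements RequestHandler {

    public void init(Properties props) {
        // nothing to configure
    }

    public void handleRequest(MessageContext context, HandlersChain chain) throws Throwable {
        SearchResult result = context.getAttribute(SearchResult.class);
        if (result == null || result.getMethod() == null) {
            // No resource method matched; let Wink produce its own error.
            chain.doChain(context);
            return;
        }
        Method target = result.getMethod().getMetadata().getReflectionMethod();
        HttpServletRequest request = context.getAttribute(HttpServletRequest.class);

        if (!isAllowed(target, request)) {
            // Set the 403 as a JAX-RS Response and stop here. Calling
            // chain.doChain() after this would still invoke the resource
            // method and its return value would replace the 403.
            context.setResponseEntity(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        chain.doChain(context);
    }

    /**
     * JSR-250 precedence: an annotation on the method overrides one on the
     * class; @DenyAll wins outright; @PermitAll opens the method; a method
     * with no security annotation anywhere is permitted (the JSR-250 default).
     */
    static boolean isAllowed(Method method, HttpServletRequest request) {
        if (method.isAnnotationPresent(DenyAll.class)) {
            return false;
        }
        RolesAllowed roles = method.getAnnotation(RolesAllowed.class);
        if (roles != null) {
            return inAnyRole(roles.value(), request);
        }
        if (method.isAnnotationPresent(PermitAll.class)) {
            return true;
        }

        // No method-level annotation: fall back to the resource class.
        Class<?> resource = method.getDeclaringClass();
        if (resource.isAnnotationPresent(DenyAll.class)) {
            return false;
        }
        roles = resource.getAnnotation(RolesAllowed.class);
        if (roles != null) {
            return inAnyRole(roles.value(), request);
        }
        return true;
    }

    private static boolean inAnyRole(String[] roles, HttpServletRequest request) {
        if (request == null || request.getUserPrincipal() == null) {
            return false; // an unauthenticated caller never satisfies @RolesAllowed
        }
        for (String role : roles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

To wire it in, the assumption is Wink's custom-handler mechanism: subclass org.apache.wink.server.handlers.HandlersFactory, return this handler from getRequestHandlers(), and name that factory in the RestServlet's wink.handlersFactoryClass init-param; check the Wink documentation for your version. The SearchResult and metadata classes are in Wink's internal packages, so they can change between releases; a quick test that a @DenyAll method really returns 403 for an authenticated user is worth keeping in the build.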
