Re: hasAccessToWebResource method


Will Hopkins
 

Hi Arjan,

As I said on the other thread:
I feel badly about this, but I'm going to say we need to leave it out. It was added after I made clear statements that we couldn't add any more scope to the API, I'm not convinced the approach is the right one (although, equally, I'm not convinced it's wrong), and we're out of time to have the EG weigh in.

Will


On 05/19/2017 10:30 AM, Arjan Tijms wrote:

p.s.

To address some of the concerns that were raised by Will, I could make the following changes:


* Rename the method to hasCallerAccessToWebResource

* Rename the method's argument from "resource" to "urlPattern"

* Remove the overloaded method that defaults to GET, specify that if no parameters are provided for "methods" that GET is assumed. (addressing the "many methods" concern somewhat)

* Clarify that all containers in Java EE are allowed to call the method

* Clarify that if the caller is not authenticated at all, and the resource is non-public, a false is returned

* Clarify that Section 11.2 of the Servlet spec is meant, instead of just "the servlet spec"


Kind regards,

Arjan Tijms




-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
