1. javaee-security-spec@javaee.groups.io
Topics

doubt about the web.xml

Daniel Dias
 

Hello people,
 
I have a question regarding web.xml.
 
Is it mandatory to use?
 
Rudy De Busscher
 

Hi Daniel,

web.xml is optional. The Java EE Security API spec didn't change that.

You can define for example the roles and security constraints for URLs within the web.xml, but also with annotations within code.

Regards
Rudy
Daniel Dias
 

Hello, Rudy, 

was what I choosed, but when I use with Jax-RS the same does not work.

was what I thought of, but when I use it with Jax-RS it will not work when I remove the web.xml and add the annotation @RolesAllowed ({USER, ADMIN}) as shown in this section:


--
Daniel Dias dos Santos
Java Developer
SouJava & JCP Member
Linkedin: http://br.linkedin.com/in/danieldiassantos


Em qua, 29 de ago de 2018 às 02:14, Rudy De Busscher <rdebusscher@...> escreveu:

Hi Daniel,

web.xml is optional. The Java EE Security API spec didn't change that.

You can define for example the roles and security constraints for URLs within the web.xml, but also with annotations within code.

Regards
Rudy

Guillermo González de Agüero
 

Hi Daniel,

The @RolesAllowed annotation is not defined by JSR 375 and there was sadly not enough time to better integrate with it or provide a better alternative.

For now, @RolesAllowed are only portable on EJB components, although some servers such as Payara support them on any CDI bean AFAIK. The simpler way to use it is to annotate your resources @Stateless, or creating an interceptor and a CDI extension to tranform @RolesAllowed into an interceptor binding annotation.

Creating such extensions was greatly simplified on CDI 2.0.

El mié., 29 ago. 2018 16:12, Daniel Dias <daniel.dias.analistati@...> escribió:
Hello, Rudy, 

was what I choosed, but when I use with Jax-RS the same does not work.

was what I thought of, but when I use it with Jax-RS it will not work when I remove the web.xml and add the annotation @RolesAllowed ({USER, ADMIN}) as shown in this section:


--
Daniel Dias dos Santos
Java Developer
SouJava & JCP Member
Linkedin: http://br.linkedin.com/in/danieldiassantos


Em qua, 29 de ago de 2018 às 02:14, Rudy De Busscher <rdebusscher@...> escreveu:
Hi Daniel,

web.xml is optional. The Java EE Security API spec didn't change that.

You can define for example the roles and security constraints for URLs within the web.xml, but also with annotations within code.

Regards
Rudy

Daniel Dias
 

Hi Guillermo, 

Thanks for the explanation, I think I got a little better understanding of how it works.
--
Daniel Dias dos Santos
Java Developer
SouJava & JCP Member
Linkedin: http://br.linkedin.com/in/danieldiassantos


Em qua, 29 de ago de 2018 às 11:31, Guillermo González de Agüero <z06.guillermo@...> escreveu:

Hi Daniel,

The @RolesAllowed annotation is not defined by JSR 375 and there was sadly not enough time to better integrate with it or provide a better alternative.

For now, @RolesAllowed are only portable on EJB components, although some servers such as Payara support them on any CDI bean AFAIK. The simpler way to use it is to annotate your resources @Stateless, or creating an interceptor and a CDI extension to tranform @RolesAllowed into an interceptor binding annotation.

Creating such extensions was greatly simplified on CDI 2.0.

El mié., 29 ago. 2018 16:12, Daniel Dias <daniel.dias.analistati@...> escribió:
Hello, Rudy, 

was what I choosed, but when I use with Jax-RS the same does not work.

was what I thought of, but when I use it with Jax-RS it will not work when I remove the web.xml and add the annotation @RolesAllowed ({USER, ADMIN}) as shown in this section:


--
Daniel Dias dos Santos
Java Developer
SouJava & JCP Member
Linkedin: http://br.linkedin.com/in/danieldiassantos


Em qua, 29 de ago de 2018 às 02:14, Rudy De Busscher <rdebusscher@...> escreveu:
Hi Daniel,

web.xml is optional. The Java EE Security API spec didn't change that.

You can define for example the roles and security constraints for URLs within the web.xml, but also with annotations within code.

Regards
Rudy

Arjan Tijms
 

>The @RolesAllowed annotation is not defined by JSR 375 and there was sadly not enough time to better integrate with it or provide a better alternative.

Indeed, we should really address this for JSR 375.Next

>For now, @RolesAllowed are only portable on EJB components, although some servers such as Payara support them on any CDI bean AFAIK. 

We have a duo solution in place. @RolesAllowed is by default supported on any JAX-RS resource, and is "http facing", means that if the user is not authenticated it triggers the configured authentication mechanism.

For business beans we have an annotation in the Payara API called RolesPermitted (https://github.com/payara/Payara/blob/master/api/payara-api/src/main/java/fish/payara/cdi/auth/roles/RolesPermitted.java#L64) That one is backed by a regular CDI interceptor.

For JSR 375.Next we should probably have a combination of these two.

Kind regards,
Arjan
1 - 6 of 6