Question

I know that the @RolesAllowed annotation can be used to provide role-based access control to REST endpoints, and I am currently using that with RESTEasy.

I need to know how it is working behind the scenes. Can anybody please explain to me how Java validates the roles mentioned in the annotation?

So far I managed to figure out that the roles are stored in the UserPrincipal of the HttpServletRequest.


Solution

If you are using RESTEasy outside of an EJB container, and have enabled resteasy.role.based.security, then according to the RESTEasy documentation,

How does Resteasy do authorization? Well, it's really simple. It just sees if a method is annotated with @RolesAllowed and then just does HttpServletRequest.isUserInRole. If one of the @RolesAllowed passes, then allow the request, otherwise, a response is sent back with a 401 (Unauthorized) response code.

The implementation of HttpServletRequest (and therefore the source of isUserInRole) varies by provider/container; Apache may have a different implementation than Oracle. Some providers, such as Apache, also have multiple implementations of HttpServletRequest.

If you are in an EJB container, then the container will provide the functionality. And again, depending on the container, the implementation may differ slightly.
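To make the mechanism in the answer concrete, here is an added example of a JAX-RS request filter that performs the same check the RESTEasy documentation describes: read @RolesAllowed from the matched resource method (falling back to the class), ask the container's HttpServletRequest.isUserInRole for each listed role, and abort with 401 if none matches. This is illustrative code written for this page, not RESTEasy's own implementation; it assumes the javax.* (Java EE) package namespace and a servlet container that has already authenticated the caller and populated the user principal and roles.

```java
import java.lang.reflect.Method;
import java.util.Arrays;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Illustrative authorization filter (example code, not RESTEasy's implementation).
 * Mirrors the behaviour quoted from the RESTEasy docs: look up @RolesAllowed on the
 * matched method, then delegate the membership decision to the container via
 * HttpServletRequest.isUserInRole, and reject with 401 when no role matches.
 */
@Provider
@Priority(Priorities.AUTHORIZATION) // run after authentication filters
public class RolesAllowedFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo;   // the resource class/method JAX-RS matched

    @Context
    private HttpServletRequest request;  // container-supplied; isUserInRole lives here

    @Override
    public void filter(ContainerRequestContext ctx) {
        Method method = resourceInfo.getResourceMethod();
        Class<?> resourceClass = resourceInfo.getResourceClass();

        // @DenyAll on the method closes the endpoint regardless of roles.
        if (method.isAnnotationPresent(DenyAll.class)) {
            ctx.abortWith(unauthorized());
            return;
        }
        // @PermitAll on the method explicitly opens it, even if the class is restricted.
        if (method.isAnnotationPresent(PermitAll.class)) {
            return;
        }
        // Method-level @RolesAllowed takes precedence over a class-level one.
        RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class);
        if (rolesAllowed == null) {
            rolesAllowed = resourceClass.getAnnotation(RolesAllowed.class);
        }
        if (rolesAllowed == null) {
            return; // no constraint declared anywhere: request passes through
        }
        if (!hasAnyRole(request, rolesAllowed.value())) {
            ctx.abortWith(unauthorized());
        }
    }

    /**
     * True if the container reports the authenticated caller as a member of at
     * least one of the listed roles. The actual membership lookup is whatever the
     * container's HttpServletRequest implementation does (realm, login module, ...).
     */
    static boolean hasAnyRole(HttpServletRequest req, String[] roles) {
        return Arrays.stream(roles).anyMatch(req::isUserInRole);
    }

    private static Response unauthorized() {
        // 401, matching the status the RESTEasy documentation describes.
        return Response.status(Response.Status.UNAUTHORIZED).build();
    }
}
```

Two things worth noticing when reading this against a real deployment: the filter itself never inspects the principal or its roles directly, it only asks the container, so the answer to "which roles does this user have" is entirely determined by the container's realm or login configuration rather than by RESTEasy; and a method with no annotation at all is allowed through, which is why putting a class-level @RolesAllowed (or @DenyAll) on a resource is a simple way to avoid an endpoint being open just because someone forgot to annotate it.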

Licensed under: CC-BY-SA with attribution