By default, the servlet specification will not require access over HTTPS to any user con-
straints you declare in your web.xml file. If you want to enforce HTTPS access for these con-
straints, you can specify a <user-data-constraint> within your <security-constraint>
definitions. Let's modify our previous example to enforce HTTPS:
<web-resource-name> customer creation </web-resource-name>
<url-pattern> /services/customers </url-pattern>
<http-method> POST </http-method>
<role-name> admin </role-name>
<transport-guarantee> CONFIDENTIAL </transport-guarantee>
All you have to do is declare a <transport-guarantee> element within a <user-data-
constraint> that has a value of CONFIDENTIAL . If a user tries to access the URL pattern
with HTTP, she will be redirected to an HTTPS-based URL.
Java EE defines a common set of annotations that can define authorization metadata. The
JAX-RS specification suggests, but does not require, vendor implementations to support
these annotations in a non-Java EE 6 environment. These annotations live in the
javax.annotation.security package and are @RolesAllowed , @DenyAll , @PermitAll ,
and @RunAs .
The @RolesAllowed annotation defines the roles permitted to execute a specific operation.
When placed on a JAX-RS annotated class, it defines the default access control list for all
HTTP operations defined in the JAX-RS class. If placed on a JAX-RS method, the constraint
applies only to the method that is annotated.