The @PermitAll annotation specifies that any authenticated user, whatever roles they hold, is permitted to invoke your operation. Note that the annotation only lifts the role check; it does not itself demand authentication, so whether an anonymous request reaches the method at all is decided by the authentication constraints your container applies (for example, a <security-constraint> in web.xml covering that URL pattern). As with @RolesAllowed, you can use this annotation on the class to define the default for the entire class, or you can use it on a per-method basis. Let's look at an example:
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;

@Path("/customers")
@RolesAllowed({"ADMIN", "CUSTOMER"})
public class CustomerResource {

   // No security annotation: inherits the class default (ADMIN or CUSTOMER).
   @GET
   @Path("{id}")
   @Produces("application/xml")
   public Customer getCustomer(@PathParam("id") int id) {...}

   // Method-level annotation replaces the class default: ADMIN only.
   @RolesAllowed("ADMIN")
   @POST
   @Consumes("application/xml")
   public void createCustomer(Customer cust) {...}

   // Method-level @PermitAll replaces the class default: no role required.
   @PermitAll
   @GET
   @Produces("application/xml")
   public Customer[] getCustomers() {...}
}
Our CustomerResource class is annotated with @RolesAllowed to specify that, by default, only ADMIN and CUSTOMER users can execute the HTTP operations and paths defined in that class. The getCustomer() method is not annotated with any security annotations, so it inherits this default behavior. The createCustomer() method is annotated with @RolesAllowed to override the default behavior; for this method, we only want to allow ADMIN access. The getCustomers() method is annotated with @PermitAll. This overrides the class default so that any authenticated user, whatever their roles, can access that URI and operation. In every case the method-level annotation replaces the class-level one rather than being combined with it, so a method can widen the class default just as easily as narrow it; review each override on its own rather than assuming the class annotation still applies.
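To make the resolution rules concrete, here is an added example that is not code from this book and not any JAX-RS implementation's built-in security filter: a JAX-RS 2.0 ContainerRequestFilter that evaluates @DenyAll, @PermitAll and @RolesAllowed on the matched method first and on the resource class second, with exactly the precedence described above. The filter class name and the Decision enum are hypothetical names chosen for this illustration; the annotations and the JAX-RS types are the standard ones.

```java
import java.lang.reflect.AnnotatedElement;
import java.util.Arrays;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/*
 * Added illustration of the annotation precedence rules. The class name and
 * the Decision enum are hypothetical; the annotations and JAX-RS types are
 * the standard ones.
 */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class AnnotationAuthorizationFilter implements ContainerRequestFilter {

    enum Decision { PERMIT, UNAUTHENTICATED, FORBIDDEN }

    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext ctx) {
        Decision decision = decide(resourceInfo.getResourceMethod(),
                                   resourceInfo.getResourceClass(),
                                   ctx.getSecurityContext());
        switch (decision) {
            case UNAUTHENTICATED:
                // A role is required but nobody is logged in: challenge the caller.
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                break;
            case FORBIDDEN:
                // Logged in, but not in any permitted role.
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                break;
            default:
                // PERMIT: the request continues to the resource method.
        }
    }

    /*
     * Evaluates the security annotations for one request. The method's own
     * annotation is consulted first; only if the method has none does the
     * class-level default apply, so a method-level annotation replaces the
     * class default rather than combining with it.
     *
     * Against the CustomerResource above this yields:
     *   anonymous GET  /customers     -> PERMIT          (@PermitAll on the method)
     *   anonymous GET  /customers/42  -> UNAUTHENTICATED (class default {ADMIN, CUSTOMER})
     *   CUSTOMER  POST /customers     -> FORBIDDEN       (method narrows to ADMIN)
     *   ADMIN     POST /customers     -> PERMIT
     */
    static Decision decide(AnnotatedElement method, AnnotatedElement resourceClass,
                           SecurityContext sc) {
        for (AnnotatedElement target : new AnnotatedElement[] { method, resourceClass }) {
            if (target == null) {
                continue;
            }
            if (target.isAnnotationPresent(DenyAll.class)) {
                return Decision.FORBIDDEN;
            }
            if (target.isAnnotationPresent(PermitAll.class)) {
                // Lifts the role restriction only. Whether an anonymous caller
                // gets this far is decided by the container's authentication
                // constraints (web.xml), not by this annotation.
                return Decision.PERMIT;
            }
            RolesAllowed roles = target.getAnnotation(RolesAllowed.class);
            if (roles != null) {
                if (sc == null || sc.getUserPrincipal() == null) {
                    return Decision.UNAUTHENTICATED;
                }
                boolean inRole = Arrays.stream(roles.value()).anyMatch(sc::isUserInRole);
                return inRole ? Decision.PERMIT : Decision.FORBIDDEN;
            }
        }
        // No security metadata on either the method or the class: nothing to enforce.
        return Decision.PERMIT;
    }
}
```

The filter is picked up through @Provider scanning or by listing it in your Application subclass. A real deployment should also attach a WWW-Authenticate header matching its login scheme to the 401 response. Whether your JAX-RS implementation enforces these JSR-250 annotations out of the box is implementation-specific (RESTEasy, for instance, only does so when the resteasy.role.based.security context parameter is set to true); if it does not, the annotations on CustomerResource are silently ignored, so test that a caller in the wrong role really gets a 403 before relying on them.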
In practice, I don't like to specify security metadata using annotations. Security generally does not affect the behavior of the business logic being executed and falls more under the domain of configuration. Administrators may want to add or remove role constraints periodically. You don't want to have to recompile your whole application when they want to make a simple change. So, if I can avoid it, I usually use web.xml to define my authorization metadata.
There are some advantages to using annotations, though. For one, it is a workaround for doing fine-grained constraints that are just not possible in web.xml because of the limited expression capabilities of <url-pattern>. Also, because you can apply constraints per method using these annotations, you can fine-tune authorization per media type. For example: