No @RolesAllowed available for Webservices
The JEE specification is growing into a nice and easy to use specification. But some features, like Webservices and RolesAllowed, are not good enough yet. To be more precise. @RolesAllowed is not supported for plain Webservices (not doubling as EJB’s) until version 3.0 in the Servlet Specification.
After much reading on this subject, I have come to the conclusion that a pragmatic solution is required. My solution is just to inspect the principals based upon the logged in user and check myself if the user is allowed to continue. But you can also define the webservice as EJB.
(more…)