Jersey custom SecurityContext on EJB jax-rs resource

Backend · unresolved · 3 · 1702
执念已碎 2021-01-03 09:08

I am trying to implement my own ContainerRequestFilter and configure SecurityContext. It works well on jax-rs resources but EJB jax-rs throws

3 answers
  •  鱼传尺愫
    2021-01-03 09:40

    You can use JAX-RS SecurityContext as an API, not as an SPI. It is uncommon for an application developer to provide a SecurityContext implementation. If you do, you have to know that it has only "local JAX-RS validity", since it is a JAX-RS-specific API. Neither the Servlet/Web container nor the EJB container works with it. They don't have to, as Java SE and EE have more general security support.

    If you want your security checks to work in a Java EE application (i.e. HttpServletRequest.isUserInRole(...), EJBContext.isCallerInRole(...) or javax.annotation.security annotations on EJBs), you need to secure your Servlet layer using Java EE features. This means using, for example, <security-constraint> in web.xml. You can use * to mean that any authenticated user can call the REST API:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <url-pattern>/rest/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>adminRole</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>orders</web-resource-name>
            <url-pattern>/rest/orders/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    

    When your Java EE application is secured as shown above we can enable javax.annotation.security annotations in JAX-RS using the Jersey-specific feature called RolesAllowedDynamicFeature.

    Register the feature:

    import javax.ws.rs.ApplicationPath;
    import org.glassfish.jersey.server.ResourceConfig;
    import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

    @ApplicationPath("/rest")
    public class MyApplication extends ResourceConfig {
        public MyApplication() {
            super(AdminResource.class);
            // Turns @RolesAllowed/@PermitAll/@DenyAll on resources into per-method request filters
            register(RolesAllowedDynamicFeature.class);
        }
    }
    

    Secure your resources:

    import javax.annotation.security.RolesAllowed;
    import javax.ws.rs.GET;
    import javax.ws.rs.Path;

    @Path("/admin")
    @RolesAllowed("adminRole")
    public class AdminResource {
        @GET
        public String get() { return "GET"; }
        ...
    }
    

    See Jersey User guide for more details about securing JAX-RS applications.

    So you were close. You don't need to implement a SecurityContext yourself. You must not implement it if you deal with secured EJBs. And finally you need to secure your JAX-RS layer as common Web/Servlet application. I'm sure you already have secured your Web/HTML pages.
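As an added example (not part of the original answer), the following shows the three pieces wired together for the asker's situation, a JAX-RS resource that is itself a stateless EJB: the Jersey application registering RolesAllowedDynamicFeature, and a resource whose injected JAX-RS SecurityContext and EJB SessionContext both report the container-authenticated caller. It assumes Jersey 2.x on a Java EE 7 container, a web.xml carrying the <security-constraint> elements from the answer plus a BASIC <login-config> and <security-role> entries for "adminRole" and "userRole", and a container realm that maps users to those roles; the package name `example`, the class names and the `/whoami` and `/ping` paths are assumptions.

```java
// Added example, not code from the original answer. Two source files are shown
// back to back; the split is marked with "File:" comments.

// File: SecuredApplication.java
package example;

import javax.ws.rs.ApplicationPath;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

@ApplicationPath("/rest")
public class SecuredApplication extends ResourceConfig {
    public SecuredApplication() {
        packages("example");                          // picks up AdminResource below
        register(RolesAllowedDynamicFeature.class);   // honours javax.annotation.security on resources
    }
}

// File: AdminResource.java
package example;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

/*
 * The resource is a stateless session bean, so two authorization checks apply to
 * each call: Jersey's RolesAllowedDynamicFeature (backed by the JAX-RS
 * SecurityContext) and the EJB container (backed by the caller principal it
 * established). Because the user was authenticated by the Servlet layer via
 * web.xml, both views refer to the same container principal and agree. A
 * SecurityContext replaced by a custom ContainerRequestFilter would only satisfy
 * the Jersey side; the EJB container would still see an unauthenticated caller.
 */
@Stateless
@DeclareRoles({"adminRole", "userRole"})   // assumed role names; must match web.xml <security-role>
@Path("/admin")
@RolesAllowed("adminRole")                 // class-level default for every method
public class AdminResource {

    @Resource
    private SessionContext ejbContext;      // EJB container's view of the caller

    // SecurityContext is taken as a method parameter rather than a field so that
    // injection does not depend on container-specific EJB/Jersey integration.
    @GET
    @Path("whoami")
    @Produces(MediaType.TEXT_PLAIN)
    public String whoAmI(@Context SecurityContext sc) {
        String jaxrsUser = sc.getUserPrincipal() == null
                ? "anonymous" : sc.getUserPrincipal().getName();
        String ejbUser = ejbContext.getCallerPrincipal().getName();
        // With container security both names and both role answers match.
        return "jaxrs=" + jaxrsUser
             + " ejb=" + ejbUser
             + " jaxrsAdmin=" + sc.isUserInRole("adminRole")
             + " ejbAdmin=" + ejbContext.isCallerInRole("adminRole");
    }

    // A method-level annotation overrides the class-level one for Jersey and for
    // the EJB container alike, so this method needs no particular role.
    @GET
    @Path("ping")
    @PermitAll
    @Produces(MediaType.TEXT_PLAIN)
    public String ping() {
        return "pong";
    }
}
```

Exercised with `curl -u admin:secret http://localhost:8080/app/rest/admin/whoami` (credentials and context path assumed), an unauthenticated request to /rest/admin/* is answered with a 401 BASIC challenge by the container before Jersey runs, and an authenticated user without adminRole is already rejected with 403 by the web.xml constraint on that pattern. The Jersey annotations therefore matter most under patterns that web.xml only restricts to "any authenticated user" (the `*` constraint on /rest/orders/* in the answer), where RolesAllowedDynamicFeature returns 403 for callers lacking the annotated role. Role-to-user mapping itself is container specific (a realm configuration or vendor deployment descriptor), not something web.xml or the annotations provide.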
