Hi all,

First post here, so feel free to redirect if necessary.

I am working on a REST API based on RestEasy 3.0.6 in a Wildfly 8.0.0.Final-SNAPSHOT environment.  

Iíve implemented @RolesAllowed based security as recommended in the documentation, using the resteasy.role.based.security feature, and the relevant ServletDispatcher and SecurityConstraints.

From a security perspective, Iím using a custom JASPI ServerAuthModule and LoginModule. As part of the Wildfly JASPI implementation, the JASPIAuthenticationMechanism.isMandatory() determines whether the servlet is protected by querying the ServletSecurity constraints. Currently, this fails as the ServletSecurityInfo does not contain the @RolesAllowed annotation(s).

I was wondering if the RestEasy role based security implementation could be improved to update the ServletSecurityInfo, so that:
i) RestEasy aligned with the more recent Servlet standards, and 
ii) any dependencies (such as JASPIAuthenticationMechanism) would naturally work, and
iii) much of the container plumbing could be removed from most modern (Servlet 3.0+) RestEasy deployments

I am happy to have a look at implementing such an enhancement, but would appreciate some guidance on:
a) whether this approach is reasonable,
b) appropriate points of the RestEasy internals which would make sense to start the integration (presumably partly in the scan processing, and partly in the dispatch)