From: Robert M. <ro...@ma...> - 2016-05-13 16:00:02
Greetings.

When using resource interfaces, the RolesAllowed annotation is only used if it is found on the interface and not on the implementation class. This took me by surprise because if you use the same annotation on an EJB, it is only valid when it is on the bean implementation, not on the remote or local interfaces. Probably there should be some consistency here with other JEE specs.

I use interfaces in order to use a proxy-based client from a remote JVM that is migrating from EJB remoting. There is no need for the clients to know which roles are allowed (or their names), so I want to avoid the need to add RolesAllowed to the interfaces.

Before submitting a bug report or working on a patch, what is the best approach here?

1- Only use RolesAllowed when it is on the implementation class. It will break existing code.
2- Implementation RolesAllowed overrides interface RolesAllowed.
3- Merge implementation RolesAllowed and interface RolesAllowed. Union or intersection of both groups of roles?

The same questions are valid for @PermitAll and @DenyAll.
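The annotation lookup and the three options listed in the message above, as an added example that is not part of the original post or of the project's code. It assumes hypothetical `AccountResource` and `AccountResourceImpl` types, hypothetical mode names, and a local stand-in for `javax.annotation.security.RolesAllowed` so the file compiles without the API jar.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class RolesLookupDemo {
    // Local stand-in for javax.annotation.security.RolesAllowed (assumption: keeps the file self-contained).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }

    // Hypothetical interface shared with proxy-based clients.
    interface AccountResource {
        @RolesAllowed({"user", "admin"}) String get(String id);
    }
    // Hypothetical server-side implementation carrying its own annotation.
    static class AccountResourceImpl implements AccountResource {
        @Override @RolesAllowed({"admin", "auditor"})
        public String get(String id) { return id; }
    }

    // Roles declared directly on this method, or null when it carries no annotation.
    static Set<String> rolesOn(Method m) {
        RolesAllowed ra = (m == null) ? null : m.getAnnotation(RolesAllowed.class);
        return (ra == null) ? null : new TreeSet<>(Arrays.asList(ra.value()));
    }

    // Method annotations are not inherited, so the interface declaration is looked up explicitly.
    static Method interfaceMethod(Method impl) {
        for (Class<?> i : impl.getDeclaringClass().getInterfaces()) {
            try { return i.getMethod(impl.getName(), impl.getParameterTypes()); }
            catch (NoSuchMethodException e) { /* not declared here, try the next interface */ }
        }
        return null;
    }

    // mode: "impl-only" (option 1), "override" (option 2), "union" / "intersection" (option 3).
    static Set<String> resolve(Method impl, String mode) {
        Set<String> onImpl = rolesOn(impl), onIface = rolesOn(interfaceMethod(impl));
        if (mode.equals("impl-only")) return onImpl;
        if (mode.equals("override") || onImpl == null || onIface == null)
            return onImpl != null ? onImpl : onIface;
        Set<String> merged = new TreeSet<>(onImpl);
        if (mode.equals("union")) merged.addAll(onIface); else merged.retainAll(onIface);
        return merged;
    }

    public static void main(String[] args) throws Exception {
        Method impl = AccountResourceImpl.class.getMethod("get", String.class);
        for (String mode : new String[] {"impl-only", "override", "union", "intersection"})
            System.out.println(mode + " -> " + resolve(impl, mode));
    }
}
```

Union admits a caller holding any role named on either declaration, while intersection admits only roles named on both, so the merge choice changes who gets through.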