REST Authentication: CDI safe? Which scope for CDI @Produces?

Question

I'm using ReastEasy in a JBoss-7 environment and currently implementing security features. I'm using HTTP Basic with an SSL connection. Adding and evaluating the header parameter is easy (Thanks to Passing parameters in the message header with a REST API):

@Provider @ServerInterceptor
public class RestSecurityInterceptor implements PreProcessInterceptor
{
  @EJB MyBean fUser;
  private MyUser user;  

  @Override
  public ServerResponse preProcess(HttpRequest request, ResourceMethod method)
                                                     throws UnauthorizedException
  {
     // do some some stuff. If the request is authenticated I get a MyUser      
    user = ...
  }

  @Named @Produces @SessionScoped
  public MyUser getCurrentUser() {return user;}
}

This works fine, also the @Produces and @Inject in my REST service work like a charm.

@Path("/rest")
public class MyService extends Application
{
  @Inject private MyUser currentUser;

  @GET @Path("/test")
  public String test()
  {
    return "Hello "+currentUser.getName();
  }
}

Now my question: Is it safe to implement the security for REST this way (I don't want a discussion about HTTP Basic pro/cons, let's focus on CDI)? Especially I'm wondering if I can use CDI like described and if I have chosen the right scope with @SessionScoped?

Answer 1

Session scope won't work. There have already been a few questions about REST and the session scope. The session scope is not active for JAX-RS nor JAX-WS calls.