Client not authorized for this invocation JAX-RS EJB error

Question

I have been searching for a solution to this for a while, here goes...

I followed this tutorial to auto generate a jax-rs web service from a database: https://netbeans.org/kb/docs/websvc/rest.html

This works great, but when I try to secure the application by annotating the resource methods with @RolesAllowed("myRole"), I get this exception...

"WARNING: EJB5184:A system exception occurred during an invocation on EJB LicenceFacadeREST, method: public java.util.List resources.LicenceFacadeREST.findAll() WARNING: javax.ejb.AccessLocalException: Client not authorized for this invocation"

I have narrowed it down to the EJB JACC policy check failing. When I do not use EJB/JPA in a resource class, the exception isn't thrown even when the @RolesAllowed annotation is present.

The full glassfish stack trace in fine print can be found here http://pastebin.com/AUPKWaqe

Answer 1

Here's some extra information, I followed the Jersey security guide below. https://jersey.java.net/documentation/latest/security.html#d0e10816

I used the ContainerRequestFilter to authenticate, here I'd set a custom implementation of SecurityContext if the authentication was successful which the rolesalloweddynamic feature would use along with the rolesallowed annotations to authorise access to a specific resource. These three components allowed me to authenticate and authorise on an application level, not on a container level.

This worked great until my application was converted from a servlet to a EJB/servlet (I added a stateless ejb annotation to a jax-rs resource class). EJB uses the rolesallowed annotation to restrict access to its bean methods at a container level, therefore it conflicted with my application level authentication/authorisation.

I'm still searching for a comphrensive solution, even if it's disabling EJB level method security so I can leave it to the ContainerRequestFilter to authenticate and the rolesalloweddynamicfeature to authorise.