Posted to users@tomee.apache.org by "mark.cavender" <ma...@sbcglobal.net> on 2015/10/08 16:31:45 UTC

restful web security for TOMEE

Hi,

I am writing the security for a web app / RESTful services system.  I am
using a FORM login for the web app with a custom DataSourceRealm.  I have
also restricted the URL so that only certain roles can use it.  What I am
noticing is that, for the RESTful services, the @RolesAllowed annotation
isn't working.  I have made the RESTful service a stateless session bean
with the @Stateless annotation, but it still doesn't work.  I have also
injected a SessionContext into the service and used the
session.isCallerInRole routine, and it returns false.  Is there something
that I am missing?  Do I need to configure some additional thing for my web
services?  Thanks in advance,


Mark



--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/restful-web-secruity-for-TOMEE-tp4676451.html
Sent from the TomEE Users mailing list archive at Nabble.com.

Re: restful web security for TOMEE

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi

@RolesAllowed is a JAAS annotation so you need a JAASRealm in your
application (more likely server.xml but context.xml works as well).


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-10-08 16:31 GMT+02:00 mark.cavender <ma...@sbcglobal.net>:

> Hi,
>
> I am writing the security for a web app / RESTful services system.  I am
> using a FORM login for the web app with a custom DataSourceRealm.  I have
> also restricted the URL so that only certain roles can use it.  What I am
> noticing is that, for the RESTful services, the @RolesAllowed annotation
> isn't working.  I have made the RESTful service a stateless session bean
> with the @Stateless annotation, but it still doesn't work.  I have also
> injected a SessionContext into the service and used the
> session.isCallerInRole routine, and it returns false.  Is there something
> that I am missing?  Do I need to configure some additional thing for my web
> services?  Thanks in advance,
>
>
> Mark
>
>
>

Re: restful web security for TOMEE

Posted by Arthur Portas <ar...@itsector.pt>.
Awesome answer! Thanks for making it clear!

2015-10-12 10:45 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:

> Hmm, form authentication is not linked to remote calls. There is no http
> session with remote calls but form authentication relies on it.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>

Re: restful web security for TOMEE

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hmm, form authentication is not linked to remote calls. There is no http
session with remote calls but form authentication relies on it.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-10-12 11:43 GMT+02:00 Arthur Portas <ar...@itsector.pt>:

> In my case, I have at JVM level a Custom Login Module with login config as
> '<auth-method>FORM</auth-method>'
> I'm not calling rest webservices, only remote EJB's. Once tried to use
> security annotations with no success,
> but changing to '<auth-method>BASIC</auth-method>' it worked.

Re: restful web security for TOMEE

Posted by Arthur Portas <ar...@itsector.pt>.
In my case, I have at JVM level a Custom Login Module with login config as
'<auth-method>FORM</auth-method>'
I'm not calling rest webservices, only remote EJB's. Once tried to use
security annotations with no success,
but changing to '<auth-method>BASIC</auth-method>' it worked.

2015-10-12 10:33 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:

> Not sure what "JAAS form auth" means. JAAS is setup either at JVM level or
> webapp level using JAASRealm but this is not directly linked to the form
> itself, tomcat just reuses its security pipeline.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>

Re: restful web security for TOMEE

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Not sure what "JAAS form auth" means. JAAS is setup either at JVM level or
webapp level using JAASRealm but this is not directly linked to the form
itself, tomcat just reuses its security pipeline.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-10-12 11:30 GMT+02:00 Arthur Portas <ar...@itsector.pt>:

> Hum... I've read somewhere that security annotations in TomEE currently only
> work with JAAS basic auth.
> I'm using TomEE 1.7.2 and JAAS Form auth and could not get it working with
> security annotations.

Re: restful web security for TOMEE

Posted by Arthur Portas <ar...@itsector.pt>.
Hum... I've read somewhere that security annotations in TomEE currently only
work with JAAS basic auth.
I'm using TomEE 1.7.2 and JAAS Form auth and could not get it working with
security annotations.


2015-10-09 23:14 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:

> Hi
>
> Maybe share a project to reproduce on github, this sounds like something
> which works.
>
> Tip: a maven project with tomee maven plugin ready to run is the best way
> to get a fast answer ;)
>
> Romain

Re: restful web security for TOMEE

Posted by Romain Manni-Bucau <rm...@gmail.com>.
openejb-jar.xml but this will not solve your issue "by design"


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-10-13 19:51 GMT+02:00 mark.cavender <ma...@sbcglobal.net>:

> I will setup a project on GitHub, but I just read an article,
> https://docs.wso2.com/display/AS530/Developing+JAX-RS+Applications, that
> seemed to say that I need to setup a SecureAnnotationsInterceptor to get
> Apache CXF to honor the @RolesAllowed annotation.  It talks about setting
> up a cxf-servlet.xml file with the following configuration:
>
>
>
>
> <bean id="authorizationInterceptor"
> class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
> <property name="securedObject" ref="serviceBean"/>
> </bean>
> <jaxrs:server id="customerService" address="/customers">
>
>
>
> <jaxrs:inInterceptors>
>     <ref bean="authorizationInterceptor"/>
>     </jaxrs:inInterceptors>
>
> <jaxrs:serviceBeans>
>     <ref bean="serviceBean"/>
> </jaxrs:serviceBeans>
>
> So my question is,  where would I set up this configuration in a TOMEE app?
> Do I just put it under the WEB-INF of the app, or does it go into one of
> the
> existing files beans.xml, open-ebj-jars.xml?  Thanks in advance,
>
>
> Mark
>
>
>

Re: restful web security for TOMEE

Posted by "mark.cavender" <ma...@sbcglobal.net>.
I will setup a project on GitHub, but I just read an article,
https://docs.wso2.com/display/AS530/Developing+JAX-RS+Applications, that
seemed to say that I need to setup a SecureAnnotationsInterceptor to get
Apache CXF to honor the @RolesAllowed annotation.  It talks about setting
up a cxf-servlet.xml file with the following configuration:

<bean id="authorizationInterceptor"
      class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
    <property name="securedObject" ref="serviceBean"/>
</bean>
<jaxrs:server id="customerService" address="/customers">

    <jaxrs:inInterceptors>
        <ref bean="authorizationInterceptor"/>
    </jaxrs:inInterceptors>

    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>

So my question is, where would I set up this configuration in a TOMEE app?
Do I just put it under the WEB-INF of the app, or does it go into one of the
existing files beans.xml, open-ebj-jars.xml?  Thanks in advance,


Mark 




Re: restful web security for TOMEE

Posted by Romain Manni-Bucau <rm...@gmail.com>.
2015-10-13 19:11 GMT+02:00 hwaastad <he...@waastad.org>:

> Hi,
> what you might consider is to let the form auth return a token.
>
> a custom login module would then authorize the token and fill the
> securitycontext.
> I've been using this kind of topology in several projects, authorizing the
> token in a webfilter (login).
>
> If you are in a position to use tomee 7, then adding jwt to the mix you can let
> the token even carry all groups and handle auth in a
> ContainerRequestFilter...
>
>
if not a plain old servlet filter does the same ;)


> Have fun :-)

Re: restful web security for TOMEE

Posted by hwaastad <he...@waastad.org>.
Hi,
what you might consider is to let the form auth return a token.

a custom login module would then authorize the token and fill the
securitycontext.
I've been using this kind of topology in several projects, authorizing the
token in a webfilter (login).

If you are in a position to use tomee 7, then adding jwt to the mix you can let
the token even carry all groups and handle auth in a
ContainerRequestFilter...

Have fun :-)

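As an added example (not code from the thread, from TomEE or from any of the posters), here is the token topology hwaastad describes, and that Romain's "plain old servlet filter" remark points at, written as a JAX-RS ContainerRequestFilter for a TomEE 7 / Java EE 7 deployment: the FORM login issues a signed token carrying the user's groups, every stateless REST call presents it in a Bearer Authorization header, and the filter validates it and publishes the groups through the JAX-RS SecurityContext. The token layout (base64url payload "subject|group1,group2|expirySeconds" plus an HMAC-SHA256 tag), the key, the header name and the class names are assumptions made for the example; a JWT library would replace issue() and verify(). One caveat that follows from the thread: this populates the JAX-RS SecurityContext only, so it serves JAX-RS-level role checks; a @RolesAllowed on a @Stateless bean is decided by the EJB container from its own caller identity, which is what the custom login module hwaastad mentions has to supply.

```java
// Added example (not from the thread): bearer-token authentication for stateless
// REST calls, issued after FORM login and checked on every request.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.Priority;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)   // runs before authorization filters
public class TokenAuthFilter implements ContainerRequestFilter {

    private static final String ALG = "HmacSHA256";
    // Constructed key for this example only; a deployment loads it from server
    // configuration, never from source.
    private static final byte[] KEY = "example-key-replace-me".getBytes(StandardCharsets.UTF_8);

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        final Token token = verify(auth.substring("Bearer ".length()));
        if (token == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        final boolean secure = ctx.getSecurityContext().isSecure();
        // Expose subject and groups to @Context SecurityContext and JAX-RS role checks.
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return () -> token.subject; }
            @Override public boolean isUserInRole(String role) { return token.groups.contains(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "Bearer"; }
        });
    }

    /** Builds a token once the realm has accepted the FORM credentials; this is
     *  what the login success path (servlet filter or login servlet) would call. */
    static String issue(String subject, Set<String> groups, long expiresEpochSeconds) {
        for (String field : groups) {
            if (field.contains("|") || field.contains(",")) {
                throw new IllegalArgumentException("separator character in group name");
            }
        }
        if (subject.contains("|")) {
            throw new IllegalArgumentException("separator character in subject");
        }
        byte[] payload = (subject + "|" + String.join(",", groups) + "|" + expiresEpochSeconds)
                .getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
    }

    /** Returns the parsed token, or null for anything malformed, tampered or expired. */
    static Token verify(String token) {
        int dot = token.lastIndexOf('.');
        if (dot <= 0) return null;
        byte[] payload, sig;
        try {
            payload = Base64.getUrlDecoder().decode(token.substring(0, dot));
            sig = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                                   // not base64url
        }
        if (!MessageDigest.isEqual(hmac(payload), sig)) {  // constant-time compare
            return null;                                   // tampered or foreign key
        }
        String[] parts = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 3) return null;
        long exp;
        try { exp = Long.parseLong(parts[2]); } catch (NumberFormatException e) { return null; }
        if (exp <= System.currentTimeMillis() / 1000) return null;   // expired
        Set<String> groups = new HashSet<>(Arrays.asList(parts[1].split(",")));
        return new Token(parts[0], Collections.unmodifiableSet(groups));
    }

    private static byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(KEY, ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static final class Token {
        final String subject;
        final Set<String> groups;
        Token(String subject, Set<String> groups) { this.subject = subject; this.groups = groups; }
    }
}
```

The filter is picked up by the JAX-RS runtime through @Provider and needs no entry in web.xml. Because the token is validated per request, the REST endpoints no longer depend on the HTTP session that FORM login creates, which is the limitation Romain points out for remote calls; the expiry in the payload bounds how long a captured token stays valid.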

Re: restful web security for TOMEE

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi

Maybe share a project to reproduce on github, this sounds like something
which works.

Tip: a maven project with tomee maven plugin ready to run is the best way
to get a fast answer ;)

Romain

2015-10-09 21:35 GMT+02:00 mark.cavender <ma...@sbcglobal.net>:

> Thanks for the quick reply.  OK, I wrote a JAASLogin and am using a
> JAASRealm.  The @RolesAllowed still isn't working in my REST service.  I'm
> wondering if I am confusing some things. My configuration is as follows:
>
> 1)  I have declared the RESTful service as:  @Stateless
> @DeclareRoles({"viewer","poster"}) and declared a method as
> @RolesAllowed({"poster"})
>
> 2)  in the web.xml I restricted the URL of the restful call to users with
> roles of viewer and poster, although I have also tried to do it as an
> asterisk "*" as well.
>
> 3)  In the RESTful method, I can look at the request in the debugger and
> see
> that I only have the viewer role, but it still lets me in the method even
> though it is restricted to the poster role.  Do you see any flaws in my
> logic?  Thanks in advance,
>
> Mark
>
>
>

Re: restful web security for TOMEE

Posted by "mark.cavender" <ma...@sbcglobal.net>.
Thanks for the quick reply.  OK, I wrote a JAASLogin and am using a
JAASRealm.  The @RolesAllowed still isn't working in my REST service.  I'm
wondering if I am confusing some things. My configuration is as follows:

1)  I have declared the RESTful service as:  @Stateless
@DeclareRoles({"viewer","poster"}) and declared a method as
@RolesAllowed({"poster"})

2)  in the web.xml I restricted the URL of the restful call to users with
roles of viewer and poster, although I have also tried to do it as an
asterisk "*" as well.

3)  In the RESTful method, I can look at the request in the debugger and see
that I only have the viewer role, but it still lets me in the method even
though it is restricted to the poster role.  Do you see any flaws in my
logic?  Thanks in advance,

Mark



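An added example, not code from the thread or from TomEE, of the setup Mark describes above: a JAX-RS resource deployed as a stateless EJB with @DeclareRoles and @RolesAllowed, plus an explicit cross-check that compares the EJB container's view of the caller (SessionContext) with the web layer's view (the JAX-RS SecurityContext). When the realm is wired as Romain suggests, both views agree and the container rejects non-posters before the method body runs; when they disagree, which is the symptom in point 3 (the request carries only the viewer role yet the method runs), the method fails closed and logs which layer is missing the role, so a realm misconfiguration shows up in the log rather than as an open endpoint. The path, the log format and the names PostResource / requireRole are assumptions.

```java
// Added example (not from the thread): a stateless-EJB JAX-RS resource whose
// role checks fail closed and report a disagreement between the EJB and web
// security contexts.
import java.security.Principal;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Stateless
@Path("/posts")
@DeclareRoles({"viewer", "poster"})   // the roles isCallerInRole() may be asked about
public class PostResource {

    private static final Logger LOG = Logger.getLogger(PostResource.class.getName());

    @Resource
    private SessionContext ejbContext;   // the EJB container's view of the caller

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"viewer", "poster"})
    public String list(@Context SecurityContext web) {
        return "posts visible to " + name(web.getUserPrincipal());
    }

    @POST
    @RolesAllowed("poster")
    public Response create(String body, @Context SecurityContext web) {
        // The container should already have rejected non-posters. This check
        // fails closed if it did not, and records which layer disagrees.
        Response denial = requireRole("poster", web);
        if (denial != null) {
            return denial;
        }
        // ... persist body ...
        return Response.status(Response.Status.CREATED).build();
    }

    /** Returns null when both security views agree the caller holds the role,
     *  otherwise the error response to send. */
    Response requireRole(String role, SecurityContext web) {
        Principal webUser = web.getUserPrincipal();
        if (webUser == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        boolean webHasRole = web.isUserInRole(role);
        boolean ejbHasRole = ejbContext.isCallerInRole(role);
        if (webHasRole != ejbHasRole) {
            // Authentication reached one layer but was not propagated to the
            // other: a realm/login-module configuration problem, not a user error.
            LOG.warning(String.format(
                "role '%s' mismatch: web principal=%s inRole=%b, ejb principal=%s inRole=%b",
                role, name(webUser), webHasRole, name(ejbContext.getCallerPrincipal()), ejbHasRole));
        }
        if (!(webHasRole && ejbHasRole)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return null;
    }

    private static String name(Principal p) {
        return p == null ? "<anonymous>" : p.getName();
    }
}
```

The web.xml security-constraint and login-config from points 1 and 2 stay as they are; the resource adds nothing to them. What the warning line tells you is which side to fix: a web principal with the role but an EJB context without it means the web authentication is not reaching the EJB container, which is the JAASRealm point Romain raises earlier in the thread.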