11.6. JAX-RS Web Service Security

11.6.1. Enable Role-Based Security for a RESTEasy JAX-RS Web Service

Task Summary

RESTEasy supports the @RolesAllowed, @PermitAll, and @DenyAll annotations on JAX-RS methods. However, it does not recognize these annotations by default. Follow these steps to configure the web.xml file and enable role-based security.


Do not activate role-based security if the application uses EJBs. In that case the EJB container provides this functionality instead of RESTEasy.

Procedure 11.1. Task

  1. Open the web.xml file for the application in a text editor.
  2. Add the following <context-param> to the file, inside the <web-app> element:
  3. Declare all roles used within the RESTEasy JAX-RS WAR file, using the <security-role> tags:
  4. Authorize access to all URLs handled by the JAX-RS runtime for all roles:

Role-based security has been enabled within the application, with a set of defined roles.
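The four steps of the procedure assembled into one web.xml, as an added example that is not the documentation's own listing. The role names admin and user, the /* URL pattern, the resource collection name, and the BASIC login-config with its realm name are assumptions for illustration; resteasy.role.based.security is the RESTEasy context parameter that switches on annotation processing.

```xml
<web-app>
    <!-- Step 2: tell RESTEasy to honor @RolesAllowed, @PermitAll and @DenyAll -->
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>

    <!-- Step 3: declare every role that appears in a @RolesAllowed annotation
         in this WAR. "admin" and "user" are assumed role names. -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>

    <!-- Step 4: authorize all declared roles for every URL handled by the
         JAX-RS runtime. The pattern /* assumes RESTEasy is mapped to the
         root of the WAR; match it to the actual servlet mapping. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>jaxrs-endpoints</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Assumption, not part of the procedure: an auth-constraint needs an
         authentication method. BASIC sends credentials on every request,
         so serve it over TLS only. The realm name is a placeholder. -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ApplicationRealm</realm-name>
    </login-config>
</web-app>
```

With this configuration the container's constraint admits only authenticated callers holding one of the declared roles; the per-method decision is still made by the @RolesAllowed, @PermitAll, and @DenyAll annotations on the resource methods. A role used in an annotation but missing from both the <security-role> list and the <auth-constraint> never reaches the method.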

Example 11.1. Example Role-Based Security Configuration




