Another quote from: https://access.redhat.com/site/document ... urity.html

Java EE security services can be implemented for web applications in the following ways:
Metadata annotations (or simply, annotations) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor.
New in Java EE 6 and Servlet specification 3.0, the @RolesAllowed, @DenyAll, @PermitAll, and @TransportProtected annotations are supported for Servlet.
RESTEasy supports the @RolesAllowed, @PermitAll, and @DenyAll annotations on JAX-RS methods. However, it does not recognize these annotations by default. Follow these steps to configure the web.xml file and enable role-based security.
Do not activate role-based security if the application uses EJBs. The EJB container will provide the functionality, instead of RESTEasy.
If the root class is not an EJB but a servlet-based service, @RolesAllowed works according to this quote.
(However, I did not see any @RolesAllowed, @DenyAll, @PermitAll annotation documented in JSR-340.)
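The web.xml configuration the quoted documentation refers to, as an added example that is not part of the original post or of the Red Hat documentation. The `resteasy.role.based.security` context parameter is RESTEasy's switch for honouring these annotations; the URL pattern, role names and realm name are hypothetical placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

    <!-- Makes RESTEasy evaluate @RolesAllowed, @PermitAll and @DenyAll on
         JAX-RS methods. Leave it out when the resources are EJBs: the EJB
         container then enforces the annotations itself. -->
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>

    <!-- The container must authenticate the caller before RESTEasy can
         check roles. /api/* is a hypothetical mapping for the JAX-RS
         application. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>rest-api</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>
        <!-- BASIC credentials are only base64-encoded, so require TLS. -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ExampleRealm</realm-name>
    </login-config>

    <!-- Every role named in an @RolesAllowed annotation must also be
         declared here (hypothetical role names). -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```

Without the context parameter the annotations are silently ignored, so a method marked @DenyAll or @RolesAllowed("admin") stays reachable by any caller the security-constraint admits; a request made as a lower-privileged role is a quick check that the setting took effect.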