I want to create an authorization filter in JAX-RS based application.
That filter would identify the Resource class being referred by HTTP request URI. resource would have custom annotation with possible roles and operations.
Based on the class being referred, the filter would decide the possible operations allowed on that resource.
Hence what is the mechanism to identify which resource and method is going to be executed by JAX-RS ?
I think what your looking for is a ContainerRequestFilter. This would allow you to intercept every request and authorize the request by validating an access key or what ever method your using to identify the users authorization. Here's an example of using the ContainerRequestFilter in Jersey though I see this Filter defined in the JAX-RS docs so it is likely in other implementations.
Not knowing the exact requirements, it would be hard to recommend a specific approach to managing roles and approved usage, also this might very depending on how complicated your roles might be. If the roles are pretty static you might want to consider using an annotation to mark protected endpoints and rely on the code to dictate access. You could perhaps, also use the annotations to tie to keys/roles in a database (annotation params would allow greater flexibility). Whatever you choose I wouldn't code it entirely in the Filter.
Since I mentioned the annotations, here's some suggestions on how to search your code for annotations. Spring will also help you do this for any Spring Bean.
Edit: I almost forgot, you can also inspect your rest service classes for the JAX-RS annotations which would be one way to figure out which class would be called based on the uri. I'm thinking there might be another way about this as well though, I can't recall it at the moment.
