RolesPermitted Support

Since Payara Server and 5.182

The Payara API provides a @RolesPermitted annotation that creates an authorisation interceptor for usage with CDI beans. This largely works in the same way as the @RolesAllowed common annotation, which in Java EE is primarily used by EJB.


The authorisation interceptor is defined through the @RolesPermitted annotation. Specifying this on an interceptable method of a CDI bean will make that method eligible for interception by the roles permitted interceptor. This interceptor will check that the caller of a method is any or all of the specified roles. If this holds, the call to the method proceeds. If not, an exception of type CallerAccessException is thrown.

The annotation can alternatively be placed at the class level of a CDI bean, in which case it will apply to all interceptable methods of that bean.


Here’s an example that protects a single method:

public class TestRolesPermitted {

    Principal principal;

    public String getUserName() {
        return principal.getName();

See this sample project for a more detailed example.


The @RolesPermitted annotation has several configuration options.

They are detailed below.

Table 1. Configuration Options
Option Required Description Requirements



The roles which are allowed to access this method.




Whether accessing caller must be in any one of the given roles (OR) or all given roles (AND). Defaults to OR.


Dynamic Roles

The @RolesPermitted annotation also allows to dynamically specify security roles permitted to access methods in an application by using a predefined expression language (EL) as a dynamic role expression that interacts with the business method’s parameters annotated with javax.inject.Named annotation.


Here’s an example that protects a single method by defining dynamically resolved role name. The @Named("customer") annotation is used to define the parameter name and reference the parameter value in dynamic role expression.

public void updateCustomer(@Named("customer") Customer customer){

Multiple parameters can also be used in EL expression of dynamic security roles:

@RolesPermitted("#{self.findRole(customer, product)}")
public void updateCustomer(@Named("customer") Customer customer, @Named("product") Product product){

public String findRole(Customer customer, Product product) {
    return customer.type + "_" + product.model

If the parameter name is not defined using the Named annotation and the method has a single parameter then param is used as the default parameter name:

public void updateCustomer(Customer customer){

Extra Resources

See @RolesAllowed for the original annotation on which this annotation is based.

results matching ""

    No results matching ""