If I use MP JWT to secure my JAX-RS resource, but leave some methods unconstrained, I expect access to them will be granted to everyone. E.g. the unconstrained method in this example:
However, access is denied. This is caused by this piece of code from MPJWTAuthExtensionArchivePreparer.generateSecurityConstraints:
Here, localRoles defaults to null, which is the same as @DenyAll, and class-level @DenyAll is just implicitly assumed. That's wrong; we should explicitly check if there's a class-level @DenyAll, and if not, it means there's no class-level constraint and the unconstrained method shouldn't be secured at all.
(Actually that's just my assumption. I'm no EJB security expert. Could someone confirm how EJB security works in this case? I think the behavior is modeled after EJB security, so should be as similar as possible.)
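
The rule proposed above, sketched as an added example; it is not the project's code and not a confirmed statement of EJB behaviour. All class and method names are hypothetical, the annotations are local stand-ins for `javax.annotation.security.*`, and `"*"` as the marker for `@PermitAll` is an assumption of this sketch.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.List;
import java.util.Optional;

public class ConstraintResolution {
    // Stand-ins for javax.annotation.security.* so the file compiles without extra jars.
    @Retention(RetentionPolicy.RUNTIME) @interface DenyAll {}
    @Retention(RetentionPolicy.RUNTIME) @interface PermitAll {}
    @Retention(RetentionPolicy.RUNTIME) @interface RolesAllowed { String[] value(); }

    // Constructed sample: no class-level annotation, one method left unconstrained.
    static class SampleResource {
        @RolesAllowed("admin") public String secured() { return "secured"; }
        public String unconstrained() { return "open"; }
    }

    // Constructed sample: explicit class-level @DenyAll, overridden on one method.
    @DenyAll static class LockedResource {
        public String inherited() { return "denied"; }
        @PermitAll public String open() { return "open"; }
    }

    // Constraint declared directly on one element: empty list = deny all, "*" = any caller.
    static Optional<List<String>> declared(AnnotatedElement e) {
        if (e.isAnnotationPresent(DenyAll.class)) return Optional.of(List.of());
        if (e.isAnnotationPresent(PermitAll.class)) return Optional.of(List.of("*"));
        RolesAllowed r = e.getAnnotation(RolesAllowed.class);
        return r == null ? Optional.empty() : Optional.of(List.of(r.value()));
    }

    // Method-level annotation wins; otherwise the class-level one applies only if it
    // is really present. An empty Optional means no security constraint is generated.
    static Optional<List<String>> effectiveRoles(Method m) {
        Optional<List<String>> onMethod = declared(m);
        return onMethod.isPresent() ? onMethod : declared(m.getDeclaringClass());
    }

    public static void main(String[] args) {
        for (Class<?> c : List.of(SampleResource.class, LockedResource.class))
            for (Method m : c.getDeclaredMethods())
                System.out.println(c.getSimpleName() + "." + m.getName() + " -> "
                    + effectiveRoles(m).map(Object::toString).orElse("no constraint generated"));
    }
}
```

The distinction the sketch keeps is between an absent constraint (empty `Optional`) and an explicit deny (empty role list), which a single nullable `localRoles` value cannot express.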