Meeds-io · rdenarie · Jan 7, 2026 · Jan 6, 2026
diff --git a/exo.ws.rest.core/pom.xml b/exo.ws.rest.core/pom.xml
@@ -79,6 +79,11 @@ Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
          <artifactId>exo.ws.testframework</artifactId>
          <scope>test</scope>
       </dependency>
+      <dependency>
+         <groupId>io.meeds.core</groupId>
+         <artifactId>exo.core.component.security.core</artifactId>
+         <scope>test</scope>
+      </dependency>
       <dependency>
          <groupId>junit</groupId>
          <artifactId>junit</artifactId>

diff --git a/.../src/main/java/org/exoplatform/services/rest/impl/method/OptionsRequestMethodInvoker.java b/.../src/main/java/org/exoplatform/services/rest/impl/method/OptionsRequestMethodInvoker.java
@@ -17,13 +17,17 @@
 package org.exoplatform.services.rest.impl.method;
 
 import org.exoplatform.services.rest.ApplicationContext;
+import org.exoplatform.services.rest.impl.ApplicationContextImpl;
 import org.exoplatform.services.rest.impl.header.MediaTypeHelper;
 import org.exoplatform.services.rest.method.MethodInvoker;
 import org.exoplatform.services.rest.resource.GenericMethodResource;
 import org.exoplatform.services.rest.wadl.WadlProcessor;
 import org.exoplatform.services.rest.wadl.research.Application;
 
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.SecurityContext;
 
 /**
  * @author <a href="mailto:andrew00x@gmail.com">Andrey Parfonov</a>
@@ -37,6 +41,17 @@ public class OptionsRequestMethodInvoker implements MethodInvoker
     */
    public Object invokeMethod(Object resource, GenericMethodResource genericMethodResource, ApplicationContext context)
    {
+
+      SecurityContext securityContext = ApplicationContextImpl.getCurrent().getSecurityContext();
+      String role = "users";
+
+      if (!securityContext.isUserInRole(role)) {
+         // user is not in allowed roles
+         throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(
+             "You do not have access rights to this resource, please contact your administrator. ").type(
+             MediaType.TEXT_PLAIN).build());
+      }
+
       Application wadlApplication =
          new WadlProcessor().process(genericMethodResource.getParentResource(), context.getBaseUri());
       return Response.ok(wadlApplication, MediaTypeHelper.WADL_TYPE).build();

diff --git a/....rest.core/src/test/java/org/exoplatform/services/rest/impl/method/OptionsMethodTest.java b/....rest.core/src/test/java/org/exoplatform/services/rest/impl/method/OptionsMethodTest.java
@@ -16,16 +16,22 @@
  */
 package org.exoplatform.services.rest.impl.method;
 
+import jakarta.servlet.http.HttpServletRequest;
 import org.exoplatform.services.rest.BaseTest;
+import org.exoplatform.services.rest.impl.EnvironmentContext;
+import org.exoplatform.services.test.mock.MockHttpServletRequest;
+import org.exoplatform.services.test.mock.MockPrincipal;
 
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
+import java.security.Principal;
 
 import javax.ws.rs.GET;
 import javax.ws.rs.HttpMethod;
 import javax.ws.rs.Path;
+import javax.ws.rs.core.SecurityContext;
 
 /**
  * Created by The eXo Platform SAS. <br>
@@ -77,9 +83,48 @@ public void testOptionsMethod() throws Exception
 
       Resource2 resource2 = new Resource2();
       registry(resource2);
-      assertEquals(200, launcher.service("OPTIONS", "/b", "", null, null, null).getStatus());
-      assertNotNull(launcher.service("OPTIONS", "/b", "", null, null, null).getResponse().getMetadata());
+      assertEquals(403, launcher.service("OPTIONS", "/b", "", null, null, null).getStatus());
 
+
+      EnvironmentContext envctx = new EnvironmentContext();
+      HttpServletRequest httpRequest = new MockHttpServletRequest("/b", null, 0, "OPTIONS", null);
+      envctx.put(HttpServletRequest.class, httpRequest);
+      envctx.put(SecurityContext.class, new MockSecurityContext("john"));
+
+      assertEquals(200, launcher.service("OPTIONS", "/b", "", null, null, envctx).getStatus());
+      assertNotNull(launcher.service("OPTIONS", "/b", "", null, null, envctx).getResponse().getMetadata());
+
+   }
+
+   protected static class MockSecurityContext implements SecurityContext {
+
+      private final String username;
+
+      public MockSecurityContext(String username) {
+         this.username = username;
+      }
+
+      public Principal getUserPrincipal() {
+         return new MockPrincipal(username);
+      }
+
+      public boolean isUserInRole(String role) {
+         if(username == null) {
+            return false;
+         }
+         if (role == null) {
+            return false;
+         }
+         return true;
+      }
+
+      public boolean isSecure() {
+         return false;
+      }
+
+      public String getAuthenticationScheme() {
+         return null;
+      }
    }
 
 }