QDCOS-114-Authorize-web-endpoints-fixes
Signed-off-by: Michal Maléř <[email protected]>

Fixes

Signed-off-by: Michal Maléř <[email protected]>

Update docs/src/main/asciidoc/security-authorization-of-web-endpoints-reference.adoc

Co-authored-by: Michelle Purcell <[email protected]>
MichalMaler and michelle-purcell committed Jan 23, 2023
1 parent ed47ae6 commit ab7270a
Showing 1 changed file with 5 additions and 5 deletions.
Expand Up @@ -4,7 +4,7 @@ and pull requests should be submitted there:
https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
////
[id="security-authorization-of-web-endpoints-reference"]
= Authorization of Web Endpoints
= Authorization of web endpoints
include::_attributes.adoc[]
:categories: security,web

Expand Down Expand Up @@ -65,7 +65,7 @@ This is an exact path match as it does not end with `*`.
`roles1` is an example name; you can call the permission sets whatever you want.


=== Matching on paths, methods
=== Matching on paths and methods

Permission sets can also specify paths and methods as a comma-separated list.
If a path ends with the `*` wildcard, the query it generates matches all sub-paths.
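Review bot: The unchanged sentence just under the renamed heading, "If a path ends with the `*` wildcard, the query it generates matches all sub-paths.", is still unclear, because "the query it generates" does not refer to anything defined in the visible text. Since this commit is a wording pass over the section, consider stating the rule directly, for example "If a path ends with the `*` wildcard, it matches all sub-paths.", so that readers writing permission sets can tell exactly which requests a wildcard path covers.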
Expand Down Expand Up @@ -163,12 +163,12 @@ quarkus.http.auth.permission.roles2.policy=admin-policy1

TIP: Given the above permission set, `GET /api/foo` would match both permission sets' paths, requiring both the `user` and `admin` roles.

=== Configuration Properties to Deny access
=== Configuration properties to deny access

The following configuration settings alter the RBAC Deny behavior:
The following configuration settings alter the role-based access control (RBAC) denying behavior:

`quarkus.security.jaxrs.deny-unannotated-endpoints=true|false`::
If set to true, the access will be denied for all JAX-RS endpoints by default, so if a JAX-RS endpoint does not have any security annotations, it will default to the `@DenyAll` behavior.
If set to true, access is denied for all JAX-RS endpoints by default. If a JAX-RS endpoint does not have any security annotations, it defaults to the `@DenyAll` behavior.
This is useful to ensure you cannot accidentally expose an endpoint that is supposed to be secured.
Defaults to `false`.

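Review bot: In the `quarkus.security.jaxrs.deny-unannotated-endpoints` description, splitting the original sentence in two loses the link between the setting and the unannotated case. The new first sentence, "If set to true, access is denied for all JAX-RS endpoints by default.", can be read as denying annotated endpoints too, and the second sentence now reads as if unannotated endpoints default to `@DenyAll` regardless of the property value. A single conditional sentence would keep the meaning of the removed line, for example "If set to true, any JAX-RS endpoint that does not have security annotations defaults to the `@DenyAll` behavior." In the intro line, "denying behavior" is also awkward; "deny behavior" or "how access is denied" reads more naturally next to the expanded "role-based access control (RBAC)".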