
PanacheEntityResource not propagating javax.annotation.security #28995

Closed
punkratz312 opened this issue Nov 2, 2022 · 7 comments · Fixed by #29009

@punkratz312

punkratz312 commented Nov 2, 2022

Security is not respected.

We have custom endpoints and a generated one with PanacheEntityResource.

All have security annotations. The security has no effect on PanacheEntityResource:

@DenyAll, but it is still reachable:

Expected behavior

Work as intended, as on the custom resources.

Actual behavior

Security is not respected.

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@punkratz312 punkratz312 added the kind/bug Something isn't working label Nov 2, 2022
@quarkus-bot

quarkus-bot bot commented Nov 2, 2022

Sgitario added a commit to Sgitario/quarkus that referenced this issue Nov 2, 2022
With these changes, the REST Data with Panache extension will propagate the Security annotations within the package `javax.annotation.security` that are defined on your resource interfaces:

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;

import io.quarkus.rest.data.panache.PanacheEntityResource;
import io.quarkus.rest.data.panache.ResourceProperties;

// Interface-level annotation: every generated operation is denied by default.
@DenyAll
@ResourceProperties
public interface PeopleResource extends PanacheEntityResource<Person, Long> {
    // Method-level annotation: only "superuser" may call the generated delete.
    @RolesAllowed("superuser")
    boolean delete(Long id);
}
```

Additionally, if you are only interested in specifying the roles that are allowed to use the resources, the `@ResourceProperties` and `@MethodProperties` annotations have the field `rolesAllowed` to list the security roles permitted to access the resource or operation.

Fix quarkusio#28995
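As an added example (not code from the issue or from the Quarkus PR), the two ways of restricting a generated resource that the commit message describes, plus a test a maintainer could use to check that the interface-level deny actually reaches the generated endpoint. It assumes a Panache entity `Person`, the REST path `people`, the roles `user` and `superuser`, and that the Quarkus test-security and REST Assured test dependencies are available; the 401/403 codes follow Quarkus' convention of 401 for an unauthenticated caller and 403 for an authenticated caller without the required role.

```java
// --- PeopleResource.java (added example; Person is an assumed Panache entity) ---
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import io.quarkus.rest.data.panache.MethodProperties;
import io.quarkus.rest.data.panache.PanacheEntityResource;
import io.quarkus.rest.data.panache.ResourceProperties;

// Deny-by-default at the interface level; each generated operation must be
// opened explicitly. Before the fix these annotations were silently dropped
// from the generated JAX-RS resource, which is the bug reported above.
@DenyAll
@ResourceProperties(path = "people")
public interface PeopleResource extends PanacheEntityResource<Person, Long> {

    // Standard javax.annotation.security annotation, now propagated.
    @RolesAllowed("user")
    Person get(Long id);

    // Equivalent restriction using the extension's own rolesAllowed attribute.
    @MethodProperties(rolesAllowed = "superuser")
    boolean delete(Long id);
}

// --- PeopleResourceSecurityTest.java (added example) ---
import static io.restassured.RestAssured.given;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import org.junit.jupiter.api.Test;

@QuarkusTest
class PeopleResourceSecurityTest {

    @Test
    void anonymousCallerIsRejected() {
        // The interface-level @DenyAll must reach the generated endpoints.
        given().when().delete("/people/1").then().statusCode(401);
        given().when().get("/people/1").then().statusCode(401);
    }

    @Test
    @TestSecurity(user = "alice", roles = "user")
    void userRoleCannotDelete() {
        // Authenticated but lacking "superuser": 403, and no row is deleted.
        given().when().delete("/people/1").then().statusCode(403);
    }
}
```

The test is the regression check the reporter asked for: if either assertion fails, annotations on the resource interface are again not reaching the generated resource.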
Sgitario added a commit to Sgitario/quarkus that referenced this issue Nov 2, 2022
@punkratz312
Author

Thanks for the fix.

What about javax.transaction.Transactional?

We don't have dedicated tests yet for this scenario.
If the annotation inheritance flow is discontinued and must be whitelisted, maybe this one is missing too?

@quarkus-bot quarkus-bot bot added this to the 2.15 - main milestone Nov 3, 2022
@punkratz312
Author

@geoand
Would you please consider releasing this critical security fix in 2.14 already?
We need to release our product very soon and would highly appreciate the bugfix. Thanks.

@geoand
Contributor

geoand commented Nov 3, 2022

@Sgitario should the fix for this be backported to 2.14 and perhaps 2.13?

If so, please add the proper labels to the PR

@Sgitario
Contributor

Sgitario commented Nov 3, 2022

Label to backport it to 2.14 added.

@punkratz312
Author

punkratz312 commented Nov 3, 2022

Thank you very much, awesome. I'm sure we have chosen the right framework for our product.

@geoand
Contributor

geoand commented Nov 3, 2022

Thanks for your kind words :)

@gsmet gsmet modified the milestones: 2.15 - main, 2.14.1.Final Nov 5, 2022
gsmet pushed a commit to gsmet/quarkus that referenced this issue Nov 5, 2022
(cherry picked from commit e1ae1d8)
iocanel pushed a commit to iocanel/quarkus that referenced this issue Nov 7, 2022
@gsmet gsmet modified the milestones: 2.14.1.Final, 2.13.6.Final Dec 14, 2022
gsmet pushed a commit to gsmet/quarkus that referenced this issue Dec 14, 2022
(cherry picked from commit e1ae1d8)