Enhancements and fixes for the Authorization of Web Endpoints section #30549

Merged
Expand Up @@ -3,8 +3,8 @@ This guide is maintained in the main Quarkus repository
and pull requests should be submitted there:
https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
////
[id="security-authorization-of-web-endpoints-reference"]
= Authorization of Web Endpoints
[id="security-authorize-web-endpoints-reference"]
= Authorize web endpoints
include::_attributes.adoc[]
:categories: security,web
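Review bot: the `[id=...]` change on the first two lines of this hunk renames the page anchor from `security-authorization-of-web-endpoints-reference` to `security-authorize-web-endpoints-reference`, and the xref updates in the other files of this PR show the `.adoc` file name changes with it, so any bookmarked or externally linked URL for the old guide will stop resolving. Please confirm the file rename is part of this PR and add a redirect from the old page URL to the new one where the docs site supports it, so existing links keep working.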

Expand Down Expand Up @@ -65,7 +65,7 @@ This is an exact path match as it does not end with `*`.
`roles1` is an example name; you can call the permission sets whatever you want.


=== Matching on paths, methods
=== Matching on paths and methods

Permission sets can also specify paths and methods as a comma-separated list.
If a path ends with the `*` wildcard, the query it generates matches all sub-paths.
Expand Down Expand Up @@ -163,12 +163,12 @@ quarkus.http.auth.permission.roles2.policy=admin-policy1

TIP: Given the above permission set, `GET /api/foo` would match both permission sets' paths, requiring both the `user` and `admin` roles.

=== Configuration Properties to Deny access
=== Configuration properties to deny access

The following configuration settings alter the RBAC Deny behavior:
The following configuration settings alter the role-based access control (RBAC) denying behavior:

`quarkus.security.jaxrs.deny-unannotated-endpoints=true|false`::
If set to true, the access will be denied for all JAX-RS endpoints by default, so if a JAX-RS endpoint does not have any security annotations, it will default to the `@DenyAll` behavior.
If set to true, access is denied for all JAX-RS endpoints by default. If a JAX-RS endpoint does not have any security annotations, it defaults to the `@DenyAll` behavior.
This is useful to ensure you cannot accidentally expose an endpoint that is supposed to be secured.
Defaults to `false`.
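Review bot: the rewritten description of `quarkus.security.jaxrs.deny-unannotated-endpoints` splits one conditional into two sentences, and the first now reads as if access is denied for every JAX-RS endpoint rather than only the unannotated ones. Suggest keeping the scope in a single sentence, for example: `If set to true, JAX-RS endpoints that have no security annotations are denied by default; such endpoints behave as if annotated with @DenyAll.` Keeping "JAX-RS" in that sentence also makes clear that the property does not cover other kinds of HTTP endpoints, which matters for anyone relying on it as a safety net.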

4 changes: 2 additions & 2 deletions docs/src/main/asciidoc/security-keycloak-authorization.adoc
Expand Up @@ -388,11 +388,11 @@ Note that, depending on how many resources you have in Keycloak the time taken t

In the default configuration, Keycloak is responsible for managing the roles and deciding who can access which routes.

To configure the protected routes using the `@RolesAllowed` annotation or the `application.properties` file, check the xref:security-oidc-bearer-authentication-concept.adoc[Using OpenID Connect Adapter to Protect JAX-RS Applications] and xref:security-authorization-of-web-endpoints-reference.adoc[Security Authorization] guides. For more details, check the xref:security-overview-concept.adoc[Security guide].
To configure the protected routes using the `@RolesAllowed` annotation or the `application.properties` file, check the xref:security-oidc-bearer-authentication-concept.adoc[Using OpenID Connect Adapter to Protect JAX-RS Applications] and xref:security-authorize-web-endpoints-reference.adoc[Security Authorization] guides. For more details, check the xref:security-overview-concept.adoc[Security guide].

== Access to Public Resources

If you'd like to access a public resource without `quarkus-keycloak-authorization` trying to apply its policies to it then you need to create a `permit` HTTP Policy configuration in `application.properties` as documented in the xref:security-authorization-of-web-endpoints-reference.adoc[Security Authorization] guide.
If you'd like to access a public resource without `quarkus-keycloak-authorization` trying to apply its policies to it then you need to create a `permit` HTTP Policy configuration in `application.properties` as documented in the xref:security-authorize-web-endpoints-reference.adoc[Security Authorization] guide.

Disabling a policy check using a Keycloak Authorization Policy such as:
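Review bot: both updated xrefs in this hunk change the target to `security-authorize-web-endpoints-reference.adoc` but keep the link text `Security Authorization`, which no longer matches the renamed guide title `Authorize web endpoints` introduced in the first file of this PR; suggest updating the link text (or omitting it so the target's own title is rendered) so readers are not sent to a title that no longer exists.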

Expand Up @@ -191,7 +191,7 @@ The `quarkus.oidc.client-id` property references the `client_id` issued by the O
The `quarkus.oidc.application-type` property is set to `web-app` in order to tell Quarkus that you want to enable the OpenID Connect Authorization Code Flow, so that your users are redirected to the OpenID Connect Provider to authenticate.

For last, the `quarkus.http.auth.permission.authenticated` permission is set to tell Quarkus about the paths you want to protect. In this case,
all paths are being protected by a policy that ensures that only `authenticated` users are allowed to access. For more details check xref:security-authorization-of-web-endpoints-reference.adoc[Security Authorization Guide].
all paths are being protected by a policy that ensures that only `authenticated` users are allowed to access. For more details check xref:security-authorize-web-endpoints-reference.adoc[Security Authorization Guide].

=== Starting and Configuring the Keycloak Server
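Review bot: the link text `Security Authorization Guide` on the changed line is now out of step with the renamed guide title `Authorize web endpoints`; since this paragraph is being touched anyway, the unchanged context `For last, the ... permission is set` could be corrected to `Finally, the ... permission is set`, and `only authenticated users are allowed to access` to `only authenticated users are allowed access`.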

2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-overview-concept.adoc
Expand Up @@ -238,7 +238,7 @@ If you use `Basic` or `Form` HTTP-based authentication then you must add an `Ide
== Authorization

Quarkus also supports role-based access control (RBAC).
For more information about RBAC and other authorization options in Quarkus, see xref:security-authorization-of-web-endpoints-reference.adoc[Security authorization].
For more information about RBAC and other authorization options in Quarkus, see xref:security-authorize-web-endpoints-reference.adoc[Security authorization].

== Quarkus Security customization
