forked from quarkusio/quarkus
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
RESTEasy Reactive - Prevent repeated security checks
closes: quarkusio#26536
- Loading branch information
1 parent
d924e6f
commit 55d7353
Showing
8 changed files
with
172 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 changes: 16 additions & 0 deletions
16
.../src/test/java/io/quarkus/resteasy/reactive/server/test/security/RolesAllowedService.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
package io.quarkus.resteasy.reactive.server.test.security; | ||
|
||
import javax.annotation.security.RolesAllowed; | ||
import javax.enterprise.context.ApplicationScoped; | ||
|
||
@ApplicationScoped | ||
public class RolesAllowedService { | ||
|
||
public static final String SERVICE_HELLO = "Hello from Service!"; | ||
|
||
@RolesAllowed("admin") | ||
public String hello() { | ||
return SERVICE_HELLO; | ||
} | ||
|
||
} |
21 changes: 21 additions & 0 deletions
21
...t/java/io/quarkus/resteasy/reactive/server/test/security/RolesAllowedServiceResource.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
package io.quarkus.resteasy.reactive.server.test.security; | ||
|
||
import javax.annotation.security.RolesAllowed; | ||
import javax.inject.Inject; | ||
import javax.ws.rs.GET; | ||
import javax.ws.rs.Path; | ||
|
||
@Path("/roles-service") | ||
public class RolesAllowedServiceResource { | ||
|
||
@Inject | ||
RolesAllowedService rolesAllowedService; | ||
|
||
@Path("/hello") | ||
@RolesAllowed({ "user", "admin" }) | ||
@GET | ||
public String getServiceHello() { | ||
return rolesAllowedService.hello(); | ||
} | ||
|
||
} |
80 changes: 80 additions & 0 deletions
80
...in/java/io/quarkus/resteasy/reactive/server/runtime/StandardSecurityCheckInterceptor.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
package io.quarkus.resteasy.reactive.server.runtime; | ||
|
||
import static io.quarkus.security.spi.runtime.SecurityHandlerConstants.EXECUTED; | ||
import static io.quarkus.security.spi.runtime.SecurityHandlerConstants.SECURITY_HANDLER; | ||
|
||
import java.lang.reflect.Method; | ||
|
||
import javax.annotation.Priority; | ||
import javax.annotation.security.DenyAll; | ||
import javax.annotation.security.PermitAll; | ||
import javax.annotation.security.RolesAllowed; | ||
import javax.inject.Inject; | ||
import javax.interceptor.AroundInvoke; | ||
import javax.interceptor.Interceptor; | ||
import javax.interceptor.InvocationContext; | ||
|
||
import org.jboss.resteasy.reactive.server.core.CurrentRequestManager; | ||
|
||
import io.quarkus.security.Authenticated; | ||
import io.quarkus.security.spi.runtime.AuthorizationController; | ||
import io.quarkus.security.spi.runtime.MethodDescription; | ||
|
||
/** | ||
* Security checks for RBAC annotations on endpoints are done by | ||
* the {@link io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler}, | ||
* this interceptor propagates the information to the SecurityHandler to prevent repeated checks. The {@link DenyAll} | ||
* security check is performed just once. | ||
*/ | ||
public abstract class StandardSecurityCheckInterceptor { | ||
|
||
public static final String STANDARD_SECURITY_CHECK_INTERCEPTOR = StandardSecurityCheckInterceptor.class.getName(); | ||
|
||
@Inject | ||
AuthorizationController controller; | ||
|
||
@AroundInvoke | ||
public Object intercept(InvocationContext ic) throws Exception { | ||
if (controller.isAuthorizationEnabled() && CurrentRequestManager.get() != null | ||
&& alreadyDoneByEagerSecurityHandler( | ||
CurrentRequestManager.get().getProperty(STANDARD_SECURITY_CHECK_INTERCEPTOR), ic.getMethod())) { | ||
ic.getContextData().put(SECURITY_HANDLER, EXECUTED); | ||
} | ||
return ic.proceed(); | ||
} | ||
|
||
private boolean alreadyDoneByEagerSecurityHandler(Object methodWithFinishedChecks, Method method) { | ||
// compare methods: EagerSecurityHandler only intercept endpoints, we still want SecurityHandler run for CDI beans | ||
return methodWithFinishedChecks != null && MethodDescription.ofMethod(method).equals(methodWithFinishedChecks); | ||
} | ||
|
||
/** | ||
* Prevent the SecurityHandler from performing {@link RolesAllowed} security checks | ||
*/ | ||
@Interceptor | ||
@RolesAllowed("") | ||
@Priority(Interceptor.Priority.PLATFORM_BEFORE) | ||
public static final class RolesAllowedInterceptor extends StandardSecurityCheckInterceptor { | ||
|
||
} | ||
|
||
/** | ||
* Prevent the SecurityHandler from performing {@link javax.annotation.security.PermitAll} security checks | ||
*/ | ||
@Interceptor | ||
@PermitAll | ||
@Priority(Interceptor.Priority.PLATFORM_BEFORE) | ||
public static final class PermitAllInterceptor extends StandardSecurityCheckInterceptor { | ||
|
||
} | ||
|
||
/** | ||
* Prevent the SecurityHandler from performing {@link Authenticated} security checks | ||
*/ | ||
@Interceptor | ||
@Authenticated | ||
@Priority(Interceptor.Priority.PLATFORM_BEFORE) | ||
public static final class AuthenticatedInterceptor extends StandardSecurityCheckInterceptor { | ||
|
||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
15 changes: 15 additions & 0 deletions
15
...y/runtime-spi/src/main/java/io/quarkus/security/spi/runtime/SecurityHandlerConstants.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
package io.quarkus.security.spi.runtime; | ||
|
||
public class SecurityHandlerConstants { | ||
|
||
/** | ||
* Invocation context data key used by the SecurityHandler to save a security checks state | ||
*/ | ||
public static final String SECURITY_HANDLER = "io.quarkus.security.securityHandler"; | ||
|
||
/** | ||
* The SecurityHandler keep a state of security checks in the Invocation context data to prevent repeated checks. | ||
* `executed` means the check has already been done. | ||
*/ | ||
public static final String EXECUTED = "executed"; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters