Add Interceptor based @RolesAllowed

jakartaee / security

Jakarta Security

https://projects.eclipse.org/projects/ee4j.security

Other

45 stars 39 forks source link

Add Interceptor based @RolesAllowed #295

Open arjantijms opened 11 months ago

arjantijms commented 11 months ago

The Jakarta platform included the @RolesAllowed annotation (via commons annotation), but it's only used and defined by Enterprise Beans in Jakarta (and in JWT in MicroProfile).

We would like to introduce an interceptor based version of this, that largely does what @RolesAllowed does, but owned by Jakarta Security, being an interceptor (so can be composed and will be automatically applied by CDI), and having some additional features not directly supported by @RolesAllowed.

Specifically needed is the distinction to throw an exception when the caller of the annotated method is not the correct role, or to trigger authenticate (in a web context). See SecurityContext#authenticate for details on triggering authentication.

OndroMih commented 10 months ago

Would it be OK to also support the existing @RolesAllowed annotation, which is in the Common annotations spec? Or, maybe even better, to modify the existing RolesAllowed annotation directly in the Commons annotations spec to make it an interceptor binding annotation, and add some optoinal attributes, e.g. to set the behavior when the caller doesn't have the required role.

I think that it's better to reuse the existing annotation if possible, rather than introducing a new annotation. Even if that means we need to make the change in the Common annotations spec.

arjantijms commented 10 months ago

The new annotation could have extra attributes to set the "trigger authentication mechanism" or "throw exception" when not authenticated.

We don't necessarily need to update common annotations to support the existing RolesAllowed though. A CDI extension can pick it up, and then add an interceptor manually. With binding this just happens automatically, and without binding we need to do it ourselves.

OndroMih commented 10 months ago

Yes, that's true.

Then I would be for using the existing @RolesAllowed annotation and activate an interceptor from a CDI extension. We can support additional properties via another annotation, like:

@RolesAllowed("admin")
@ActionWhenDenied(TRIGGER_AUTH)
public class AdminCommands { ...
}

arjantijms commented 10 months ago

That's certainly an option to be considered; an extra annotation to finetune behaviour.