Open ChMThiel opened 5 days ago
/cc @pedroigor (bearer-token)
cc @FroMage
I think we should do that. Will put this on my list. One thing I am not sure is id
you used in params = "id"
. In your example, it refers to @PathParam("id")
, but so far, params
always refer to the formal parameter name. I think it could be confusing. Maybe we could do either aBeanParam.organizationUnitId
or simply organizationUnitId
. The latter could be ambiguous. I'd prefer aBeanParam.organizationUnitId
. Thoughts?
IMHO the parameter-naming conventions should be the same, regardless if it is a directly defined method-parameter or capsulated in a BeanParam. In my tests, i used the same String used as @PathParam-name in the @PermissionAllowed-params:
@GET
@Path("{id}/2params")
@PermissionsAllowed(value = "read", permission = OrganizationUnitIdPermission.class, params = "id")
public OrganizationUnit find2(@PathParam("id") UUID aOrganizationUnitId, @QueryParam("second") UUID aSecondUUIDParam) {
...
}
I just checked: using aOrganizationUnit
as params also works.
I don't know if that is correct by any definition, but it's convinient :wink:
In my tests, i used the same String used as @PathParam-name in the @PermissionAllowed-params:
yeah, honestly, I really hoped your example was a typo. I wrote decent Javadoc to it that describes expected behavior https://github.com/quarkusio/quarkus-security/blob/main/src/main/java/io/quarkus/security/PermissionsAllowed.java#L156
I think I forgot to add validation exception when id
is not found and there is at least one UUID
. The aOrganizationUnitId
is chosen because it has the first parameter type assignable to UUID
and inside your OrganizationUnitIdPermission
you have matching name in constructor: UUID aOrganizationUnitId
TL;DR; it's documented and works for you as expected, but I think we need to inform user if he specifically types id
and it's not found.
I'll add it when I get to implementing this issue (which won't be immediately). It's more of user experience improvement than bug.
I'd expect you can just drop params = id
and it will work anyway on the same principle, but aOrganizationUnitId
would be right value if you don't want to rely on order of params.
TL;DR; it's documented and works for you as expected, but I think we need to inform user if he specifically types
id
and it's not found.
👍
Seeing this, I'm curious about how you populate your user's permissions. Out of curiosity, @ChMThiel how do you add the permissions to you user identity for all the aOrganizationUnitId
? Are these coming from Keycloak or a DB or what exactly?
I'd prefer aBeanParam.organizationUnitId. Thoughts?
@michalvavrik agreed.
Seeing this, I'm curious about how you populate your user's permissions. Out of curiosity, @ChMThiel how do you add the permissions to you user identity for all the
aOrganizationUnitId
? Are these coming from Keycloak or a DB or what exactly?
We are currently workin on a POC for restricting User's access to certain OrganizationUnits. Which user may acces what will be stored in a DB.
OK, so you have those stored in your DB, so they're in your model. Thanks.
Description
A JAX-RS endpoint can be secured with a custom Permission with @PermissionAllowed annotation. Which parameters of the JAX-RS-method are passed to the Permission-constructor can be defined with the params-property of the PermissionAllowed annotation.
In following example the path-param 'id' UUID-param is passed to the Permission-class constructor-param 'aOrganizationUnitId'.
This works currently not with @BeanParam parameters. The attempt to secure a BeanParam-JAX-RS method like here:
fails with
There is afaik no way to bind the beanParam-property of the JAX-RS-method to the constructor-param of the Permission.
Implementation ideas
No response