Provide redirect support for UI auth, Qute template redirection

[GregJohnStewart]

Description

I am using Qute to implement a web ui in the following way:

@Slf4j
@Path("/")
@Tags({@Tag(name = "UI")})
@RequestScoped
@Produces(MediaType.TEXT_HTML)
public class Index extends UiProvider {

    @Inject
    @Location("webui/pages/index")
    Template index;
    @Inject
    @Location("webui/pages/overview")
    Template overview;

    @Inject
    UserService userService;

    @Inject
    JsonWebToken jwt;

    @GET
    @PermitAll
    @Produces(MediaType.TEXT_HTML)
    public TemplateInstance index(
            @Context SecurityContext securityContext
    ) {
        logRequestContext(jwt, securityContext);
        return index.instance();
    }

    @GET
    @Path("overview")
    @RolesAllowed("user")
    @Produces(MediaType.TEXT_HTML)
    public TemplateInstance overview(
            @Context SecurityContext securityContext
    ) {
        logRequestContext(jwt, securityContext);
        return overview.instance();
    }
}

I am getting jwt authentication through a cookie and restricting access to web pages via @RolesAllowed. This works as intended, except for a user whose cookie or token expires and tries to go to /overview, the page simply doesn't load at all. Ideally there would be a way to specify "if no auth, redirect to this URL", so the user would be able to login. I know I could rework how I am using the JWT's to implement by hand, but I feel like this shouldn't be necessary.

Additionally, on a similar note, it is hard to do redirects when using Qute templates. With a normal endpoint, returning a Response, I could return the applicable response. When returning a straight TemplateBuilder though, that makes it hard. I could probably throw a custom exception and handle it and provide the redirect there, but that feels annoying and might want an easier way to do it.

Implementation ideas

No-Auth Redirection idea:

    @GET
    @Path("overview")
    @RolesAllowed("user")

    @UnauthRedirect("/login") // suggested annotation, provides a url/ endpoint to go to to when not authrorized (no jwt/ no role/ expired, etc)

    @Produces(MediaType.TEXT_HTML)
    public TemplateInstance overview(
            @Context SecurityContext securityContext
    ) {
        logRequestContext(jwt, securityContext);
        return overview.instance();
    }

Redirect for Qute idea:

Create an exception that is automatically handled to redirect the user of the webui to a different endpoint

@GET
    @Path("overview")
    @RolesAllowed("user")
    @Produces(MediaType.TEXT_HTML)
    public TemplateInstance overview(
            @Context SecurityContext securityContext,
            String someParameter
    ) {
        logRequestContext(jwt, securityContext);

        if(someParameter.equals("BAD")){
            throw new UiRedirect("/path/or/url");
        }

        return overview.instance();
    }

[quarkus-bot]

/cc @mkouba

[mkouba]

Hm, this is more a question of RESTEeasy/Qute integration. And I'm not an expert in this area. @FroMage and @geoand might have some ideas...

[geoand]

@FroMage is working on something that I think would address this.

[sberyozkin]

@GregJohnStewart
Are you managing it from SPA ? If yes then it would be better to handle HTTP errors at the SPA level, example, catch 401 and redirect the user to the login page of if it is 403 then show something useful to the user.
If it a direct browser access is required then you can enable the proactive authentication - which will let you capture the authentication exceptions with JAX-RS ExceptionMapper and return Response.seeOther from there (my understanding Steph is doing something similar in his project).

[GregJohnStewart]

@sberyozkin SPA? And that might be an option, except this service also has regular rest endpoints I would rather not have redirected.

Similarly, the proactive seems to be a blanket for the entire service, where I would prefer a more programmatic, per-endpoint approach

[sberyozkin]

@GregJohnStewart
In case of SPA you'd not get the regular endpoints invoked so you'd not get those errors.
With ExceptionMapper you can have UriInfo injected and make it per endpoint specific.
A dedicated annotation can be of interest as well, sure - but a workaround is possible now

[sberyozkin]

Note though it would not make much sense to redirect in case of 403 IMHO. So an annotation to deal with 401s would not help to cover what happens with 403 - the token is valid, the user just has no required role - so a message would be better IMHO in case of 403s - which can be sorted by the use of ExceptionMapper or at the SPA level and if you do that then managing 401s at that level may not seem like a bad idea after all :-).

[GregJohnStewart]

@sberyozkin remember that we are talking specifically for web UI's :)
As a user I want to be sent to a login screen rather than come up to a blank screen

[sberyozkin]

@GregJohnStewart

As a user I want to be sent to a login screen rather than come up to a blank screen

Not sure which of my comments assumed it ?

[GregJohnStewart]

@sberyozkin Sorry, didn't mean to sound snarky. I had assumed your previous message was more general rest focused.