Description
Sometimes, users would like to do something like

```java
import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

// Class-level role requirement that should also apply to every method below it
@RolesAllowed("a")
@Path("service")
public class Service {

    // Method-level role requirement
    @RolesAllowed("b")
    @GET
    public String get() {
        return "hello";
    }
}
```

and have the `get()` method accessible only to identities with both the `a` and `b` roles, in cases where there are a lot of methods and adding `a` to every method where `a` is needed can be error prone and tedious.
Users can already do it with HTTP policy configurations: https://quarkus.io/guides/security-authorize-web-endpoints-reference#shared-permission-checks

But going this route duplicates an effort already done with declaring `@Path` and `@RolesAllowed` annotations... We had a rather long discussion with Michal a while back and I thought we eventually agreed it could make sense to optimize it for the security-based annotations only.
Implementation ideas
Try to do it similarly to how mapping of the roles can be done: users have an option to use HTTP policy configuration, which works best when no security annotations are used, but they can also create a simple map such as `quarkus.http.auth.roles-mapping.admin=Admin1`, and now a security identity with the `admin` role will be allowed to access any JAX-RS method with `@RolesAllowed("Admin1")`.
Perhaps:

```properties
quarkus.http.auth.shared-roles=a,b,c
```

which means that whenever an annotation like `@RolesAllowed("a")` is seen, it is applied to all subpaths under a given path.

Starting with support for sharing class-level `@RolesAllowed` this way would be a good start IMHO, as shown in the issue description. Later we can do the same for `@PermissionsAllowed` and `@AuthorizationPolicy`.
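As an added illustration (not part of the issue or of Quarkus itself), this is how the requirement for role `a` on everything under the class path can be expressed today with a shared HTTP permission check, leaving only the method-specific `b` to the annotation; the `/service/*` path, the policy name `role-a` and the permission name `service-shared` are assumed for the example:

```properties
# Added example (not from the issue): require role "a" on every request under /service
# through a shared HTTP permission check, so the class-level @RolesAllowed("a") is not needed.
# Policy name "role-a" and permission name "service-shared" are chosen for this example.
quarkus.http.auth.policy.role-a.roles-allowed=a

quarkus.http.auth.permission.service-shared.paths=/service/*
quarkus.http.auth.permission.service-shared.policy=role-a
# shared=true makes this check run in addition to, not instead of, other permission
# checks matching the same path; the method-level @RolesAllowed("b") is still enforced.
quarkus.http.auth.permission.service-shared.shared=true
```

A caller of `get()` must then hold both `a` and `b`; the drawback the issue raises is that the `/service` path is now declared twice, once in `@Path` and once in configuration.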