Closed
Description
opened on Sep 12, 2024
A JAX-RS endpoint can be secured with a custom Permission using the @PermissionsAllowed annotation. Which parameters of the JAX-RS method are passed to the Permission constructor can be defined with the params property of the PermissionsAllowed annotation.
In the following example the path-param 'id' UUID-param is passed to the Permission-class constructor-param 'aOrganizationUnitId'.
```java
@GET
@Path("{id}/2params")
@PermissionsAllowed(value = "read", permission = OrganizationUnitIdPermission.class, params = "id")
public OrganizationUnit find2(@PathParam("id") UUID aOrganizationUnitId, @QueryParam("second") UUID aSecondUUIDParam) {
    ...
}

public class OrganizationUnitIdPermission extends Permission {
    private final UUID organizationUnitId;

    public OrganizationUnitIdPermission(String aName, String[] aActions, UUID aOrganizationUnitId) {
        super(aName);
        organizationUnitId = aOrganizationUnitId;
    }
    ...
```
This currently does not work with @BeanParam parameters. The attempt to secure a BeanParam JAX-RS method like here:
```java
@GET
@Path("{id}/beanparam")
@PermissionsAllowed(value = "read", permission = OrganizationUnitIdPermission.class, params = "id")
public OrganizationUnit findBeanParam(@BeanParam PermissionParam aBeanParam) {
    return new OrganizationUnit().setName("TESTDUMMY");
}

public class PermissionParam {
    @PathParam("id") UUID organizationUnitId;
    @QueryParam("second") UUID secondUUIDParam;
}
```
fails with
```
Failed to build quarkus application: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
[error]: Build step io.quarkus.security.deployment.SecurityProcessor#gatherSecurityChecks threw an exception: java.lang.RuntimeException: No 'findBeanParam' formal parameter name matches 'io.gec.smom.sample.boundary.OrganizationUnitIdPermission' constructor parameter name 'aOrganizationUnitId' specified via '@PermissionsAllowed#params'
    at io.quarkus.security.deployment.PermissionSecurityChecks$PermissionSecurityChecksBuilder$PermissionCacheKey.userDefinedConstructorParamIndexes(PermissionSecurityChecks.java:652)
    at io.quarkus.security.deployment.PermissionSecurityChecks$PermissionSecurityChecksBuilder$PermissionCacheKey.<init>(PermissionSecurityChecks.java:621)
    at io.quarkus.security.deployment.PermissionSecurityChecks$PermissionSecurityChecksBuilder.createPermission(PermissionSecurityChecks.java:408)
    at io.quarkus.security.deployment.PermissionSecurityChecks$PermissionSecurityChecksBuilder.createPermissionPredicates(PermissionSecurityChecks.java:149)
    at io.quarkus.security.deployment.SecurityProcessor.gatherSecurityAnnotations(SecurityProcessor.java:733)
    at io.quarkus.security.deployment.SecurityProcessor.gatherSecurityChecks(SecurityProcessor.java:580)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:733)
    at io.quarkus.deployment.ExtensionLoader$3.execute(ExtensionLoader.java:854)
    at io.quarkus.builder.BuildContext.run(BuildContext.java:256)
    at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
    at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
    at java.base/java.lang.Thread.run(Thread.java:1570)
    at org.jboss.threads.JBossThread.run(JBossThread.java:483)
```
There is afaik no way to bind the beanParam-property of the JAX-RS-method to the constructor-param of the Permission.
Implementation ideas
No response
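A possible way to keep the endpoint protected while the annotation cannot see into the bean, as an added example that is not part of the original report or of Quarkus itself: run the permission check programmatically through the injected `SecurityIdentity`. It assumes the issue's `OrganizationUnit`, `PermissionParam` and `OrganizationUnitIdPermission` classes are in the same package as the resource (the bean's fields are package-private); the resource class name, base path and `requireRead` helper are hypothetical.

```java
import io.quarkus.security.ForbiddenException;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.inject.Inject;
import jakarta.ws.rs.BeanParam;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

@Path("organization-units") // hypothetical base path, not from the issue
public class OrganizationUnitResource { // hypothetical class name

    @Inject
    SecurityIdentity identity;

    @GET
    @Path("{id}/beanparam")
    public OrganizationUnit findBeanParam(@BeanParam PermissionParam aBeanParam) {
        // Check first, before any data is loaded or returned.
        requireRead(aBeanParam);
        return new OrganizationUnit().setName("TESTDUMMY");
    }

    // Explicit stand-in for the annotation-driven check: build the custom
    // permission from the bean's field and ask the current identity.
    private void requireRead(PermissionParam aBeanParam) {
        if (identity.isAnonymous()) {
            // No credentials presented: answer 401 rather than 403.
            throw new UnauthorizedException();
        }
        OrganizationUnitIdPermission required = new OrganizationUnitIdPermission(
                "read", new String[0], aBeanParam.organizationUnitId);
        // Blocking variant; on an event-loop endpoint use
        // identity.checkPermission(required), which returns Uni<Boolean>.
        if (!identity.checkPermissionBlocking(required)) {
            // Authenticated, but not permitted for this organization unit.
            throw new ForbiddenException();
        }
    }
}
```

Because the check is no longer declared by annotation, a method that forgets to call `requireRead` is silently unprotected, so each such endpoint needs a test that asserts the 401 and 403 responses.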