How to map permissions to roles through @PermissionsAllowed and @RolesAllowed annotations

Question

The guide: security-authorize-web-endpoints-reference

    package org.acme; // package, imports and class wrapper added so the guide snippet is a complete resource

    import jakarta.ws.rs.GET;
    import jakarta.ws.rs.POST;
    import jakarta.ws.rs.Path;
    import io.quarkus.security.PermissionsAllowed;

    @Path("/crud") // matches the /crud/modify/* and /crud/id/* paths used in the policy below
    public class CrudResource {

        // inclusive = true: the identity must hold BOTH "create" and "update"
        @PermissionsAllowed(value = {"create", "update"}, inclusive = true)
        @POST
        @Path("/modify/inclusive")
        public String createOrUpdate(Long id) {
            return id + " modified";
        }

        // default (inclusive = false): ANY one of the listed permissions is enough
        @PermissionsAllowed({"see:detail", "see:all", "read"})
        @GET
        @Path("/id/{id}")
        public String getItem(String id) {
            return "item-detail-" + id;
        }
    }
    quarkus.http.auth.policy.role-policy1.permissions.user=see:all
    quarkus.http.auth.policy.role-policy1.permissions.admin=create,update,read
    quarkus.http.auth.permission.roles1.paths=/crud/modify/*,/crud/id/*
    quarkus.http.auth.permission.roles1.policy=role-policy1

Add the permission see with action all to a SecurityIdentity that holds the role user. As with the @PermissionsAllowed annotation, io.quarkus.security.StringPermission is used by default.
The permissions create, update and read are mapped to the role admin.

The guides say that permissions can be mapped to roles.

But when I use both @PermissionsAllowed and @RolesAllowed annotations to achieve the same function, a program error occurs. This confuses me: why does using the configuration file work fine, but using the annotations gives an error?

Can anyone tell me how to use annotations to achieve the same effect as in the guides?

Code and error:

    package org.acme; // package, imports and class-level @Path added so the snippet compiles, given the asker's own ApplicationConfig and Result types

    import jakarta.annotation.security.RolesAllowed;
    import jakarta.inject.Inject;
    import jakarta.ws.rs.GET;
    import jakarta.ws.rs.Path;
    import jakarta.ws.rs.Produces;
    import jakarta.ws.rs.core.MediaType;
    import io.quarkus.security.PermissionsAllowed;

    @Path("/")
    public class ReadyResource {
      @Inject private ApplicationConfig applicationConfig;

      @GET
      @Path("ready2")
      @PermissionsAllowed("read")   // combining these two security annotations on one method
      @RolesAllowed("User")         // is what makes the Quarkus build fail (see the trace below)
      @Produces(MediaType.APPLICATION_JSON)
      public Result<ApplicationConfig> getReady2() {
        return Result.ofSuccess(applicationConfig);
      }
    }
    2023-05-14 13:19:05,464 ERROR [io.qua.dep.dev.IsolatedDevModeMain] (main) Failed to start quarkus: java.lang.RuntimeException: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
        [error]: Build step io.quarkus.security.deployment.SecurityProcessor#gatherSecurityChecks threw an exception: java.lang.IllegalStateException: Method hello of class org.acme.GreetingResource2 is annotated with multiple security annotations
        at io.quarkus.security.deployment.PermissionSecurityChecks$PermissionSecurityChecksBuilder.gatherPermissionsAllowedAnnotations(PermissionSecurityChecks.java:216)
        at io.quarkus.security.deployment.SecurityProcessor.gatherSecurityAnnotations(SecurityProcessor.java:673)
        at io.quarkus.security.deployment.SecurityProcessor.gatherSecurityChecks(SecurityProcessor.java:527)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
        at java.base/java.lang.reflect.Method.invoke(Method.java:578)
        at io.quarkus.deployment.ExtensionLoader$3.execute(ExtensionLoader.java:909)
        at io.quarkus.builder.BuildContext.run(BuildContext.java:282)
        at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at java.base/java.lang.Thread.run(Thread.java:1623)
        at org.jboss.threads.JBossThread.run(JBossThread.java:501)

Answer 1

Score: 2


+1 to Sergey's comment.

> But when I use both @PermissionsAllowed and @RolesAllowed annotations to achieve the same function, a program error occurs. This confuses me: why does using the configuration file work fine, but using the annotation gives an error?

You didn't share the error message, but I am pretty sure it is a validation error you see, and it comes from the fact that security annotations like @PermissionsAllowed, @RolesAllowed and others can't be combined on the same method or class.

> This confuses me: why does using the configuration file work fine, but using the annotation gives an error? Can anyone tell me how to use annotations to achieve the same effect as in the guides?

Currently there is no way to map roles to permissions via annotations; you can always open an issue in the Quarkus project. Annotations are there to say "this method/class should be secured". Let's have a look at their JavaDoc, which goes into detail.

Answer 2

Score: 1

As long as @RolesAllowed is not used in combination with other security annotations on the same method or class, everything works fine.

This restriction is just too inconvenient.

    package org.acme; // package and imports added so the snippet compiles; annotations unchanged

    import jakarta.annotation.security.RolesAllowed;
    import jakarta.ws.rs.GET;
    import jakarta.ws.rs.Path;
    import jakarta.ws.rs.Produces;
    import jakarta.ws.rs.core.MediaType;
    import io.quarkus.security.PermissionsAllowed;

    @Path("/hello1")
    @RolesAllowed("user")
    public class GreetingResource1 {
        /**
         * work properly
         */
        @GET
        @PermissionsAllowed("see:read")
        @Produces(MediaType.TEXT_PLAIN)
        public String hello() {
            return "Hello RESTEasy";
        }
    }

Answer 3

Score: 1


I don't seem to be reputable enough to add a comment :-), so I'll answer you, JackyAnn, here:

> As long as @RolesAllowed is not used in combination with other security annotations on the same method or class, everything works fine

> This restriction is just too inconvenient.

>     @Path("/hello1")
>     @RolesAllowed("user")
>     public class GreetingResource1 {
>         @GET
>         /**
>          * work properly
>          */
>         @PermissionsAllowed("see:read")
>         @Produces(MediaType.TEXT_PLAIN)
>         public String hello() {
>             return "Hello RESTEasy";
>         }
>     }

Your example won't work either, as only @PermissionsAllowed is applied, not @RolesAllowed. This behavior follows the documented Jakarta behavior (https://github.com/jakartaee/common-annotations-api/blob/0e6318ac2716c463b33cceff191c9639c73e80ca/api/src/main/java/jakarta/annotation/security/RolesAllowed.java#L29): "If applied at both the class and methods level, the method value overrides the class value if the two conflict."

Currently, you have 3 options:

  • use only @RolesAllowed
  • use only @PermissionsAllowed and map roles to permissions (permissions are somewhat more volatile, and you can have a different roles <-> permissions mapping per app instance)
  • combine the HTTP Roles Security Policy, where you specify the required role, with @PermissionsAllowed, where you specify the required permission (that example is also in the Quarkus docs)

And I hear you about the inconvenience, but that's a matter of opinion.
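As an added example of the third option (written for this page; it is not code from the question, from the answers, or from the Quarkus project), the role requirement is moved out of the annotation and into an HTTP role policy in application.properties. The same policy both requires a role for the path and maps that role to permissions, so the resource carries only @PermissionsAllowed and the "multiple security annotations" build failure from the question cannot occur. The package, class name, paths, policy name and the role/permission names are assumed, as is a Quarkus 3 (jakarta.*) setup; the properties are shown as a comment so the example stays a single Java file.

```java
package org.acme; // hypothetical package

import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import io.quarkus.security.PermissionsAllowed;
import io.quarkus.security.identity.SecurityIdentity;

/*
 * application.properties (assumed values):
 *
 *   # 1) HTTP role policy: the role requirement that @RolesAllowed used to express.
 *   #    Requests to /ready/* must carry role "user" or "admin"; any other request is
 *   #    rejected before the resource method is reached.
 *   quarkus.http.auth.policy.ready-policy.roles-allowed=user,admin
 *
 *   # 2) Role -> permission mapping for the same policy. An identity with role "user"
 *   #    gains permission "see" with action "all"; "admin" gains create, update and read.
 *   #    io.quarkus.security.StringPermission is used by default, as in the guide.
 *   quarkus.http.auth.policy.ready-policy.permissions.user=see:all
 *   quarkus.http.auth.policy.ready-policy.permissions.admin=create,update,read
 *
 *   # 3) Apply the policy to this resource's paths.
 *   quarkus.http.auth.permission.ready.paths=/ready/*
 *   quarkus.http.auth.permission.ready.policy=ready-policy
 */
@Path("/ready") // hypothetical resource standing in for the ReadyResource from the question
public class ReadyResource {

    @Inject
    SecurityIdentity identity;

    // Exactly ONE security annotation per method: the role check lives in the HTTP policy
    // above, so the build no longer fails with "annotated with multiple security annotations".
    // Default (inclusive = false): holding ANY listed permission is enough, so both a "user"
    // identity (see:all) and an "admin" identity (read) may call this method.
    @GET
    @Path("/status")
    @PermissionsAllowed({"see:all", "read"})
    @Produces(MediaType.TEXT_PLAIN)
    public String status() {
        return "ready, seen by " + identity.getPrincipal().getName();
    }

    // inclusive = true: BOTH "create" and "update" are required, so only "admin" passes.
    // A "user" identity satisfies the role policy (it reaches the permission check) but is
    // then refused with 403 because it holds neither permission.
    @POST
    @Path("/reload")
    @PermissionsAllowed(value = {"create", "update"}, inclusive = true)
    @Produces(MediaType.TEXT_PLAIN)
    public String reload() {
        return "reloaded by " + identity.getPrincipal().getName();
    }
}
```

Because the role -> permission mapping lives in configuration, each deployment can grant a role a different set of permissions without touching the annotated code, which is the point made in the second option above.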

huangapple
  • Posted on 2023-05-13 10:57:03
  • Please keep this link when reposting: https://go.coder-hub.com/76240892.html