JIRA links:
- https://issues.redhat.com/browse/QUARKUS-2788 - Support setting the RolesAllowed in the Panache REST Data extension
- https://issues.redhat.com/browse/QUARKUS-2786 - Propagate the javax.annotation.security annotations in REST Data
Quarkus documentation:
- https://quarkus.io/version/main/guides/rest-data-panache
- https://quarkus.io/version/main/guides/security-overview-concept
- https://quarkus.io/version/main/guides/spring-data-rest
Related test plans:
- https://github.com/quarkus-qe/quarkus-test-plans/blob/main/QUARKUS-2390.md
- https://github.com/quarkus-qe/quarkus-test-plans/blob/main/QUARKUS-2388.md
This test plan covers 2 JIRA tickets which are closely related (see JIRA links above).
Both topics deal with integration of REST Data Panache and annotation-based security supported by Quarkus and provided
by annotations within the package javax.annotation.security
:
- QUARKUS-2786 enables propagation of the security annotations defined on Panache resource
(
PanacheEntityResource
,PanacheRepositoryResource
) into generated JAX-RS resources.- This works for extensions built on top of
quarkus-rest-data-panache
:quarkus-hibernate-orm-rest-data-panache
quarkus-hibernate-reactive-rest-data-panache
(experimental)quarkus-mongodb-rest-data-panache
(experimental)quarkus-spring-data-rest
- the feature is not documented in the extension's guide
- This works for extensions built on top of
- QUARKUS-2788 adds
rolesAllowed
attribute into the@ResourceProperties
and@MethodProperties
annotations (provided byquarkus-rest-data-panache
), which can serve as an alternative way of specifying access permission to the resources.- This also works for all extensions built on top of
quarkus-rest-data-panache
exceptquarkus-spring-data-rest
, since the annotations are not applicable to Spring repositories.
- This also works for all extensions built on top of
No existing test coverage which would actually test resource access has been found. The upstream integration tests only verify security scheme via OpenAPI integration.
Add a set of secured resources + security scenario + OpenShift security scenario into existing modules in Quarkus QE TS:
quarkus-hibernate-orm-rest-data-panache
- modulesql-db/panache-flyway
quarkus-spring-data-rest
- modulespring/spring-data
The set of resources and their related tests could be inspired by the security coverage in module security/basic
.
It should in any case cover all positive and negative test cases that arise from usage of the security annotations:
@RolesAllowed
@DenyAll
@PermitAll
io.quarkus.rest.data.panache.ResourceProperties#rolesAllowed
(not applicable toquarkus-spring-data-rest
)io.quarkus.rest.data.panache.MethodProperties#rolesAllowed
(not applicable toquarkus-spring-data-rest
)
Coverage for experimental extensions - for the future, not within the scope of this plan:
quarkus-hibernate-reactive-rest-data-panache
quarkus-mongodb-rest-data-panache
2 new scenarios (in 2 modules), each one will increase the execution time by circa: 2 / 5 / 4 / 8 minutes in JVM / native / OpenShift JVM / OpenShift native mode.
No other impacts are expected.