From 18e893eb756e076b9a4097ea8874e30ce3b574be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Kr=C3=A1l?= Date: Wed, 14 Aug 2024 10:15:28 +0200 Subject: [PATCH] Required authorization propagated from the class level (#9137) Signed-off-by: David Kral --- .../security/SecurityDefinition.java | 1 + .../annotation/SecondAdminResource.java | 60 +++++++++++++++++++ .../security/pathparams/AdminTest.java | 30 ++++++++-- 3 files changed, 85 insertions(+), 6 deletions(-) create mode 100644 tests/integration/security/security-annotation/src/main/java/io/helidon/tests/integration/security/annotation/SecondAdminResource.java diff --git a/microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityDefinition.java b/microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityDefinition.java index c64555a3c97..4e3df064f93 100644 --- a/microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityDefinition.java +++ b/microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityDefinition.java @@ -85,6 +85,7 @@ public String toString() { SecurityDefinition copyMe() { SecurityDefinition result = new SecurityDefinition(); result.requiresAuthentication = this.requiresAuthentication; + result.requiresAuthorization = this.requiresAuthorization; result.failOnFailureIfOptional = this.failOnFailureIfOptional; result.authnOptional = this.authnOptional; result.authenticator = this.authenticator; diff --git a/tests/integration/security/security-annotation/src/main/java/io/helidon/tests/integration/security/annotation/SecondAdminResource.java b/tests/integration/security/security-annotation/src/main/java/io/helidon/tests/integration/security/annotation/SecondAdminResource.java new file mode 100644 index 00000000000..a969cdf6fb2 --- /dev/null +++ b/tests/integration/security/security-annotation/src/main/java/io/helidon/tests/integration/security/annotation/SecondAdminResource.java @@ -0,0 +1,60 @@ +/* + * Copyright (c) 2024 Oracle and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package io.helidon.tests.integration.security.annotation; + +import io.helidon.security.annotations.Authenticated; +import io.helidon.security.annotations.Authorized; + +import jakarta.annotation.security.RolesAllowed; +import jakarta.ws.rs.GET; +import jakarta.ws.rs.Path; + +/** + * An admin resource that should not be accessible without proper credentials. + */ +@Authenticated +@Authorized(false) +@Path("/admin2") +public class SecondAdminResource { + + + /** + * The resource. + * + * @return admin secret. + */ + @GET + @Authorized + @RolesAllowed("admin") + public String admin() { + return "admin"; + } + + + /** + * The resource. + * + * @return admin secret. + */ + @GET + @Path("/unauthorized") + @RolesAllowed("admin") + public String unauthorizedAdmin() { + return "unauthorized admin"; + } + +} diff --git a/tests/integration/security/security-annotation/src/test/java/io/helidon/tests/integration/security/pathparams/AdminTest.java b/tests/integration/security/security-annotation/src/test/java/io/helidon/tests/integration/security/pathparams/AdminTest.java index a1c5e9310b9..df8b657a5d2 100644 --- a/tests/integration/security/security-annotation/src/test/java/io/helidon/tests/integration/security/pathparams/AdminTest.java +++ b/tests/integration/security/security-annotation/src/test/java/io/helidon/tests/integration/security/pathparams/AdminTest.java @@ -33,13 +33,32 @@ class AdminTest { @Test void testProtectedAdminEndpoint(WebTarget target) { - try (Response response = target.path("/admin") + testProtectedAdmin(target, "/admin"); + } + + @Test + void testProtectedAdmin2Endpoint(WebTarget target) { + testProtectedAdmin(target, "/admin2"); + } + + @Test + void testUnauthorizedAdminEndpoint(WebTarget target) { + testUnprotectedAdmin(target, "/admin/unauthorized"); + } + + @Test + void testUnauthorizedAdmin2Endpoint(WebTarget target) { + testUnprotectedAdmin(target, "/admin2/unauthorized"); + } + + private void testProtectedAdmin(WebTarget target, String endpoint) { + try (Response response = target.path(endpoint) .request() .header("Authorization", basic("fail")) .get()) { assertThat(response.getStatus(), is(Status.FORBIDDEN_403.code())); } - try (Response response = target.path("/admin") + try (Response response = target.path(endpoint) .request() .header("Authorization", basic("success")) .get()) { @@ -48,16 +67,15 @@ void testProtectedAdminEndpoint(WebTarget target) { } } - @Test - void testUnauthorizedAdminEndpoint(WebTarget target) { - try (Response response = target.path("/admin/unauthorized") + private void testUnprotectedAdmin(WebTarget target, String endpoint) { + try (Response response = target.path(endpoint) .request() .header("Authorization", basic("fail")) .get()) { assertThat(response.getStatus(), is(Status.OK_200.code())); assertThat(response.readEntity(String.class), is("unauthorized admin")); } - try (Response response = target.path("/admin/unauthorized") + try (Response response = target.path(endpoint) .request() .header("Authorization", basic("success")) .get()) {