Version
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
docs
reference
architecture.mdbuild-spi.mdcaching.mdcompression.mdconditional-endpoints.mdconfiguration.mdcontext-injection.mddeclarative-responses.mdexception-mapping.mdfile-uploads.mdfilters.mdhandler-chain.mdjackson-serialization.mdjakarta-rest.mdmultipart-forms.mdobservability.mdparameter-annotations.mdqute-integration.mdreactive-programming.mdresource-management.mdrest-client.mdrest-data-panache.mdrest-links.mdrest-response.mdsecurity.mdserver-multipart.mdserver-spi.mdstreaming.mdwebsockets.md
tessl/maven-io-quarkus--quarkus-rest
tessl install tessl/maven-io-quarkus--quarkus-rest@3.15.0A Jakarta REST implementation utilizing build time processing and Vert.x for high-performance REST endpoints with reactive programming support, security integration, and cloud-native features.
security-setup.mddocs/guides/
Security Setup Guide
This guide shows how to secure your Quarkus REST endpoints with authentication and authorization.
Add Security Extension
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-security</artifactId>
</dependency>Role-Based Access Control (RBAC)
Secure Endpoints
import jakarta.annotation.security.RolesAllowed;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.DenyAll;
@Path("/api")
public class SecureResource {
@GET
@Path("/public")
@PermitAll
public String publicEndpoint() {
return "Public data";
}
@GET
@Path("/user")
@RolesAllowed("user")
public String userEndpoint() {
return "User data";
}
@GET
@Path("/admin")
@RolesAllowed("admin")
public String adminEndpoint() {
return "Admin data";
}
@GET
@Path("/restricted")
@DenyAll
public String restrictedEndpoint() {
return "Never accessible";
}
}Multiple Roles
@DELETE
@Path("/users/{id}")
@RolesAllowed({"admin", "superuser"})
public Response deleteUser(@PathParam("id") Long id) {
userService.delete(id);
return Response.noContent().build();
}Class-Level Security
@Path("/admin")
@RolesAllowed("admin") // Applies to all methods
public class AdminResource {
@GET
@Path("/dashboard")
public String dashboard() {
return "Admin dashboard";
}
@GET
@Path("/public-info")
@PermitAll // Override class-level
public String publicInfo() {
return "Public admin info";
}
}Basic Authentication
Add Extension
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-elytron-security-properties-file</artifactId>
</dependency>Configure Users
src/main/resources/application.properties:
quarkus.security.users.embedded.enabled=true
quarkus.security.users.embedded.plain-text=true
quarkus.security.users.embedded.users.alice=alice123
quarkus.security.users.embedded.users.bob=bob456
quarkus.security.users.embedded.roles.alice=user
quarkus.security.users.embedded.roles.bob=adminTest
curl -u alice:alice123 http://localhost:8080/api/user
curl -u bob:bob456 http://localhost:8080/api/adminJWT Authentication
Add Extension
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-smallrye-jwt</artifactId>
</dependency>Configure
mp.jwt.verify.publickey.location=META-INF/resources/publicKey.pem
mp.jwt.verify.issuer=https://your-issuer.comUse JWT Claims
import org.eclipse.microprofile.jwt.JsonWebToken;
@Path("/secure")
public class JwtResource {
@Inject
JsonWebToken jwt;
@GET
@RolesAllowed("user")
public Response getUserInfo() {
String username = jwt.getName();
Set<String> groups = jwt.getGroups();
return Response.ok()
.entity(new UserInfo(username, groups))
.build();
}
}OIDC/OAuth2
Add Extension
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-oidc</artifactId>
</dependency>Configure
quarkus.oidc.auth-server-url=https://your-oidc-provider.com/realms/your-realm
quarkus.oidc.client-id=your-client-id
quarkus.oidc.credentials.secret=your-client-secretSecure Endpoints
@Path("/protected")
@Authenticated // Requires any authenticated user
public class ProtectedResource {
@Inject
SecurityIdentity securityIdentity;
@GET
public Response getInfo() {
String username = securityIdentity.getPrincipal().getName();
Set<String> roles = securityIdentity.getRoles();
return Response.ok()
.entity(new UserInfo(username, roles))
.build();
}
}Permission-Based Access
import io.quarkus.security.PermissionsAllowed;
@Path("/documents")
public class DocumentResource {
@GET
@Path("/{id}")
@PermissionsAllowed("document:read")
public Document get(@PathParam("id") Long id) {
return documentService.findById(id);
}
@PUT
@Path("/{id}")
@PermissionsAllowed({"document:write", "document:update"})
public Response update(@PathParam("id") Long id, Document doc) {
documentService.update(id, doc);
return Response.ok().build();
}
@DELETE
@Path("/{id}")
@PermissionsAllowed(
value = {"document:delete", "admin:all"},
logical = PermissionsAllowed.LogicalOperation.OR
)
public Response delete(@PathParam("id") Long id) {
documentService.delete(id);
return Response.noContent().build();
}
}Access Security Context
import jakarta.ws.rs.core.SecurityContext;
@Path("/user")
public class UserResource {
@GET
@Path("/info")
public Response getUserInfo(@Context SecurityContext securityContext) {
Principal principal = securityContext.getUserPrincipal();
String username = principal != null ? principal.getName() : "anonymous";
boolean isAdmin = securityContext.isUserInRole("admin");
boolean isSecure = securityContext.isSecure();
return Response.ok()
.entity(new UserInfo(username, isAdmin, isSecure))
.build();
}
}Programmatic Security
import io.quarkus.security.identity.SecurityIdentity;
@Path("/secure")
public class SecureResource {
@Inject
SecurityIdentity securityIdentity;
@GET
@Path("/check")
public Response checkPermissions() {
if (securityIdentity.isAnonymous()) {
return Response.status(401).build();
}
if (securityIdentity.hasRole("admin")) {
return Response.ok("Admin access").build();
}
return Response.ok("User access").build();
}
}HTTP Security Policies
Configure path-based security in application.properties:
# Require authentication for all /api/* paths
quarkus.http.auth.policy.api-policy.roles-allowed=user
# Apply policy to path patterns
quarkus.http.auth.permission.api.paths=/api/*
quarkus.http.auth.permission.api.policy=api-policy
# Public paths
quarkus.http.auth.permission.public.paths=/public/*
quarkus.http.auth.permission.public.policy=permitCORS Configuration
quarkus.http.cors=true
quarkus.http.cors.origins=https://example.com
quarkus.http.cors.methods=GET,POST,PUT,DELETE
quarkus.http.cors.headers=accept,authorization,content-type
quarkus.http.cors.exposed-headers=Content-Disposition
quarkus.http.cors.access-control-max-age=24HProactive vs Lazy Authentication
# Proactive (default): Authenticate all requests
quarkus.http.auth.proactive=true
# Lazy: Authenticate only when security annotations present
quarkus.http.auth.proactive=falseNext Steps
- Reactive Programming - Secure reactive endpoints
- REST Clients - Secure client calls
- Common Scenarios - Security examples