or run

tessl search
Log in

Version

Workspace
tessl
Visibility
Public
Created
Last updated
Describes
mavenpkg:maven/io.quarkus/quarkus-resteasy-reactive@3.15.x

docs

guides

building-rest-apis.mdquick-start.mdreactive-programming.mdrest-clients.mdsecurity-setup.md
index.md
tile.json

tessl/maven-io-quarkus--quarkus-resteasy-reactive

tessl install tessl/maven-io-quarkus--quarkus-resteasy-reactive@3.15.0

A Jakarta REST implementation utilizing build time processing and Vert.x for high-performance REST endpoints with reactive capabilities in cloud-native environments.

security-setup.mddocs/guides/

Security Setup Guide

Learn how to secure your Quarkus REST endpoints with authentication and authorization.

Add Security Extension

<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-security</artifactId>
</dependency>

Role-Based Access Control

Basic Role Protection

import jakarta.annotation.security.RolesAllowed;

@Path("/admin")
@RolesAllowed("admin")
public class AdminResource {
    
    @GET
    public List<User> listUsers() {
        return userService.findAll();
    }
}

Method-Level Security

@Path("/items")
public class ItemResource {
    
    @GET
    @PermitAll
    public List<Item> list() {
        return itemService.findAll();
    }
    
    @POST
    @RolesAllowed("user")
    public Item create(Item item) {
        return itemService.create(item);
    }
    
    @DELETE
    @Path("/{id}")
    @RolesAllowed("admin")
    public Response delete(@RestPath Long id) {
        itemService.delete(id);
        return Response.noContent().build();
    }
}

Permission-Based Access

import io.quarkus.security.PermissionsAllowed;

@GET
@Path("/{id}")
@PermissionsAllowed("item:read")
public Item get(@RestPath Long id) {
    return itemService.findById(id);
}

@PUT
@Path("/{id}")
@PermissionsAllowed("item:write")
public Item update(@RestPath Long id, Item item) {
    return itemService.update(id, item);
}

Authentication Required

import io.quarkus.security.Authenticated;

@Path("/profile")
@Authenticated
public class ProfileResource {
    
    @GET
    public UserProfile get(@Context SecurityContext ctx) {
        String username = ctx.getUserPrincipal().getName();
        return profileService.findByUsername(username);
    }
}

JWT Authentication

Add JWT Extension

<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-smallrye-jwt</artifactId>
</dependency>

Configuration

# JWT configuration
mp.jwt.verify.publickey.location=META-INF/resources/publicKey.pem
mp.jwt.verify.issuer=https://your-issuer.com

Secured Endpoint

import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/secure")
public class SecureResource {
    
    @Inject
    JsonWebToken jwt;
    
    @GET
    @RolesAllowed("user")
    public String getSecure() {
        return "Hello, " + jwt.getName();
    }
}

OIDC Authentication

Add OIDC Extension

<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-oidc</artifactId>
</dependency>

Configuration

# OIDC configuration
quarkus.oidc.auth-server-url=https://your-oidc-server.com/realms/your-realm
quarkus.oidc.client-id=your-client-id
quarkus.oidc.credentials.secret=your-client-secret

Security Context

Access User Information

@GET
@Path("/me")
@Authenticated
public UserInfo getCurrentUser(@Context SecurityContext ctx) {
    String username = ctx.getUserPrincipal().getName();
    boolean isAdmin = ctx.isUserInRole("admin");
    
    return new UserInfo(username, isAdmin);
}

Custom Security

Security Identity Augmentor

import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;

@ApplicationScoped
public class CustomSecurityAugmentor implements SecurityIdentityAugmentor {
    
    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, 
                                         AuthenticationRequestContext context) {
        // Add custom roles or attributes
        return Uni.createFrom().item(
            QuarkusSecurityIdentity.builder(identity)
                .addRole("custom-role")
                .build()
        );
    }
}

Request Filters for Authentication

@ServerRequestFilter(priority = Priorities.AUTHENTICATION)
public Optional<RestResponse<String>> authenticate(HttpHeaders headers) {
    String authHeader = headers.getHeaderString("Authorization");
    
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
        return Optional.of(RestResponse.status(401, "Missing or invalid token"));
    }
    
    String token = authHeader.substring(7);
    if (!tokenService.isValid(token)) {
        return Optional.of(RestResponse.status(401, "Invalid token"));
    }
    
    return Optional.empty();
}

Configuration Security

Deny Unannotated Endpoints

# Require security annotations on all endpoints
quarkus.security.jaxrs.deny-unannotated-endpoints=true

Default Roles

# Set default roles for all endpoints
quarkus.security.jaxrs.default-roles-allowed=user

Testing Secured Endpoints

@QuarkusTest
@TestSecurity(user = "testUser", roles = {"user", "admin"})
class SecuredResourceTest {
    
    @Test
    void testSecuredEndpoint() {
        given()
            .when().get("/admin/users")
            .then()
            .statusCode(200);
    }
}

Best Practices

  1. Always Secure Sensitive Endpoints: Use @RolesAllowed or @Authenticated
  2. Use Permission-Based Access: More flexible than role-based
  3. Validate Tokens: Always validate JWT tokens properly
  4. Use HTTPS: Never send credentials over HTTP
  5. Implement Rate Limiting: Protect against brute force attacks
  6. Log Security Events: Monitor authentication failures
  7. Use Strong Secrets: For JWT signing and OIDC client secrets

Next Steps

  • Implement Reactive Programming
  • Build REST Clients with authentication
  • Review Common Scenarios
  • Check CSRF Protection