Skip to content

Commit

Permalink
Merge branch 'main' into quarkusio#36376
Browse files Browse the repository at this point in the history
  • Loading branch information
MaciejDromin authored Dec 6, 2023
2 parents 48ebc43 + b7887aa commit e2e529d
Show file tree
Hide file tree
Showing 29 changed files with 473 additions and 55 deletions.
8 changes: 4 additions & 4 deletions bom/application/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@
<hibernate-reactive.version>2.2.0.Final</hibernate-reactive.version>
<hibernate-validator.version>8.0.1.Final</hibernate-validator.version>
<!-- When updating, align hibernate-search.version-for-documentation in docs/pom.xml -->
<hibernate-search.version>7.0.0.CR2</hibernate-search.version>
<hibernate-search.version>7.0.0.Final</hibernate-search.version>
<narayana.version>7.0.0.Final</narayana.version>
<agroal.version>2.1</agroal.version>
<jboss-transaction-spi.version>8.0.0.Final</jboss-transaction-spi.version>
Expand Down Expand Up @@ -182,12 +182,12 @@
<okhttp.version>3.14.9</okhttp.version><!-- keep in sync with okio -->
<okio.version>1.17.6</okio.version><!-- keep in sync with okhttp -->
<hibernate-quarkus-local-cache.version>0.3.0</hibernate-quarkus-local-cache.version>
<flapdoodle.mongo.version>4.9.2</flapdoodle.mongo.version>
<flapdoodle.mongo.version>4.11.1</flapdoodle.mongo.version>
<quarkus-spring-api.version>5.2.SP7</quarkus-spring-api.version>
<quarkus-spring-data-api.version>2.1.SP2</quarkus-spring-data-api.version>
<quarkus-spring-security-api.version>5.4.Final</quarkus-spring-security-api.version>
<quarkus-spring-boot-api.version>2.1.SP1</quarkus-spring-boot-api.version>
<mockito.version>5.3.1</mockito.version>
<mockito.version>5.8.0</mockito.version>
<jna.version>5.8.0</jna.version><!-- should satisfy both testcontainers and mongodb -->
<antlr.version>4.13.0</antlr.version><!-- needs to align with same property in build-parent/pom.xml -->
<quarkus-security.version>2.0.2.Final</quarkus-security.version>
Expand All @@ -203,7 +203,7 @@
<commons-compress.version>1.25.0</commons-compress.version>
<commons-text.version>1.11.0</commons-text.version>
<gson.version>2.10.1</gson.version>
<log4j2-jboss-logmanager.version>1.1.1.Final</log4j2-jboss-logmanager.version>
<log4j2-jboss-logmanager.version>1.1.2.Final</log4j2-jboss-logmanager.version>
<log4j2-api.version>2.22.0</log4j2-api.version>
<log4j-jboss-logmanager.version>1.3.0.Final</log4j-jboss-logmanager.version>
<avro.version>1.11.3</avro.version>
Expand Down
2 changes: 1 addition & 1 deletion build-parent/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@
<keycloak.docker.image>quay.io/keycloak/keycloak:${keycloak.version}</keycloak.docker.image>
<keycloak.docker.legacy.image>quay.io/keycloak/keycloak:${keycloak.wildfly.version}-legacy</keycloak.docker.legacy.image>

<unboundid-ldap.version>6.0.10</unboundid-ldap.version>
<unboundid-ldap.version>6.0.11</unboundid-ldap.version>

<assertj.version>3.24.2</assertj.version>

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ public static Set<String> configFiles(Path configFilesLocation) throws IOExcepti
Set<String> configFiles = new HashSet<>();
try (DirectoryStream<Path> candidates = Files.newDirectoryStream(configFilesLocation, CONFIG_FILES_FILTER)) {
for (Path candidate : candidates) {
configFiles.add(candidate.toString());
configFiles.add(candidate.toUri().getPath());
}
}
return configFiles;
Expand Down
6 changes: 2 additions & 4 deletions docs/src/main/asciidoc/kafka.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -1952,10 +1952,8 @@ mp.messaging.outgoing.fruit-out.compression.type=snappy
----

In JVM mode, it will work out of the box.
However, to compile your application to a native executable, you need to:

1. Uses GraalVM 21.+
2. Add `quarkus.kafka.snappy.enabled=true` to your `application.properties`
However, to compile your application to a native executable, you need to
add `quarkus.kafka.snappy.enabled=true` to your `application.properties`.

In native mode, Snappy is disabled by default as the use of Snappy requires embedding a native library and unpacking it when the application starts.

Expand Down
4 changes: 2 additions & 2 deletions docs/src/main/asciidoc/scheduler-reference.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ So for example a Property Expression with the default value `"off"` can be used
void myMethod() { }
----


[#identity]
=== Identity

By default, a unique identifier is generated for each scheduled method.
Expand Down Expand Up @@ -417,7 +417,7 @@ If the xref:smallrye-metrics.adoc[SmallRye Metrics extension] is present, then a

== OpenTelemetry Tracing

If `quarkus.scheduler.tracing.enabled` is set to `true` and the xref:opentelemetry.adoc[OpenTelemetry extension] is present then the `@io.opentelemetry.instrumentation.annotations.WithSpan` annotation is added automatically to every `@Scheduled` method. As a result, each execution of this method has a new `io.opentelemetry.api.trace.Span` associated.
If `quarkus.scheduler.tracing.enabled` is set to `true` and the xref:opentelemetry.adoc[OpenTelemetry extension] is present then every job execution, either defined with the `@Scheduled` annotation or scheduled programmatically, automatically creates a span named after the job's <<identity>>.

[[virtual_threads]]
== Run @Scheduled methods on virtual threads
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -87,9 +87,9 @@ import io.vertx.ext.web.RoutingContext;
@ApplicationScoped
public class CustomNamedHttpSecPolicy implements HttpSecurityPolicy {
@Override
public Uni<CheckResult> checkPermission(RoutingContext request, Uni<SecurityIdentity> identity,
public Uni<CheckResult> checkPermission(RoutingContext event, Uni<SecurityIdentity> identity,
AuthorizationRequestContext requestContext) {
if (customRequestAuthorization(request)) {
if (customRequestAuthorization(event)) {
return Uni.createFrom().item(CheckResult.PERMIT);
}
return Uni.createFrom().item(CheckResult.DENY);
Expand All @@ -99,6 +99,11 @@ public class CustomNamedHttpSecPolicy implements HttpSecurityPolicy {
public String name() {
return "custom"; <1>
}
private static boolean customRequestAuthorization(RoutingContext event) {
// here comes your own security check
return !event.request().path().endsWith("denied");
}
}
----
<1> Named HTTP Security policy will only be applied to requests matched by the `application.properties` path matching rules.
Expand Down Expand Up @@ -376,8 +381,6 @@ The following <<subject-example>> demonstrates an endpoint that uses both Jakart
----
import java.security.Principal;
import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
Expand Down Expand Up @@ -617,7 +620,7 @@ quarkus.http.auth.permission.roles1.paths=/crud/modify/*,/crud/id/*
quarkus.http.auth.permission.roles1.policy=role-policy1
quarkus.http.auth.policy.role-policy2.permissions.user=list
quarkus.http.auth.policy.role-policy2.permission-class=org.acme.crud.CRUDResource.CustomPermission <4>
quarkus.http.auth.policy.role-policy2.permission-class=org.acme.crud.CRUDResource$CustomPermission <4>
quarkus.http.auth.permission.roles2.paths=/crud/list
quarkus.http.auth.permission.roles2.policy=role-policy2
----
Expand All @@ -626,7 +629,7 @@ Similarly, for the `@PermissionsAllowed` annotation, `io.quarkus.security.String
<2> Permissions `create`, `update`, and `read` are mapped to the role `admin`.
<3> The role policy `role-policy1` allows only authenticated requests to access `/crud/modify` and `/crud/id` sub-paths.
For more information about the path-matching algorithm, see <<matching-multiple-paths>> later in this guide.
<4> You can also specify a custom implementation of the `java.security.Permission` class.
<4> You can specify a custom implementation of the `java.security.Permission` class.
Your custom class must define exactly one constructor that accepts the permission name and optionally some actions, for example, `String` array.
In this scenario, the permission `list` is added to the `SecurityIdentity` instance as `new CustomPermission("list")`.

Expand All @@ -638,6 +641,8 @@ Later, Quarkus instantiates your custom permission with actual arguments, with w

[source,java]
----
package org.acme.library;
import java.security.Permission;
import java.util.Arrays;
import java.util.Set;
Expand Down Expand Up @@ -665,7 +670,7 @@ public class LibraryPermission extends Permission {
return false;
}
...
// here comes your own implementation of the `java.security.Permission` class methods
public static abstract class Library {
Expand All @@ -684,7 +689,7 @@ public class LibraryPermission extends Permission {
}
public static class TvLibrary extends MediaLibrary {
...
// TvLibrary specific implementation of the 'isParentLibraryOf' method
}
}
----
Expand All @@ -699,8 +704,11 @@ The following example shows how the `LibraryPermission` class can be used:

[source,java]
----
package org.acme.library;
import io.quarkus.security.PermissionsAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import org.acme.library.LibraryPermission.Library;
@ApplicationScoped
public class LibraryService {
Expand Down Expand Up @@ -729,6 +737,15 @@ The permission constructor and the annotated method must have the parameter `lib

[source,java]
----
package org.acme.library;
import io.quarkus.security.PermissionsAllowed;
import jakarta.inject.Inject;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import org.acme.library.LibraryPermission.Library;
@Path("/library")
public class LibraryResource {
Expand Down Expand Up @@ -759,9 +776,6 @@ Similarly to the `CRUDResource` example, the following example shows how you can
package org.acme.library;
import io.quarkus.runtime.annotations.RegisterForReflection;
import java.security.Permission;
import java.util.Arrays;
import java.util.Set;
@RegisterForReflection <1>
public class MediaLibraryPermission extends LibraryPermission {
Expand All @@ -782,10 +796,12 @@ quarkus.http.auth.policy.role-policy3.permission-class=org.acme.library.MediaLib
quarkus.http.auth.permission.roles3.paths=/library/*
quarkus.http.auth.permission.roles3.policy=role-policy3
----

<1> Grants the permission `media-library`, which permits `read`, `write`, and `list` actions.
Because `MediaLibrary` is the `TvLibrary` class parent, a user with the `admin` role is also permitted to modify `TvLibrary`.

TIP: The `/library/*` path can be tested from a Keycloak provider Dev UI page, because the user `alice` which is created
automatically by the xref:security-openid-connect-dev-services.adoc[Dev Services for Keycloak] has an `admin` role.

The examples provided so far use role-to-permission mapping.
You can also add permissions to the `SecurityIdentity` instance programmatically.
In the following example, xref:security-customization.adoc#security-identity-customization[`SecurityIdentity` is customized] to add the same permission that was previously granted with the HTTP role-based policy.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,6 @@ See also, xref:security-authentication-mechanisms.adoc#other-supported-authentic

If you want to protect your service applications by using OIDC Bearer token authentication, see xref:security-oidc-bearer-token-authentication.adoc[OIDC Bearer token authentication].

:sectnums!:

== Prerequisites

:prerequisites-docker:
Expand Down Expand Up @@ -91,6 +89,7 @@ import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.oidc.IdToken;
Expand Down Expand Up @@ -132,7 +131,7 @@ public class TokenResource {
.append("<ul>");
Object userName = this.idToken.getClaim("preferred_username");
Object userName = this.idToken.getClaim(Claims.preferred_username);
if (userName != null) {
response.append("<li>username: ").append(userName.toString()).append("</li>");
Expand Down Expand Up @@ -191,15 +190,15 @@ To start a Keycloak server, use Docker and run the following command:
docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8180:8080 quay.io/keycloak/keycloak:{keycloak.version} start-dev
----

where `keycloak.version` should be set to `17.0.0` or higher.
where `keycloak.version` should be set to `23.0.0` or higher.

You should be able to access your Keycloak Server at http://localhost:8180[localhost:8180].

To access the Keycloak Administration Console, log in as the `admin` user.
Username should be `admin` and password `admin`.

Import the link:{quickstarts-tree-url}/security-openid-connect-web-authentication-quickstart/config/quarkus-realm.json[realm configuration file] to create a new realm.
For more information, see the Keycloak documentation about how to https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm[create a new realm].
For more information, see the Keycloak documentation about how to https://www.keycloak.org/docs/latest/server_admin/index.html#configuring-realms[create and configure a new realm].

== Run the application in dev and JVM modes

Expand Down Expand Up @@ -254,11 +253,13 @@ To authenticate to the application, type the following credentials when at the K
* Username: *alice*
* Password: *alice*

After clicking the `Login` button, you are redirected back to the application.
After clicking the `Login` button, you are redirected back to the application and a session cookie will be created.

The session for this demo is short-lived and you will be asked to re-authenticate on every page refresh. Please follow the Keycloak https://www.keycloak.org/docs/latest/server_admin/#_timeouts[session timeout] documentation to learn how to increase the session timeouts. For example, you can access Keycloak Admin console directly from Dev UI by selecting a `Keycloak Admin` link if you use xref:security-oidc-code-flow-authentication.adoc#integration-testing-keycloak-devservices[Dev Services for Keycloak] in dev mode:

For more information about writing the integration tests that depend on `Dev Services for Keycloak`, see the <<security-oidc-code-flow-authentication.adoc#integration-testing-keycloak-devservices, Dev Services for Keycloak>> section.
image::dev-ui-oidc-keycloak-card.png[alt=Dev UI OpenID Connect Card,role="center"]

:sectnums!:
For more information about writing the integration tests that depend on `Dev Services for Keycloak`, see the xref:security-oidc-code-flow-authentication.adoc#integration-testing-keycloak-devservices[Dev Services for Keycloak] section.

== Summary

Expand Down
Loading

0 comments on commit e2e529d

Please sign in to comment.