Merge pull request quarkusio#19955 from geoand/quarkusio#19896

Make @testsecurity work correctly with unannotated JAX-RS endpoints security feature
geoand · Sep 8, 2021 · f3c09b0 · f3c09b0
2 parents 0f810e1 + b9359bf
commit f3c09b0
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/docs/src/main/asciidoc/security-authorization.adoc b/docs/src/main/asciidoc/security-authorization.adoc
@@ -152,7 +152,7 @@ There are three configuration settings that alter the RBAC Deny behavior:
 
 `quarkus.security.jaxrs.deny-unannotated-endpoints=true|false`::
 If set to true, the access will be denied for all JAX-RS endpoints by default, so if a JAX-RS endpoint does not have any security annotations
-then it will default to `@DenyAll` behaviour. This is useful to ensure you cannot accidently expose an endpoint that is supposed to be secured. Defaults to `false`.
+then it will default to `@DenyAll` behaviour. This is useful to ensure you cannot accidentally expose an endpoint that is supposed to be secured. Defaults to `false`.
 
 `quarkus.security.jaxrs.default-roles-allowed=role1,role2`::
 Defines the default role requirements for unannotated endpoints. The role '**' is a special role that means any authenticated user. This cannot be combined with

diff --git a/...ity/runtime/src/main/java/io/quarkus/security/runtime/interceptor/DenyAllInterceptor.java b/...ity/runtime/src/main/java/io/quarkus/security/runtime/interceptor/DenyAllInterceptor.java
@@ -7,6 +7,8 @@
 import javax.interceptor.Interceptor;
 import javax.interceptor.InvocationContext;
 
+import io.quarkus.security.spi.runtime.AuthorizationController;
+
 /**
  *
  * @author Michal Szynkiewicz, [email protected]
@@ -19,8 +21,15 @@ public class DenyAllInterceptor {
     @Inject
     SecurityHandler handler;
 
+    @Inject
+    AuthorizationController controller;
+
     @AroundInvoke
     public Object intercept(InvocationContext ic) throws Exception {
-        return handler.handle(ic);
+        if (controller.isAuthorizationEnabled()) {
+            return handler.handle(ic);
+        } else {
+            return ic.proceed();
+        }
     }
 }
diff --git a/...security/spi/src/main/java/io/quarkus/security/spi/AdditionalSecuredClassesBuildItem.java b/...security/spi/src/main/java/io/quarkus/security/spi/AdditionalSecuredClassesBuildItem.java
@@ -13,10 +13,8 @@
  * Contains classes that need to have @DenyAll on all methods that don't have security annotations
  */
 public final class AdditionalSecuredClassesBuildItem extends MultiBuildItem {
+
     public final Collection<ClassInfo> additionalSecuredClasses;
-    /**
-     * The roles alloe
-     */
     public final Optional<List<String>> rolesAllowed;
 
     public AdditionalSecuredClassesBuildItem(Collection<ClassInfo> additionalSecuredClasses) {