diff --git a/docs/src/main/asciidoc/security-authorization.adoc b/docs/src/main/asciidoc/security-authorization.adoc
index 0284e17665005..eae6eaa8444ce 100644
--- a/docs/src/main/asciidoc/security-authorization.adoc
+++ b/docs/src/main/asciidoc/security-authorization.adoc
@@ -152,7 +152,7 @@ There are three configuration settings that alter the RBAC Deny behavior:
 `quarkus.security.jaxrs.deny-unannotated-endpoints=true|false`::
 If set to true, the access will be denied for all JAX-RS endpoints by default, so if a JAX-RS endpoint does not have any security annotations
-then it will default to `@DenyAll` behaviour. This is useful to ensure you cannot accidently expose an endpoint that is supposed to be secured. Defaults to `false`.
+then it will default to `@DenyAll` behaviour. This is useful to ensure you cannot accidentally expose an endpoint that is supposed to be secured. Defaults to `false`.
 `quarkus.security.jaxrs.default-roles-allowed=role1,role2`::
 Defines the default role requirements for unannotated endpoints. The role '**' is a special role that means any authenticated user. This cannot be combined with
diff --git a/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/interceptor/DenyAllInterceptor.java b/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/interceptor/DenyAllInterceptor.java
index 9b408b7d6c87d..66f92e3ec1449 100644
--- a/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/interceptor/DenyAllInterceptor.java
+++ b/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/interceptor/DenyAllInterceptor.java
@@ -7,6 +7,8 @@
 import javax.interceptor.Interceptor;
 import javax.interceptor.InvocationContext;
+import io.quarkus.security.spi.runtime.AuthorizationController;
+
 /**
  *
  * @author Michal Szynkiewicz, michal.l.szynkiewicz@gmail.com
@@ -19,8 +21,15 @@ public class DenyAllInterceptor {
 @Inject
 SecurityHandler handler;
+ @Inject
+ AuthorizationController controller;
+
 @AroundInvoke
 public Object intercept(InvocationContext ic) throws Exception {
- return handler.handle(ic);
+ if (controller.isAuthorizationEnabled()) {
+ return handler.handle(ic);
+ } else {
+ return ic.proceed();
+ }
 }
 }
diff --git a/extensions/security/spi/src/main/java/io/quarkus/security/spi/AdditionalSecuredClassesBuildItem.java b/extensions/security/spi/src/main/java/io/quarkus/security/spi/AdditionalSecuredClassesBuildItem.java
index 5a1e138548253..342012156657d 100644
--- a/extensions/security/spi/src/main/java/io/quarkus/security/spi/AdditionalSecuredClassesBuildItem.java
+++ b/extensions/security/spi/src/main/java/io/quarkus/security/spi/AdditionalSecuredClassesBuildItem.java
@@ -13,10 +13,8 @@
 * Contains classes that need to have @DenyAll on all methods that don't have security annotations
 */
 public final class AdditionalSecuredClassesBuildItem extends MultiBuildItem {
+
 public final Collection additionalSecuredClasses;
- /**
- * The roles alloe
- */
 public final Optional> rolesAllowed;
 public AdditionalSecuredClassesBuildItem(Collection additionalSecuredClasses) {
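Review bot: The new `if` in `intercept()` makes `@DenyAll` fail open whenever `AuthorizationController.isAuthorizationEnabled()` returns false, and nothing on that line tells a later reader that this is a deliberate global switch rather than a bug; a one-line comment would protect it from a well-meant "fix": `// Authorization is globally switched off (dev/test toggle): deliberately let the @DenyAll-guarded call through.`. If the sibling interceptors (roles-allowed, authenticated, permit-all) receive the same gate, consider moving the `isAuthorizationEnabled()` check into `SecurityHandler.handle` so every security annotation fails open or closed in one place instead of each interceptor repeating the branch. Since the safe state now presumably rests entirely on the controller's default, a test asserting that a `@DenyAll` method is still rejected with default configuration would pin that down.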
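Review bot: Deleting the garbled `The roles alloe` Javadoc leaves `rolesAllowed` with no description at all, and the class comment only explains the `@DenyAll` default, so a reader has to guess what a present value means; I would correct the comment rather than drop it, e.g. `/** Roles required on the unannotated methods of {@link #additionalSecuredClasses}; when empty those methods get the {@code @DenyAll} default described above. */` — assuming that is the semantics, which should be confirmed against the build step that consumes this item. The type parameters of both fields appear to have been lost in this rendering (`Collection`, `Optional>`), so I have not reviewed them. The constructor that starts on the hunk's last line continues outside the hunk.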