Add simple form base app in security-authentication-mechanisms guide #39079
@GET | ||
@Path("hello") | ||
@RolesAllowed("user") | ||
public String hello(@Context SecurityContext security) { |
We don't really use JAX-RS SecurityContext in our security examples, but SecurityIdentity which has more options for checks and is injected directly into the endpoint.
Also, there is nearly an identical code example for the MTLS below. We should probably have a dedicated small section describing how to access the security identity and refer to it.
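As an added illustration of the `SecurityIdentity` injection the comment above refers to (this is example code, not code from the PR or from the Quarkus docs), the endpoint below assumes the Quarkus `io.quarkus.security.identity.SecurityIdentity` API and a Jakarta REST resource; the package, class and resource paths are placeholders:

```java
package org.acme.example; // hypothetical package name

import io.quarkus.security.identity.SecurityIdentity;
import jakarta.annotation.security.RolesAllowed;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

@Path("/hello")
public class HelloResource {

    // Quarkus injects the request-scoped SecurityIdentity directly; unlike the
    // JAX-RS SecurityContext it also exposes roles and attributes, and it can be
    // injected into any CDI bean, not only into JAX-RS resources.
    @Inject
    SecurityIdentity identity;

    @GET
    @RolesAllowed("user")
    public String hello() {
        // @RolesAllowed guarantees an authenticated caller, so the principal is non-null here.
        return "Hello " + identity.getPrincipal().getName();
    }

    @GET
    @Path("/whoami")
    public String whoami() {
        // No @RolesAllowed on this method: the caller may be anonymous, so check
        // before dereferencing the principal instead of relying on the annotation.
        if (identity.isAnonymous()) {
            return "anonymous";
        }
        boolean admin = identity.hasRole("admin"); // "admin" is a placeholder role name
        return identity.getPrincipal().getName() + (admin ? " (admin)" : "");
    }
}
```

The `/hello` method mirrors the snippet under review but reads the name from the injected identity; `/whoami` shows the check a practitioner needs as soon as a method is not protected by `@RolesAllowed`, because the identity is then the anonymous one and `getPrincipal().getName()` must not be assumed to refer to a logged-in user.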
Theoretically, in this example it is not necessary to use SecurityContext/SecurityIdentity but just to return a simple string like `Successfully logged in`.
Or I can create that small section but where should I put it?
@jedla97 Since you agreed to remove the code example, it is ok, we can add something later
return "Hello " + security.getUserPrincipal().getName(); | ||
} | ||
|
||
@GET |
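Review bot: at `return "Hello " + security.getUserPrincipal().getName();` the dereference is only safe because `@RolesAllowed("user")` on the method guarantees an authenticated caller; JAX-RS `SecurityContext.getUserPrincipal()` returns null for an unauthenticated request, so if the annotation is later loosened or removed this line throws a NullPointerException. If the example is kept, either keep the annotation next to it or null-check the principal before calling `getName()`.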
IMHO we can just drop this example, for the user facing application one would not return Strings but for example here produce HTML with Qute. This specific doc's goal is to give an overview of the authentication mechanisms only.
Perhaps it is time to introduce a dedicated doc related to the form authentication
Ok I'll remove it
|
||
[IMPORTANT] | ||
==== | ||
Configuring user names, secrets, and roles in the application.properties file is appropriate only for testing scenarios. For securing a production application, it is crucial to use a database to store this information. |
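Review bot: the admonition tells the reader not to use application.properties for production credentials but not why; suggest stating the reason (the user names and secrets are committed with the source and packaged into the application artifact) and widening "a database" to an external identity store such as a database or LDAP, so the guidance does not read as database-only.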
LDAP is also an option; it also uses a DB indirectly, but maybe it is worth saying database or LDAP
and linking to the basic authentication with JPA doc for an example.
🙈 The PR is closed and the preview is expired.
|
||
[NOTE] | ||
==== | ||
Endpoind for verification `j_security_check` and name of parameters for username (`j_username`) and password (`j_password`) can be changed by setting it's configuration properties. |
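Review bot: typos in the note text: "Endpoind" should be "Endpoint", "it's" should be "its", and "by setting it's configuration properties" reads better as "by setting the corresponding configuration properties"; also "Endpoint for verification `j_security_check`" would read more naturally as "The `j_security_check` verification endpoint".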
A few typos, but IMHO this note is unnecessary, the configuration section follows just below and it is clear all of these properties can be changed
Thanks @jedla97, LGTM, I'm only proposing to try to minimize the new text as this overview of the authentication mechanisms doc should only give some basic overview of a specific mechanism as opposed to for example being a tutorial on the Form authentication.
IMHO it will make sense to create a dedicated Form authentication doc later with a Form auth tutorial, and a quickstart, as it looks like Form authentication is starting to dominate in this doc
@sberyozkin I tried to keep it to a minimum. I'll update all the comments; I just have one question.
It would be nice to have it separate. For me the problem was that I was just missing where to start with form authentication, as I believe that lots of small projects or small learning projects don't need complex security such as OIDC, for example.
Sure, you are right. I'd only like to avoid having the doc, which is meant to give an overview of the available mechanisms, provide a form authentication tutorial.
@sberyozkin Yes it does!
Just for clarification, who should create the follow-up? I can work on this a bit, but I'm not sure I'll cover all the technical details correctly. If it should be similar to this, for example, I can do it.
Thanks @jedla97
Fixes #37645
Adding a simple app example for form-based security, which I was missing when reading the guide.