Skip to content

Commit

Permalink
Merge pull request quarkusio#37560 from fedinskiy/fix/spring-security…
Browse files Browse the repository at this point in the history
…-docs

Multiple changes for spring-security guide
  • Loading branch information
geoand authored Dec 6, 2023
2 parents 09e5f4c + a79783f commit b7887aa
Showing 1 changed file with 37 additions and 17 deletions.
54 changes: 37 additions & 17 deletions docs/src/main/asciidoc/spring-security.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,9 @@ The solution is located in the `spring-security-quickstart` link:{quickstarts-tr
First, we need a new project. Create a new project with the following command:

:create-app-artifact-id: spring-security-quickstart
:create-app-group-id: org.acme.spring.security
:create-app-extensions: spring-web,spring-security,quarkus-elytron-security-properties-file,resteasy-reactive-jackson
:create-app-code:
include::{includes}/devtools/create-app.adoc[]

This command generates a project which imports the `spring-web`, `spring-security` and `security-properties-file` extensions.
Expand Down Expand Up @@ -81,7 +83,7 @@ For more information about `security-properties-file`, you can check out the gui
== GreetingController

The Quarkus Maven plugin automatically generated a controller with the Spring Web annotations to define our REST endpoint (instead of the Jakarta REST ones used by default).
First create a `src/main/java/org/acme/spring/web/GreetingController.java`, a controller with the Spring Web annotations to define our REST endpoint, as follows:
First create a `src/main/java/org/acme/spring/security/GreetingController.java`, a controller with the Spring Web annotations to define our REST endpoint, as follows:

[source,java]
----
Expand All @@ -97,7 +99,7 @@ public class GreetingController {
@GetMapping
public String hello() {
return "hello";
return "Hello Spring";
}
}
----
Expand All @@ -117,15 +119,14 @@ import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;
@QuarkusTest
public class GreetingControllerTest {
class GreetingControllerTest {
@Test
public void testHelloEndpoint() {
void testHelloEndpoint() {
given()
.when().get("/greeting")
.then()
.statusCode(200)
.body(is("hello"));
.body(is("Hello Spring"));
}
}
Expand All @@ -141,6 +142,7 @@ Open your browser to http://localhost:8080/greeting.

The result should be: `{"message": "hello"}`.

[#secure]
== Modify the controller to secure the `hello` method

In order to restrict access to the `hello` method to users with certain roles, the `@Secured` annotation will be utilized.
Expand Down Expand Up @@ -220,6 +222,16 @@ public class GreetingControllerTest {

== Test the changes

=== Automatically

Press `r`, while in DevMode, or run the application with:

include::{includes}/devtools/test.adoc[]

All tests should succeed.

=== Manually

Access allowed::

Open your browser again to http://localhost:8080/greeting and introduce `scott` and `jb0ss` in the dialog displayed.
Expand All @@ -239,15 +251,14 @@ You don't have authorization to view this page.
HTTP ERROR 403
----

== Run the application as a native executable

You can generate the native executable with:

include::{includes}/devtools/build-native.adoc[]
[TIP]
====
Some browsers save credentials for basic authentication. If the dialog is not displayed, try to clear saved logins or use the Private mode
====

== Supported Spring Security functionalities
== Supported Spring Security annotations

Quarkus currently only supports a subset of the functionalities that Spring Security provides with more features being planned. More specifically, Quarkus supports the security related features of role-based authorization semantics
Quarkus currently only supports a subset of the functionality that Spring Security provides with more features being planned. More specifically, Quarkus supports the security related features of role-based authorization semantics
(think of `@Secured` instead of `@RolesAllowed`).

=== Annotations
Expand All @@ -256,13 +267,15 @@ The table below summarizes the supported annotations:

.Supported Spring Security annotations
|===
|Name|Comments
|Name|Comments|Spring documentation

|@Secured
|
| See <<secure, above>>
| link:https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#use-secured[Authorizing Method Invocation with @Secured]

|@PreAuthorize
|See next section for more details
|link:https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#use-preauthorize[Authorizing Method Invocation with @PreAuthorize]

|===

Expand Down Expand Up @@ -320,6 +333,7 @@ public class Person {
this.name = name;
}
// this syntax requires getters for field access
public String getName() {
return name;
}
Expand Down Expand Up @@ -373,7 +387,6 @@ An example of the `PersonChecker` could be:
@Component
public class PersonChecker {
@Override
public boolean check(Person person, String username) {
return person.getName().equals(username);
}
Expand Down Expand Up @@ -407,8 +420,11 @@ Some examples of allowed expressions are:
}
----
[IMPORTANT]
====
Currently, expressions do not support parentheses for logical operators and are evaluated from left to right
====

Also to be noted that currently parentheses are not supported and expressions are evaluated from left to right when needed.

== Important Technical Note

Expand All @@ -428,6 +444,10 @@ The following table shows how Spring Security annotations can be converted to Ja
|@RolesAllowed("admin")
|

|@PreAuthorize
|No direct replacement
|Quarkus handles complex authorisation differently, see link:https://quarkus.io/guides/security-authorize-web-endpoints-reference[this guide] for details

|===

== More Spring guides
Expand Down

0 comments on commit b7887aa

Please sign in to comment.