Skip to content

Commit

Permalink
Support permission checkers for WebSockets Next
Browse files Browse the repository at this point in the history
  • Loading branch information
michalvavrik committed Jan 22, 2025
1 parent 7bf5b30 commit e7cd9c7
Show file tree
Hide file tree
Showing 11 changed files with 944 additions and 83 deletions.
179 changes: 147 additions & 32 deletions docs/src/main/asciidoc/websockets-next-reference.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -185,8 +185,12 @@ public class MyWebSocket {

==== Request context

If an endpoint is annotated with `@RequestScoped`, or with a security annotation (such as `@RolesAllowed`), or depends directly or indirectly on a `@RequestScoped` bean, or on a bean annotated with a security annotation, then each WebSocket endpoint callback method execution is associated with a new _request context_.
The request context is active during endpoint callback invocation.
Each WebSocket endpoint callback method execution is associated with a new CDI _request context_ if the endpoint is:

* Annotated with the `@RequestScoped` annotation.
* Has a method annotated with a security annotation such as `@RolesAllowed`.
* Depends directly or indirectly on a `@RequestScoped` bean.
* Depends directly or indirectly on a CDI beans secured with a standard security annotation.

TIP: It is also possible to set the `quarkus.websockets-next.server.activate-request-context` config property to `always`. In this case, the request context is always activated when an endpoint callback is invoked.

Expand Down Expand Up @@ -783,6 +787,68 @@ class MyBean {
[[websocket-next-security]]
=== Security

Security capabilities are provided by the Quarkus Security extension.
Any xref:security-identity-providers.adoc[Identity provider] can be used to convert authentication credentials on the initial HTTP request into a `SecurityIdentity` instance.
The `SecurityIdentity` is then associated with the websocket connection.
Authorization options are demonstrated in following sections.

NOTE: When an OpenID Connect extension, `quarkus-oidc`, is used and token expires, Quarkus automatically closes connection.

[[secure-http-upgrade]]
==== Secure HTTP upgrade

An HTTP upgrade is secured when a standard security annotation is placed on an endpoint class or an HTTP Security policy is defined.
The advantage of securing HTTP upgrade is less processing, the authorization is performed early and only once.
You should always prefer HTTP upgrade security unless you need to perform an action on error (see <<secure-callback-methods>>) or a security check based on the payload (see <<secure-endpoints-with-permission-checkers>>).

.Use standard security annotation to secure an HTTP upgrade
[source, java]
----
package io.quarkus.websockets.next.test.security;
import io.quarkus.security.Authenticated;
import jakarta.inject.Inject;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.websockets.next.OnOpen;
import io.quarkus.websockets.next.OnTextMessage;
import io.quarkus.websockets.next.WebSocket;
@Authenticated <1>
@WebSocket(path = "/end")
public class Endpoint {
@Inject
SecurityIdentity currentIdentity;
@OnOpen
String open() {
return "ready";
}
@OnTextMessage
String echo(String message) {
return message;
}
}
----
<1> Initial HTTP handshake ends with the 401 status for anonymous users.
You can also redirect the handshake request on authorization failure with the `quarkus.websockets-next.server.security.auth-failure-redirect-url` configuration property.

IMPORTANT: HTTP upgrade is only secured when a security annotation is declared on an endpoint class next to the `@WebSocket` annotation.
Placing a security annotation on an endpoint bean will not secure bean methods, only the HTTP upgrade.
You must always verify that your endpoint is secured as intended.

.Use HTTP Security policy to secure an HTTP upgrade
[source,properties]
----
quarkus.http.auth.permission.http-upgrade.paths=/end
quarkus.http.auth.permission.http-upgrade.policy=authenticated
----

[[secure-callback-methods]]
==== Secure WebSocket endpoint callback methods

WebSocket endpoint callback methods can be secured with security annotations such as `io.quarkus.security.Authenticated`,
`jakarta.annotation.security.RolesAllowed` and other annotations listed in the xref:security-authorize-web-endpoints-reference.adoc#standard-security-annotations[Supported security annotations] documentation.

Expand Down Expand Up @@ -828,60 +894,109 @@ public class Endpoint {
<1> The echo callback method can only be invoked if the current security identity has an `admin` role.
<2> The error handler is invoked in case of the authorization failure.

`SecurityIdentity` is initially created during a secure HTTP upgrade and associated with the websocket connection.
[[secure-endpoints-with-permission-checkers]]
==== Secure server endpoints with permission checkers

NOTE: When OpenID Connect extension is used and token expires, Quarkus automatically closes connection.
WebSocket endpoints can be secured with the xref:security-authorize-web-endpoints-reference.adoc#permission-checker[permission checkers].
We recommend to <<secure-http-upgrade>> rather than individual endpoint methods. For example:

=== Secure HTTP upgrade
.Example of a WebSocket endpoint with secured HTTP upgrade
[source, java]
----
package io.quarkus.websockets.next.test.security;
An HTTP upgrade is secured when standard security annotation is placed on an endpoint class or an HTTP Security policy is defined.
The advantage of securing HTTP upgrade is less processing, the authorization is performed early and only once.
You should always prefer HTTP upgrade security unless, like in th example above, you need to perform action on error.
import io.quarkus.security.PermissionsAllowed;
import io.quarkus.websockets.next.OnTextMessage;
import io.quarkus.websockets.next.WebSocket;
.Use standard security annotation to secure an HTTP upgrade
@PermissionsAllowed("product:premium")
@WebSocket(path = "/product/premium")
public class PremiumProductEndpoint {
@OnTextMessage
PremiumProduct getPremiumProduct(int productId) {
return new PremiumProduct(productId);
}
}
----

.Example of a permission checker authorizing the HTTP upgrade
[source, java]
----
package io.quarkus.websockets.next.test.security;
import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.PermissionChecker;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;
@ApplicationScoped
public class PermissionChecker {
@PermissionChecker("product:premium")
public boolean canGetPremiumProduct(SecurityIdentity securityIdentity) { <1>
String username = currentIdentity.getPrincipal().getName();
RoutingContext routingContext = HttpSecurityUtils.getRoutingContextAttribute(securityIdentity);
String initialHttpUpgradePath = routingContext == null ? null : routingContext.normalizedPath();
if (!isUserAllowedToAccessPath(initialHttpUpgradePath, username)) {
return false;
}
return isPremiumCustomer(username);
}
}
----
<1> A permission checker authorizing an HTTP upgrade must declare exactly one method parameter, the `SecurityIdentity`.

It is also possible to run security checks on every message. For example, a message payload can be accessed like this:

[source, java]
----
package io.quarkus.websockets.next.test.security;
import io.quarkus.security.PermissionChecker;
import io.quarkus.security.PermissionsAllowed;
import jakarta.inject.Inject;
import io.quarkus.security.ForbiddenException;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.websockets.next.OnError;
import io.quarkus.websockets.next.OnOpen;
import io.quarkus.websockets.next.OnTextMessage;
import io.quarkus.websockets.next.WebSocket;
@Authenticated <1>
@WebSocket(path = "/end")
public class Endpoint {
@WebSocket(path = "/product")
public class ProductEndpoint {
private record Product(int id, String name) {}
@Inject
SecurityIdentity currentIdentity;
@OnOpen
String open() {
return "ready";
}
@PermissionsAllowed("product:get")
@OnTextMessage
String echo(String message) {
return message;
Product getProduct(int productId) { <1>
return new Product(productId, "Product " + productId);
}
}
----
<1> Initial HTTP handshake ends with the 401 status for anonymous users.
You can also redirect the handshake request on authorization failure with the `quarkus.websockets-next.server.security.auth-failure-redirect-url` configuration property.
IMPORTANT: HTTP upgrade is only secured when a security annotation is declared on an endpoint class next to the `@WebSocket` annotation.
Placing a security annotation on an endpoint bean will not secure bean methods, only the HTTP upgrade.
You must always verify that your endpoint is secured as intended.
@OnError
String error(ForbiddenException t) { <2>
return "forbidden:" + currentIdentity.getPrincipal().getName();
}
.Use HTTP Security policy to secure an HTTP upgrade
[source,properties]
----
quarkus.http.auth.permission.http-upgrade.paths=/end
quarkus.http.auth.permission.http-upgrade.policy=authenticated
@PermissionChecker("product:get")
boolean canGetProduct(int productId) {
String username = currentIdentity.getPrincipal().getName();
return currentIdentity.hasRole("admin") || canUserGetProduct(productId, username);
}
}
----
<1> The `getProduct` callback method can only be invoked if the current security identity has an `admin` role or the user is allowed to get the product detail.
<2> The error handler is invoked in case of the authorization failure.

=== Inspect and/or reject HTTP upgrade

Expand Down
Original file line number Diff line number Diff line change
@@ -1,10 +1,16 @@
package io.quarkus.security.runtime;

import java.security.Permission;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Predicate;

import io.quarkus.security.ForbiddenException;
import io.quarkus.security.credential.Credential;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
Expand Down Expand Up @@ -33,38 +39,131 @@ public Throwable apply(Throwable throwable) {
return new ForbiddenException(throwable);
}
};
// keep in sync with HttpSecurityUtils
private static final String ROUTING_CONTEXT_ATTRIBUTE = "quarkus.http.routing.context";

private final BlockingSecurityExecutor blockingExecutor;
private final BiFunction<SecurityIdentity, Permission, Uni<Boolean>> permissionChecker;

QuarkusPermissionSecurityIdentityAugmentor(BlockingSecurityExecutor blockingExecutor) {
this.blockingExecutor = blockingExecutor;
this.permissionChecker = new BiFunction<SecurityIdentity, Permission, Uni<Boolean>>() {
@Override
public Uni<Boolean> apply(SecurityIdentity finalIdentity, Permission requiredpermission) {
if (requiredpermission instanceof QuarkusPermission<?> quarkusPermission) {
return quarkusPermission
.isGranted(finalIdentity, blockingExecutor)
.onFailure(NOT_A_FORBIDDEN_EXCEPTION).transform(WRAP_WITH_FORBIDDEN_EXCEPTION);
}
return Uni.createFrom().item(false);
}
};
}

@Override
public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context,
Map<String, Object> attributes) {
if (identity.isAnonymous()) {
return Uni.createFrom().item(identity);
}

return Uni.createFrom().item(QuarkusSecurityIdentity
.builder(identity)
.addPermissionChecker(new Function<>() {
@Override
public Uni<Boolean> apply(Permission requiredpermission) {
if (requiredpermission instanceof QuarkusPermission<?> quarkusPermission) {
return quarkusPermission
.isGranted(identity, blockingExecutor)
.onFailure(NOT_A_FORBIDDEN_EXCEPTION).transform(WRAP_WITH_FORBIDDEN_EXCEPTION);
}
return Uni.createFrom().item(false);
}
})
.build());
return Uni.createFrom().item(
new PermissionCheckerIdentityDecorator(identity, attributes.get(ROUTING_CONTEXT_ATTRIBUTE), permissionChecker));
}

@Override
public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
return augment(identity, context, Map.of());
}

@Override
public int priority() {
// we do not rely on this value and always add this augmentor as the last one manually
return Integer.MAX_VALUE;
}

private static final class PermissionCheckerIdentityDecorator implements SecurityIdentity {

private final SecurityIdentity delegate;
private final Object routingContext;
private final BiFunction<SecurityIdentity, Permission, Uni<Boolean>> permissionChecker;

private PermissionCheckerIdentityDecorator(SecurityIdentity delegate, Object routingContext,
BiFunction<SecurityIdentity, Permission, Uni<Boolean>> permissionChecker) {
this.delegate = delegate;
this.routingContext = routingContext;
this.permissionChecker = permissionChecker;
}

@Override
public Principal getPrincipal() {
return delegate.getPrincipal();
}

@Override
public <T extends Principal> T getPrincipal(Class<T> clazz) {
return delegate.getPrincipal(clazz);
}

@Override
public boolean isAnonymous() {
return false;
}

@Override
public Set<String> getRoles() {
return delegate.getRoles();
}

@Override
public boolean hasRole(String s) {
return delegate.hasRole(s);
}

@Override
public <T extends Credential> T getCredential(Class<T> aClass) {
return delegate.getCredential(aClass);
}

@Override
public Set<Credential> getCredentials() {
return delegate.getCredentials();
}

@SuppressWarnings("unchecked")
@Override
public <T> T getAttribute(String s) {
if (ROUTING_CONTEXT_ATTRIBUTE.equals(s)) {
return (T) routingContext;
}
return delegate.getAttribute(s);
}

@Override
public Map<String, Object> getAttributes() {
if (routingContext != null) {
Map<String, Object> attributes = new HashMap<>(delegate.getAttributes());
attributes.put(ROUTING_CONTEXT_ATTRIBUTE, routingContext);
return attributes;
}
return delegate.getAttributes();
}

@Override
public Uni<Boolean> checkPermission(Permission permission) {
return permissionChecker.apply(this, permission)
.flatMap(new Function<Boolean, Uni<? extends Boolean>>() {
@Override
public Uni<? extends Boolean> apply(Boolean accessGranted) {
if (Boolean.TRUE.equals(accessGranted)) {
return Uni.createFrom().item(true);
}
return delegate.checkPermission(permission);
}
});
}

@Override
public boolean checkPermissionBlocking(Permission permission) {
return checkPermission(permission).await().indefinitely();
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ public List<AnnotationInstance> getTransitiveInstances() {
return transitiveInstances;
}

private boolean hasPermissionsAllowed(List<AnnotationInstance> instances) {
public boolean hasPermissionsAllowed(List<AnnotationInstance> instances) {
return instances.stream().anyMatch(ai -> metaAnnotationNames.contains(ai.name()));
}

Expand Down
Loading

0 comments on commit e7cd9c7

Please sign in to comment.