Quarkus: RBAC Security doesn't work with super classes

Created on 18 Dec 2019 · 8 Comments · Source: quarkusio/quarkus

Describe the bug
All my resources which extend from a super class annotated with @RolesAllowed: the security doesn't work.

To Reproduce

  1. Create an abstract class with a @RolesAllowed annotation.
  2. Create a resource class which extends from it.

Environment:

  • Output of java -version: java 8
  • Quarkus version or git rev: 1.0.1.Final
  • Using jdbc security
Labels: area/security, kind/bug, triage/invalid

All 8 comments

I have this problem too.

@michalszynkiewicz Hi Michal, can it be something with the build step preparation where RolesAllowed are checked ?

@lucini @felixgilioli do you define the methods that you want to protect in the superclass or the subclasses?

The implementation follows JSR-250 guidelines for annotation inheritance and applies the class-level security constraints only on the methods that are defined in the class annotated with the given annotation.
If it's not working this way: it's a bug and we have to fix it, it would be great to have some reproducer for it. We have some tests in the Quarkus code base that should cover this case but maybe we are missing something in them.
It's not working... follow the example:


import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// Class-level constraint: it applies to the methods declared in this class.
@RolesAllowed("ADMIN")
public abstract class BaseResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String sayHello() {
        return "Abstract Hello!";
    }
}

// Overrides sayHello() without any @RolesAllowed of its own, so the
// endpoint ends up unprotected (the behaviour reported in this issue).
@Path("son")
public class SonResource extends BaseResource {
    @Override
    public String sayHello() {
        return super.sayHello();
    }
}

An overridden method would not inherit the check. Could you try a method that is inherited and not overridden?

@michalszynkiewicz Inherited method works fine...
Why does the overridden method not inherit the check?
JAX-RS annotations inherit it.

In my opinion it is the expected behavior.

@RolesAllowed is resolved by a CDI interceptor. This is the CDI interceptor: io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor

According to the Quarkus documentation, CDI interceptor methods on superclasses are not implemented yet.

This is actually the expected behaviour. If you override a method then it will have the security of the class that overrides it. You can't actually intercept the super.sayHello() call because it uses invokespecial rather than invokevirtual.
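The practical consequence of the two maintainer replies above (the JSR-250 rule that a class-level @RolesAllowed covers only methods declared in that class, and the note that an overriding method takes the security of the overriding class) is that the constraint has to be restated wherever a method is overridden. The following is an added example, not code from the issue or from the Quarkus project, showing two ways to close the gap in the reporter's BaseResource/SonResource pair, plus a test that checks the endpoint really rejects an anonymous caller. It assumes Quarkus 1.0.x with the javax namespaces, the quarkus-resteasy extension, and the quarkus-junit5 and rest-assured test dependencies; the class and path names are the issue's own, the test class name is a made-up one.

```java
// File: BaseResource.java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// The class-level constraint protects sayHello() only as declared here.
// A subclass that inherits sayHello() untouched keeps the check; a subclass
// that overrides it does not.
@RolesAllowed("ADMIN")
public abstract class BaseResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String sayHello() {
        return "Abstract Hello!";
    }
}

// File: SonResource.java
// Option 1: restate the constraint at class level on the overriding class.
// Every method declared in SonResource, including the override, is covered.
@Path("son")
@RolesAllowed("ADMIN")
public class SonResource extends BaseResource {
    @Override
    public String sayHello() {
        // super.sayHello() is an invokespecial call and is never intercepted,
        // so the check must sit on this method or this class, not on the parent.
        return super.sayHello();
    }
}

// File: DaughterResource.java
// Option 2: restate the constraint on the overriding method alone.
// Use this when the subclass declares other methods that need a different rule.
@Path("daughter")
public class DaughterResource extends BaseResource {
    @Override
    @RolesAllowed("ADMIN")
    public String sayHello() {
        return super.sayHello();
    }
}

// File: SubclassSecurityTest.java (hypothetical name)
// Regression check: an unauthenticated request to an overridden, re-annotated
// method must be rejected. With no credentials the security layer answers 401.
import io.quarkus.test.junit.QuarkusTest;
import io.restassured.RestAssured;
import org.junit.jupiter.api.Test;

@QuarkusTest
public class SubclassSecurityTest {

    @Test
    public void overriddenMethodOnAnnotatedSubclassRequiresAuth() {
        RestAssured.given().when().get("/son").then().statusCode(401);
    }

    @Test
    public void overriddenMethodWithOwnAnnotationRequiresAuth() {
        RestAssured.given().when().get("/daughter").then().statusCode(401);
    }
}
```

Each class goes in its own source file as the file comments indicate. The test is the check worth keeping in the build: it fails the moment someone adds an override to a subclass and forgets to carry the @RolesAllowed across, which is exactly the silent loss of protection this issue describes.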
