
I have a Quarkus project, and I am trying to secure some of my endpoints with a JWT token.

So far, it doesn't work. Everything is still accessible.

My application.properties:

```properties
quarkus.http.auth.permission.public.paths=/api/bo/authenticate
quarkus.http.auth.permission.public.policy=permit

quarkus.http.auth.policy.admin-role.roles-allowed=ADMINISTRATEUR_SYSTEME
quarkus.http.auth.permission.admin.paths=/api/bo/private/**
quarkus.http.auth.permission.admin.policy=admin-role
quarkus.http.auth.permission.admin.enabled=true

mp.jwt.verify.publickey.location=jwt/publicKey.pem
mp.jwt.verify.issuer=https://xxxxx.fr
quarkus.smallrye-jwt.enabled=true
smallrye.jwt.sign.key.location=jwt/privateKey.pem
```

It is worth noting that the lines

```properties
mp.jwt.verify.publickey.location=jwt/publicKey.pem
mp.jwt.verify.issuer=https://xxxxx.fr
quarkus.smallrye-jwt.enabled=true
smallrye.jwt.sign.key.location=jwt/privateKey.pem
```

are grayed out in my IDE (IntelliJ), and my IDE says they are used neither by my project nor by its dependencies.

Speaking of dependencies, I have this in my pom:

```xml
<dependencies>
  ...
  <dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-smallrye-jwt-build</artifactId>
  </dependency>
  <dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-smallrye-health</artifactId>
  </dependency>
  <dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-smallrye-jwt</artifactId>
  </dependency>
  <dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-smallrye-openapi</artifactId>
  </dependency>
</dependencies>
```

Any idea?

sab
  • Just to be clear: is there an actual resource at `/api/bo` or did you mean to protect all sub-resources `/api/bo/*`? – Turing85 Nov 11 '21 at 22:38
  • @Turing85 I've updated my response: /api/bo/private/** – sab Nov 11 '21 at 22:48
  • Could you try adding a single `*` at the end of the path? I am not quite sure that `**` is "understood correctly" – Turing85 Nov 11 '21 at 22:51
  • Indeed, double `*` may not be understood. If, instead of restricting the access at the configuration level, you can get it correctly protected with `@RolesAllowed`, then it would confirm `**` does not work – Sergey Beryozkin Nov 12 '21 at 09:51
  • I confirm the issue was the /**, which didn't work. /* works – sab Nov 18 '21 at 12:19

1 Answer


The issue was the double "**"; a simple * works just fine:

```properties
quarkus.http.auth.permission.admin.paths=/api/bo/private/*
```

sab
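A regression test for the permission rule discussed above, as an added example that is not part of the original question or answer: it fails whenever the path pattern silently stops matching and the private endpoints become open again. It assumes the `quarkus-junit5` and `rest-assured` test dependencies are present; the sub-path `/api/bo/private/ping` and the role `AUTRE_ROLE` are hypothetical.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not;

import io.quarkus.test.junit.QuarkusTest;
import io.smallrye.jwt.build.Jwt;
import org.junit.jupiter.api.Test;

@QuarkusTest
class PrivatePathPermissionTest {

    // Hypothetical sub-path: any path below /api/bo/private/ exercises the rule.
    private static final String PRIVATE_PATH = "/api/bo/private/ping";

    // Signed with the key at smallrye.jwt.sign.key.location from the page's
    // application.properties; the issuer must equal mp.jwt.verify.issuer.
    private static String tokenWithRole(String role) {
        return Jwt.issuer("https://xxxxx.fr")
                .upn("test-user")   // constructed test principal
                .groups(role)       // the groups claim is mapped to roles
                .sign();
    }

    @Test
    void anonymousRequestIsRejected() {
        // No credentials: the roles-allowed policy must answer 401.
        given().when().get(PRIVATE_PATH).then().statusCode(401);
    }

    @Test
    void wrongRoleIsForbidden() {
        // Valid token, wrong role (hypothetical name): expect 403.
        given().auth().oauth2(tokenWithRole("AUTRE_ROLE"))
                .when().get(PRIVATE_PATH).then().statusCode(403);
    }

    @Test
    void adminRoleIsNotBlockedByThePolicy() {
        // The final status depends on whether a resource exists at the
        // hypothetical path, so only assert that the policy did not block it.
        given().auth().oauth2(tokenWithRole("ADMINISTRATEUR_SYSTEME"))
                .when().get(PRIVATE_PATH)
                .then().statusCode(not(anyOf(is(401), is(403))));
    }
}
```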