I have an application with 2 entities: A and B.

Each of these entities contains a "Workspace":

```java
@Entity
class A {
  private Workspace workspace;
}

@Entity
class B {
  private Workspace workspace;
}
```

For each request that comes in, like a `GET <api>/resourceA` or a `POST <api>/resourceB/{id}/createSomething`, we need to check that the caller (who is logged in through Keycloak and has a JWT) has access to the Workspace that A is part of (or B, in the latter case). It's all "dynamic" as it's based on the ID of the specific object A.

So, for each endpoint (or each Resource, might be all that's needed), we need to call a method that is specific to that endpoint/Resource. We cannot do this with just "Roles", because we need to have that specific check on the IDs, like:

```java
A.getWorkspace().isAccessibleBy(theCallingUser)
```

I know Spring Security has specific methods like "hasRole()" and you can call specific code in the @PreAuthorize annotations, but I haven't seen the same in Quarkus.

Genku
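One way to express the per-object check described in the question, as an added example that is not part of the original post and not Quarkus project code. It assumes Quarkus 3 with the OIDC extension validating the Keycloak token; `WorkspaceGuard`, `AResource`, the in-memory `STORE` and the `String`-based `isAccessibleBy` signature are hypothetical.

```java
// Added example: assumes Quarkus 3 (jakarta.*) with quarkus-oidc validating the Keycloak JWT.
import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

// Hypothetical stand-ins for the question's model; membership keyed by principal name is an assumption.
record Workspace(Set<String> members) {
    boolean isAccessibleBy(String user) { return members.contains(user); }
}
class A {
    private final Workspace workspace;
    A(Workspace workspace) { this.workspace = workspace; }
    Workspace getWorkspace() { return workspace; }
}

// Hypothetical guard bean: the single place where the per-object decision is made.
@ApplicationScoped
class WorkspaceGuard {
    @Inject SecurityIdentity identity;
    <T> T require(T entity, Function<T, Workspace> workspaceOf) {
        // Same 404 for "missing" and "not yours", so ids cannot be probed for existence.
        if (entity == null || identity.isAnonymous()
                || !workspaceOf.apply(entity).isAccessibleBy(identity.getPrincipal().getName())) {
            throw new NotFoundException();
        }
        return entity;
    }
}

@Path("/resourceA")
@Authenticated // rejects requests without a valid token before the method runs
public class AResource {
    // Constructed sample data standing in for the database lookup.
    private static final Map<Long, A> STORE = Map.of(1L, new A(new Workspace(Set.of("alice"))));
    @Inject WorkspaceGuard guard;
    @GET
    @Path("/{id}")
    public String get(@PathParam("id") long id) {
        guard.require(STORE.get(id), A::getWorkspace); // load, then check, then act
        return "A " + id;
    }
}
```

Because the decision needs the loaded object, it runs inside the method after the lookup; a role annotation alone cannot see which Workspace the id resolves to.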