-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fine-grained rules for authentication and authorization #113
Comments
I think this is related with #124 which could use spec clarification. Apparently some implementations only authenticate / validate if you have a |
@dblevins Hi David, I've suggested to clarify that for the purpose of this spec |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Current rules of MicroProfile-JWT is that when MP-JWT is enabled, all of the application requires a JWT for requests to be successful. It should be possible to allow specific parts (endpoints or paths) of the application to not require a JWT.
While use of javax.annotation.security.PermitAll seems the most obvious, consider this usecase:
In the above fictitious scenario, the user clearly intends that red and blue can be invoked by a user with the
artist
role and green can be invoked by a user regardless of role. In all cases, the code clearly expects there to be an authenticated user.When we discuss this feature we need to enable users to define:
The second case is for overriding class-level uses of @RolesAllowed and is the original intent of @permitAll. Whether or not this requires a user to be logged in -- the first case -- is not addressed or covered.
If @RolesAllowed, @permitAll and @Denyall are determined to be strictly for authorization, then new annotations need to be created to denote if authentication is required.
The text was updated successfully, but these errors were encountered: