Unclear expectations on secured endpoints #124
Labels: Specification Clarification (an issue that requires a clarification in the specification)

Comments

starksm64 added the Specification Clarification label on Mar 13, 2019
I believe the way out of it (given that some implementations start dealing with the token only if the RBAC annotations are used) is to clarify that having |
When we implemented the specification, we assumed that when an application is annotated with @LoginConfig, the whole application is protected and each request should be authenticated. When implementing the MP Starter project, it seems that other vendors chose the opposite - e.g. only endpoints that have the @RolesAllowed annotation need authentication. Unfortunately the TCK does not test either approach - we pass the TCK tests as I am sure do other vendors.

I would like to hear a clarification on this approach. My 2 cents why I chose the approach we have implemented:

- @RolesAllowed also requires authorization
- @PermitAll escapes both authentication and authorization

This way we can configure endpoints in any combination of authentication, authorization or public access.
If we chose the reverse approach, I cannot find out how to implement an endpoint that is authenticated and not authorized (e.g. we allow any logged in user to access the endpoint).
Please add a TCK test that verifies the approach that is intended by this specification.
Thanks!
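The three endpoint kinds described in the post (authenticated only, authenticated and authorized, public), as an added JAX-RS example that is not part of the issue or of the MicroProfile JWT project; class names, paths, the realm name and the "admin" group are assumed for illustration.

```java
// File: SecuredApplication.java (assumed name)
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

// Under the reading in the issue, this annotation alone makes every request
// to the application require a valid MP-JWT token.
@LoginConfig(authMethod = "MP-JWT", realmName = "example-realm")
@ApplicationPath("/api")
public class SecuredApplication extends Application {
}

// File: AccountsResource.java (assumed name)
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/accounts")
@RequestScoped
public class AccountsResource {

    @Inject
    JsonWebToken jwt;   // the caller's verified token, if the request carried one

    // Authenticated but not authorized: any logged-in user may call it.
    // Under the "only @RolesAllowed needs a token" reading this method would be
    // reachable anonymously, so it fails closed when no subject is present
    // instead of relying on which interpretation the runtime follows.
    @GET
    @Path("/me")
    public Response me() {
        if (jwt == null || jwt.getSubject() == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        return Response.ok("subject=" + jwt.getSubject()).build();
    }

    // Authenticated and authorized: a token is required and its groups claim
    // must contain "admin"; the container enforces both before the method runs.
    @GET
    @Path("/audit")
    @RolesAllowed("admin")
    public Response audit() {
        return Response.ok("audit log for " + jwt.getName()).build();
    }

    // Public: neither authentication nor authorization is applied.
    @GET
    @Path("/status")
    @PermitAll
    public Response status() {
        return Response.ok("up").build();
    }
}
```

Because the TCK does not cover the unannotated case, the explicit subject check in `me()` is what keeps the "authenticated only" endpoint closed regardless of which interpretation a given implementation follows.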