
Enhancing RequestMatcher building for the resource server configuration #3397

Closed
gorbunkov opened this issue Jun 18, 2024 · 3 comments · Fixed by #3398
Labels
breaking changes Fix brings breaking changes in code or behavior in: security size: M
Comments

@gorbunkov
Contributor

gorbunkov commented Jun 18, 2024

Issue Description

Both the Authorization Server and OpenID Connect (OIDC) add-ons configure a resource server in their auto-configurations.

At the project level, URL patterns can be defined as "protected by this resource server" in the following ways:

  1. By implementing the AuthorizedUrlsProvider interface.
  2. By adding the jmix.rest.authenticated-url-patterns application property.

Problems with the Current Implementation

  1. Limited Functionality of AuthorizedUrlsProvider:

    • The AuthorizedUrlsProvider only returns strings with URL patterns, limiting its ability to build complex RequestMatchers (which can include HTTP methods, for example).
  2. Redundant Methods in AuthorizedUrlsProvider:

    • The AuthorizedUrlsProvider has two methods: getAuthenticatedUrlPatterns and getAnonymousUrlPatterns. In most cases, users only need the getAuthenticatedUrlPatterns method. The getAnonymousUrlPatterns implementation is typically empty. Additionally, the interface name AuthorizedUrlsProvider does not imply that it configures anonymous URLs.
    • Imperfect naming: AuthorizedUrlsProvider has the getAuthenticatedUrlPatterns method.
  3. Misplaced Property:

    • The jmix.rest.authenticated-url-patterns property is used by the Authorization Server and OIDC add-ons, but its property processor is located in the REST API module. This property only works if the REST API add-on is included. There is no way to configure access to endpoints using properties when you have only the Authorization Server add-on in the project and not the REST API add-on.

Suggested Improvements

We should rework the way request matchers are configured for the resource server configuration:

  1. Unified Request Matcher Configuration:

    • Request matchers should be configurable for both the Authorization Server and the OIDC add-ons.
  2. Support for Complex Request Matchers:

    • There should be a way to build complex RequestMatchers.
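As an added illustration of the first problem listed above (this is not code from the issue, the PR, or Jmix itself): a string-only provider can name a path but not an HTTP method, whereas a Spring Security RequestMatcher can carry both. The package name and the Collection<String> return type of AuthorizedUrlsProvider are assumed from Jmix core; the /reports/** path and the method list are constructed sample values.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import io.jmix.core.security.AuthorizedUrlsProvider; // assumed package of the interface named in the issue

// String-only provider: every HTTP method on the listed paths is
// treated identically, because a pattern string cannot carry a method.
public class ReportEndpointsProvider implements AuthorizedUrlsProvider {

    @Override
    public Collection<String> getAuthenticatedUrlPatterns() {
        return List.of("/reports/**"); // constructed sample pattern
    }

    @Override
    public Collection<String> getAnonymousUrlPatterns() {
        return List.of(); // typically empty, as the issue notes
    }

    // What the string form cannot express: claiming only GET and POST
    // under /reports/** for this resource server. A request with any
    // other method does not match this matcher at all, so it is not
    // silently treated as "protected by the resource server"; it is
    // handled by whatever other security configuration applies to it.
    public static RequestMatcher methodAwareMatcher() {
        return new OrRequestMatcher(
                new AntPathRequestMatcher("/reports/**", "GET"),
                new AntPathRequestMatcher("/reports/**", "POST"));
    }
}
```

The practical check when reviewing such a configuration is to list, per protected path, which methods are actually covered; with the string-only form the answer is always "all of them", which is usually broader than intended.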
@gorbunkov
Contributor Author

See implementation details in the PR description: #3398

@gorbunkov gorbunkov removed the triage Issue is waiting for triage label Jun 21, 2024
@gorbunkov gorbunkov reopened this Aug 15, 2024
@gorbunkov gorbunkov added the breaking changes Fix brings breaking changes in code or behavior label Aug 15, 2024
@gorbunkov
Contributor Author

gorbunkov commented Aug 15, 2024

Breaking changes:

The Generic REST add-on now requires an explicit endpoint security configuration:

jmix.resource-server.authenticated-url-patterns = /rest/**

Studio issue: https://youtrack.jmix.io/issue/JST-5237

@SergeiAksenov2

Tested on:
Jmix version: 2.4.999-SNAPSHOT
Jmix Studio plugin version: 2.4.SNAPSHOT6786-242
IntelliJ version: IntelliJ IDEA 2024.2.1 (Community Edition)

Checked Url Providers and RequestMatcher Providers - Ok.
