Task Summary
Follow-up to #5199. The microservices now register RolesAllowedDynamicFeature, which enforces @RolesAllowed when present but does nothing for an endpoint that has no role annotation at all — that endpoint is silently public. The *RunSpec mock tests in #5199 only verify the feature is registered; they cannot catch a newly added method that forgot a role annotation.
Add a startup-time check that scans every Jersey resource registered on environment.jersey() and asserts every HTTP-mapped method (@GET / @POST / @PUT / @DELETE / @PATCH / @HEAD / @OPTIONS) carries one of @RolesAllowed, @PermitAll, or @DenyAll (taking class-level annotations into account). Fail fast — log + throw — if any method is unannotated.
This turns "I forgot to annotate" from a silent open hole into a startup error. ConfigResourceAuthSpec partly guards against this regression today, but only for the endpoints it already knows about.
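One shape the startup check could take, as an added sketch rather than code from this repository: a pure-reflection audit over the registered resource classes. It detects HTTP-mapped methods generically, by looking for any annotation that is itself meta-annotated with `@HttpMethod`, so custom verbs are covered as well as the seven listed above; it honours class-level `@RolesAllowed` / `@PermitAll` / `@DenyAll` and skips sub-resource locators. The `javax.*` namespace, the `ResourceAuthAudit` class name and the two sample resources are assumptions, and the Dropwizard wiring in `main` is an assumed call path (`environment.jersey().getResourceConfig()`), not something the issue specifies.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.POST;
import javax.ws.rs.Path;

/**
 * Startup audit: every HTTP-mapped method on every @Path resource must carry
 * @RolesAllowed, @PermitAll or @DenyAll, either on the method or on its class.
 * Assumption: JAX-RS and JSR-250 annotations live in the javax.* namespace.
 */
public final class ResourceAuthAudit {

    private static final List<Class<? extends Annotation>> ROLE_ANNOTATIONS =
            List.of(RolesAllowed.class, PermitAll.class, DenyAll.class);

    /** Returns "Class#method" for every HTTP-mapped method lacking a role annotation. */
    public static List<String> findUnannotated(Collection<Class<?>> candidates) {
        List<String> violations = new ArrayList<>();
        for (Class<?> clazz : candidates) {
            if (!clazz.isAnnotationPresent(Path.class)) {
                continue; // features, filters and exception mappers are not resources
            }
            boolean classHasRole = hasRoleAnnotation(clazz.getAnnotations());
            for (Method m : clazz.getMethods()) {          // public methods, inherited included
                if (!isHttpMapped(m)) continue;             // sub-resource locators, helpers, Object methods
                if (classHasRole || hasRoleAnnotation(m.getAnnotations())) continue;
                violations.add(clazz.getName() + "#" + m.getName());
            }
        }
        return violations;
    }

    /** Fail fast: log every violation, then refuse to start. */
    public static void enforce(Collection<Class<?>> candidates) {
        List<String> violations = findUnannotated(candidates);
        if (violations.isEmpty()) return;
        violations.forEach(v -> System.err.println("Unprotected resource method: " + v));
        throw new IllegalStateException(violations.size()
                + " resource method(s) lack @RolesAllowed/@PermitAll/@DenyAll");
    }

    /** True if any annotation on the method is meta-annotated with @HttpMethod (GET, POST, custom verbs). */
    private static boolean isHttpMapped(Method m) {
        for (Annotation a : m.getAnnotations()) {
            if (a.annotationType().isAnnotationPresent(HttpMethod.class)) return true;
        }
        return false;
    }

    private static boolean hasRoleAnnotation(Annotation[] annotations) {
        for (Annotation a : annotations) {
            if (ROLE_ANNOTATIONS.contains(a.annotationType())) return true;
        }
        return false;
    }

    // ---- constructed sample resources for illustration, not from the project ----
    @Path("/ok")
    @RolesAllowed("admin")
    public static class ClassLevelResource {
        @GET public String get() { return "ok"; }            // covered by the class-level annotation
    }

    @Path("/mixed")
    public static class MixedResource {
        @GET @PermitAll public String health() { return "up"; }   // explicitly public: fine
        @POST public String mutate(String body) { return body; }  // violation: silently public
        @Path("/sub") public Object locator() { return new ClassLevelResource(); } // locator, skipped
    }

    public static void main(String[] args) {
        // Stand-alone run over the constructed resources; reports MixedResource#mutate only.
        List<String> found = findUnannotated(List.of(ClassLevelResource.class, MixedResource.class));
        found.forEach(v -> System.out.println("Unprotected resource method: " + v));

        // Assumed Dropwizard wiring, to be called after every register() in the application's run():
        //   List<Class<?>> all = new ArrayList<>(environment.jersey().getResourceConfig().getClasses());
        //   environment.jersey().getResourceConfig().getSingletons().forEach(o -> all.add(o.getClass()));
        //   enforce(all);
    }
}
```

The audit has to run after the last resource is registered, otherwise a late `register()` escapes it; the end of the application's `run()` method or a server lifecycle hook is the natural place. Class-level `@PermitAll` counts as a deliberate decision here, which matches JSR-250 semantics, but a reviewer may still want `@PermitAll` on a whole class to be called out separately.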
Task Type