We should add access-control and integrate quarkus with keycloak. Before going to quarkus we had this exercise: https://github.com/devonfw-training/java-spring/blob/master/documentation/5-access-control.asciidoc The job was to add `@RolesAllowed` annotations to the use-case methods. See example here: https://github.com/devonfw-training/java-spring/blob/13f01d5b1a3232d1fdabc2b5593c4979e728fbf5/app/core/src/main/java/org/example/app/moviemanagement/logic/impl/usecase/UcFindMovieImpl.java#L34 We also had some test-infrastructure to simulate logins with permissions to make the tests still work and also allow tests verifying that if a permission is not granted, the Use-Case cannot be called. Example: https://github.com/devonfw-training/java-spring/blob/13f01d5b1a3232d1fdabc2b5593c4979e728fbf5/app/core/src/test/java/org/example/app/moviemanagement/logic/impl/usecase/UcFindMovieImplTest.java#L47 This should be achieved with Quarkus standard mechanisms rather than too much home-grown stuff. A nice concept of devonfw was however the concept of hierarchical permissions/groups that were modelled and expanded in the application: https://github.com/devonfw/devon4j/blob/master/documentation/guide-access-control.asciidoc#authorization Example: https://github.com/devonfw-training/java-spring/blob/13f01d5b1a3232d1fdabc2b5593c4979e728fbf5/app/core/src/main/java/org/example/app/general/common/api/security/ApplicationAccessControlConfig.java#L12-L52 ATTENTION: Do not start from scratch. See existing branches: * https://github.com/devonfw-training/java-quarkus/tree/feature/security-keycloak * https://github.com/devonfw-training/java-quarkus/tree/feature/security-keycloak-solution
We should add access-control and integrate quarkus with keycloak.
Before going to quarkus we had this exercise:
https://github.com/devonfw-training/java-spring/blob/master/documentation/5-access-control.asciidoc
The job was to add
@RolesAllowedannotations to the use-case methods. See example here:https://github.com/devonfw-training/java-spring/blob/13f01d5b1a3232d1fdabc2b5593c4979e728fbf5/app/core/src/main/java/org/example/app/moviemanagement/logic/impl/usecase/UcFindMovieImpl.java#L34
We also had some test-infrastructure to simulate logins with permissions to make the tests still work and also allow tests verifying that if a permission is not granted, the Use-Case cannot be called. Example:
https://github.com/devonfw-training/java-spring/blob/13f01d5b1a3232d1fdabc2b5593c4979e728fbf5/app/core/src/test/java/org/example/app/moviemanagement/logic/impl/usecase/UcFindMovieImplTest.java#L47
This should be achieved with Quarkus standard mechanisms rather than too much home-grown stuff.
A nice concept of devonfw was however the concept of hierarchical permissions/groups that were modelled and expanded in the application:
https://github.com/devonfw/devon4j/blob/master/documentation/guide-access-control.asciidoc#authorization
Example:
https://github.com/devonfw-training/java-spring/blob/13f01d5b1a3232d1fdabc2b5593c4979e728fbf5/app/core/src/main/java/org/example/app/general/common/api/security/ApplicationAccessControlConfig.java#L12-L52
ATTENTION: Do not start from scratch.
See existing branches: