Support complex wildcard path matching for authorization of web endpoints #14047

Closed
codependent opened this issue Dec 24, 2020 · 6 comments · Fixed by #37192
Labels
area/security kind/enhancement New feature or request
@codependent

Description
According to the documentation, path matching supports wildcards at the end of the path:

> Permission sets can also specify paths and methods as a comma separated list. If a path ends with * then it is considered to be a wildcard match and will match all sub paths, otherwise it is an exact match and will only match that specific path

There is a clear limitation regarding the usage of wildcards which doesn't allow us to compose complex authorization expressions.

This use case has come up on many occasions, in which I have an API that requires an authorization config like:

/api/clients/{clientid}/accounts -> needs to be private
/api/clients/{clientid}/public-profile -> needs to be public

This could be configured like this:

```yaml
quarkus:
  http:
    port: 8081
    cors: false
    auth:
      permission:
        permit1:
          policy: permit
          paths: /api/clientes/*/public-profile
          methods: GET,HEAD,POST,PUT,OPTION,PATCH
        authenticated:
          policy: authenticated
          paths: /api/clientes/*/accounts
          methods: GET,HEAD,POST,PUT,OPTION,PATCH
```

However, this isn't supported since wildcards are only allowed at the end of the path.

Could you consider supporting it?

@codependent codependent added the kind/enhancement New feature or request label Dec 24, 2020
@ghost ghost added the triage/needs-triage label Dec 24, 2020
@codependent codependent changed the title Support complex wildcar path matching for authorization of web endpoints Support complex wildcard path matching for authorization of web endpoints Dec 24, 2020
@sberyozkin
Member

CC @stuartwdouglas

@promosrene

Is there any hint as to how the requirement can be fulfilled?

@quarkus-bot

quarkus-bot bot commented Jun 8, 2022

/cc @sberyozkin

@sonnb

sonnb commented Jul 31, 2023

I am having the same issue in which I need to use the wildcard both at the beginning and the end of the path. Sometimes it works, sometimes not. I cannot make the public path stable enough to be used.

@sonnb

sonnb commented Jul 31, 2023

Our resource has something like:

```java
@Path("{tenant}/data/resources/tenants")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public class TenantResource {
    // ... resource methods not shown in the original comment
}
```

And the application.properties:

```properties
# Public path
quarkus.http.auth.permission.tenants.paths=*/data/resources/tenants/*
quarkus.http.auth.permission.tenants.policy=permit
# HTTP Security Configuration
quarkus.http.auth.permission.authenticated.paths=*
quarkus.http.auth.permission.authenticated.policy=authenticated
```

@michalvavrik
Member

> I am having the same issue in which I need to use the wildcard both at the beginning and the end of the path. Sometimes it works, sometimes not. I cannot make the public path stable enough to be used.

Hey @sonnb, wildcards are only supported at the end. We should implement this issue though, I am going to have a look.
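
A configuration check for the limitation discussed in this thread, as an added example that is not part of the original issue or Quarkus's own code: `documented_match` models only the rule quoted from the documentation (it is not Quarkus's actual matcher), and `inner_wildcards` flags `paths` entries in an `application.properties` text that contain a `*` anywhere other than the end. The function names and the sample input are constructed for illustration; the property keys and paths are the ones posted above.

```python
import re

# Property key that carries the path list of one permission set.
PATHS_KEY = re.compile(r"^quarkus\.http\.auth\.permission\.([^.]+)\.paths$")

# Constructed sample: the permit rule from the issue description (rewritten as a
# property) followed by the properties posted in the comments.
SAMPLE = """\
quarkus.http.auth.permission.permit1.paths=/api/clientes/*/public-profile
quarkus.http.auth.permission.permit1.policy=permit
#Public path
quarkus.http.auth.permission.tenants.paths=*/data/resources/tenants/*
quarkus.http.auth.permission.tenants.policy=permit
quarkus.http.auth.permission.authenticated.paths=*
quarkus.http.auth.permission.authenticated.policy=authenticated
"""


def documented_match(pattern: str, request_path: str) -> bool:
    """Rule quoted in the issue: a trailing * matches all sub paths,
    any other pattern is an exact match (assumption: nothing else applies)."""
    if pattern.endswith("*"):
        return request_path.startswith(pattern[:-1])
    return request_path == pattern


def inner_wildcards(properties_text: str) -> list[tuple[str, str]]:
    """Return (permission set, path) pairs whose path has a * before its last character."""
    findings = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        found = PATHS_KEY.match(key)
        if not found:
            continue
        for path in (p.strip() for p in value.split(",")):
            if "*" in path[:-1]:  # a lone trailing * is the supported form
                findings.append((found.group(1), path))
    return findings


if __name__ == "__main__":
    for name, path in inner_wildcards(SAMPLE):
        print(f"{name}: '{path}' has a wildcard that is not at the end")
    # Literal comparison only: the intended request path is not covered.
    print(documented_match("/api/clientes/*/accounts", "/api/clientes/42/accounts"))
```

Under the documented rule a flagged pattern is compared literally, so an `authenticated` rule written as `/api/clientes/*/accounts` does not cover the requests it was meant to protect.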
