Merge pull request #86 from com-pas/doc-security

Dennis Labordus · web-flow · commit c4899e8cdb15 · 2021-08-31T10:44:15.000+02:00
Added security description + roles to Readme.
diff --git a/README.md b/README.md
@@ -71,3 +71,48 @@ You can then execute your native executable with: `./app/target/code-with-quarku
 
 If you want to learn more about building native executables, please consult https://quarkus.io/guides/maven-tooling.html
 .
+
+## Security
+
+To use most of the endpoints the users needs to be authenticated using JWT in the authorization header. There are 4
+environment variables that can be set in the container to configure the validation/processing of the JWT.
+
+| Environment variable             | Java Property                    | Description                                        | Example                                                                |
+| -------------------------------- | -------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------------- |
+| JWT_VERIFY_KEY                   | smallrye.jwt.verify.key.location | Location of certificates to verify the JWT.        | http://localhost:8089/auth/realms/compas/protocol/openid-connect/certs |
+| JWT_VERIFY_ISSUER                | mp.jwt.verify.issuer             | The issuer of the JWT.                             | http://localhost:8089/auth/realms/compas                               |
+| JWT_VERIFY_CLIENT_ID             | mp.jwt.verify.audiences          | The Client ID that should be in the "aud" claim.   | scl-data-service                                                       |
+| JWT_GROUPS_PATH                  | smallrye.jwt.path.groups         | The JSON Path where to find the roles of the user. | resource_access/scl-data-service/roles                                 |
+
+The application uses the following list of roles. The fine-grained roles are built up of the types of SCL Files this
+service supports and the rights READ/CREATE/UPDATE/DElETE. This way the mapping of the roles to groups/users can be
+configured as needed.
+
+- ICD_CREATE
+- ICD_DELETE
+- ICD_READ
+- ICD_UPDATE
+- SCD_CREATE
+- SCD_DELETE
+- SCD_READ
+- SCD_UPDATE
+- SSD_CREATE
+- SSD_DELETE
+- SSD_READ
+- SSD_UPDATE
+- ISD_CREATE
+- ISD_DELETE
+- ISD_READ
+- ISD_UPDATE
+- CID_CREATE
+- CID_DELETE
+- CID_READ
+- CID_UPDATE
+- IID_CREATE
+- IID_DELETE
+- IID_READ
+- IID_UPDATE
+- SED_CREATE
+- SED_DELETE
+- SED_READ
+- SED_UPDATE
