Obtain currently logged in user/principal in Interceptor of annotation used in JAX-RS endpoint

[joerg-db]

Hi,

I have a JAX-RS endpoint and a custom annotation used in that endpoint that needs to determine the current userid. How is that possible ?

JAX-RS endpoint method looks like this :
@get
@path("/getActiveProfile")
@CheckPermission(action = "action", resource = { "button" })

Within the Interceptor I need to get the username of the currently logged in user to check if the user has the permission to click the button. I tried various approached injecting a SecurityContext or SecurityIdentity, bit none of these work inside the Interceptor.

Any idea how I can get the username inside the Interceptor ?

Any help appreciated.

[gsmet]

/cc @sberyozkin

[sberyozkin]

@joerg-db Hi, do you mean that SecurityIdentity is not injected in a CDI interceptor bound to a specific JAX-RS method ?

Does your endpoint class have @Authenticated ? Have you tried ContainerRequestFilter ?

[joerg-db]

Hi,

by looking at the impl. of @RolesAllowed in quarkus (as it does a similar thing) I meanwhile found a way that works for me:

@Inject
SecurityIdentityAssociation identity;
String subject = identity.getIdentity().getPrincipal().getName()

That works if the context is secured (I use @testsecurity to login a user) and the respective @CheckPermission annotation can be applied to JAX-RS endpoints as well as plain Java methods.

So my problem is actually resolved and my question is answered (as long as there are no objections against my solution).

Thx

[sberyozkin]

@joerg-db Good it works for you, though I'm curious why injecting SecurityIdentityAssociation works while injecting SecurityIdentity does not. If you can provide more details about your set up, with the reproducer if possible, then we can try to investigate

[joerg-db]

@joerg-db Good it works for you, though I'm curious why injecting SecurityIdentityAssociation works while injecting SecurityIdentity does not. If you can provide more details about your set up, with the reproducer if possible, then we can try to investigate

I no longer remember if I tested to inject "SecurityIdentity" - will try that out and let you know. I did test injecting SecurityContext and whilst the inject works, the SecurityContext has no user Principal (getName returns empty string).

[joerg-db]

I did some more test and can confirm that injecting SecurityIdentity (instead of SecurityIdentyAssociation) also works fine. Thx

[sberyozkin]

@joerg-db Thanks, re SecurityContext, it is probably empty because of the order in which your filter runs, it can be investigated further with the reproducer