Add RolesAllowed annotation on JAX-RS resource from extension

[antoniomacri]

Hi, I'm writing an extension which should provide a JAX-RS resource with a RolesAllowed annotation based on configuration.

Suppose I have:

@Path("/app")
@ApplicationScoped
public class MyExtensionResource {
    @GET
    public String hello() {
        return "Hello";
    }
}

and I need to add a @RolesAllowed("MY_ROLE") to the hello method.

I've come across AdditionalSecurityCheckBuildItem and tried this:

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void addRolesAllowed(CombinedIndexBuildItem index,
                         SecurityCheckRecorder securityCheckRecorder,
                         BuildProducer<AdditionalSecurityCheckBuildItem> additionalSecurityCheckBuildItems
    ) {
        String[] rolesAllowed = new String[]{"MY_ROLE"};
        MethodInfo methodInfo = index.getIndex().getClassByName(MyExtensionResource.class).method("hello");
        additionalSecurityCheckBuildItems.produce(new AdditionalSecurityCheckBuildItem(methodInfo, securityCheckRecorder.rolesAllowed(rolesAllowed)));
    }

However, it does not work: the method is stil publicly accessible.

What I'm doing wrong?

Thanks!

[sberyozkin]

@antoniomacri May be AdditionalSecuredMethodsBuildItem will work better.

You may also want to debug what is going starting from SecurityProcessor.gatherSecurityChecks.

HTTP Security policy can be used to setup such associations indirectly (to paths) declaratively:

https://quarkus.io/guides/security-authorize-web-endpoints-reference