Required authorization propagated from the class level (helidon-io#9137)

Signed-off-by: David Kral <david.k.kral@oracle.com>
tvallin · Aug 14, 2024 · 18e893e · 18e893e
1 parent ade9166
commit 18e893e
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 6 deletions.
diff --git a/microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityDefinition.java b/microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityDefinition.java
@@ -85,6 +85,7 @@ public String toString() {
     SecurityDefinition copyMe() {
         SecurityDefinition result = new SecurityDefinition();
         result.requiresAuthentication = this.requiresAuthentication;
+        result.requiresAuthorization = this.requiresAuthorization;
         result.failOnFailureIfOptional = this.failOnFailureIfOptional;
         result.authnOptional = this.authnOptional;
         result.authenticator = this.authenticator;

diff --git a/...n/src/main/java/io/helidon/tests/integration/security/annotation/SecondAdminResource.java b/...n/src/main/java/io/helidon/tests/integration/security/annotation/SecondAdminResource.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2024 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.tests.integration.security.annotation;
+
+import io.helidon.security.annotations.Authenticated;
+import io.helidon.security.annotations.Authorized;
+
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+/**
+ * An admin resource that should not be accessible without proper credentials.
+ */
+@Authenticated
+@Authorized(false)
+@Path("/admin2")
+public class SecondAdminResource {
+
+
+    /**
+     * The resource.
+     *
+     * @return admin secret.
+     */
+    @GET
+    @Authorized
+    @RolesAllowed("admin")
+    public String admin() {
+        return "admin";
+    }
+
+
+    /**
+     * The resource.
+     *
+     * @return admin secret.
+     */
+    @GET
+    @Path("/unauthorized")
+    @RolesAllowed("admin")
+    public String unauthorizedAdmin() {
+        return "unauthorized admin";
+    }
+
+}
diff --git a/...-annotation/src/test/java/io/helidon/tests/integration/security/pathparams/AdminTest.java b/...-annotation/src/test/java/io/helidon/tests/integration/security/pathparams/AdminTest.java
@@ -33,13 +33,32 @@ class AdminTest {
 
     @Test
     void testProtectedAdminEndpoint(WebTarget target) {
-        try (Response response = target.path("/admin")
+        testProtectedAdmin(target, "/admin");
+    }
+
+    @Test
+    void testProtectedAdmin2Endpoint(WebTarget target) {
+        testProtectedAdmin(target, "/admin2");
+    }
+
+    @Test
+    void testUnauthorizedAdminEndpoint(WebTarget target) {
+        testUnprotectedAdmin(target, "/admin/unauthorized");
+    }
+
+    @Test
+    void testUnauthorizedAdmin2Endpoint(WebTarget target) {
+        testUnprotectedAdmin(target, "/admin2/unauthorized");
+    }
+
+    private void testProtectedAdmin(WebTarget target, String endpoint) {
+        try (Response response = target.path(endpoint)
                 .request()
                 .header("Authorization", basic("fail"))
                 .get()) {
             assertThat(response.getStatus(), is(Status.FORBIDDEN_403.code()));
         }
-        try (Response response = target.path("/admin")
+        try (Response response = target.path(endpoint)
                 .request()
                 .header("Authorization", basic("success"))
                 .get()) {
@@ -48,16 +67,15 @@ void testProtectedAdminEndpoint(WebTarget target) {
         }
     }
 
-    @Test
-    void testUnauthorizedAdminEndpoint(WebTarget target) {
-        try (Response response = target.path("/admin/unauthorized")
+    private void testUnprotectedAdmin(WebTarget target, String endpoint) {
+        try (Response response = target.path(endpoint)
                 .request()
                 .header("Authorization", basic("fail"))
                 .get()) {
             assertThat(response.getStatus(), is(Status.OK_200.code()));
             assertThat(response.readEntity(String.class), is("unauthorized admin"));
         }
-        try (Response response = target.path("/admin/unauthorized")
+        try (Response response = target.path(endpoint)
                 .request()
                 .header("Authorization", basic("success"))
                 .get()) {