SPI for performed authorization checks #26549

Closed
knutwannheden opened this issue Jul 4, 2022 · 4 comments · Fixed by #37472
Labels: area/security, kind/enhancement (New feature or request)
Comments

@knutwannheden (Contributor):

Description

It would be nice if Quarkus had some kind of callback mechanism which would allow registering a listener which would be notified when an authorization check either failed or succeeded. An application could use this to implement a custom security logging mechanism.

Currently, this is not so simple, because depending on whether the authorization rules are declared using annotations (@RolesAllowed et al.) or config properties (quarkus.http.auth.*) and depending on whether the outcome of the check was "allow" or "deny", different hooks need to be used, which could possibly also conflict with other uses of those hooks.

Implementation ideas

One idea would be to fire CDI events with the details.
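A sketch of what the CDI-event idea could look like, added here as an illustration; this is not code from the issue or from Quarkus, and every type and method name in it (AuthorizationCheckEvent, AuthorizationCheckPublisher, SecurityAuditObserver, publish) is hypothetical. The framework side fires one event carrying the outcome of a check regardless of whether the rule came from annotations or config properties, so an application only needs a single @Observes method to build its own security log. The publisher also shows how to skip building and firing the event when no observer is registered, so applications that never listen pay nothing for the hook.

```java
// Added example, not part of the issue or of Quarkus. All names below are
// hypothetical; only the jakarta.enterprise and jboss-logging APIs are real.
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.event.Event;
import jakarta.enterprise.event.Observes;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.inject.Inject;
import org.jboss.logging.Logger;

/** Hypothetical event payload: who was checked, against what, and the outcome. */
record AuthorizationCheckEvent(String principal, String resource, boolean allowed, String reason) {}

/**
 * Hypothetical framework side: called once the allow/deny decision is known,
 * whether the rule came from @RolesAllowed or from quarkus.http.auth.* config.
 */
@ApplicationScoped
class AuthorizationCheckPublisher {

    @Inject
    Event<AuthorizationCheckEvent> events;

    @Inject
    BeanManager beanManager;

    void publish(String principal, String resource, boolean allowed, String reason) {
        AuthorizationCheckEvent event = new AuthorizationCheckEvent(principal, resource, allowed, reason);
        // Fire only if somebody observes this event type, so applications without a
        // listener do not pay for event delivery. resolveObserverMethods is standard CDI;
        // in production the result should be cached rather than resolved per check.
        if (beanManager.resolveObserverMethods(event).isEmpty()) {
            return;
        }
        events.fire(event);
    }
}

/** Application side: a custom security log built on the single event type. */
@ApplicationScoped
class SecurityAuditObserver {

    private static final Logger LOG = Logger.getLogger(SecurityAuditObserver.class);

    // One observer covers both outcomes; no need to hook different
    // annotation or config code paths.
    void onAuthorizationCheck(@Observes AuthorizationCheckEvent e) {
        if (e.allowed()) {
            LOG.infof("authz ALLOW principal=%s resource=%s", e.principal(), e.resource());
        } else {
            // Log the principal and the reason, never the credentials used to obtain the identity.
            LOG.warnf("authz DENY principal=%s resource=%s reason=%s",
                    e.principal(), e.resource(), e.reason());
        }
    }
}
```

In a real deployment the observer would typically be asynchronous (@ObservesAsync) or write to a dedicated audit appender so that a slow log sink cannot delay request handling.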

@knutwannheden knutwannheden added the kind/enhancement New feature or request label Jul 4, 2022
@knutwannheden (Contributor, Author):

/cc @sberyozkin

@knutwannheden knutwannheden changed the title Callback mechanism for performed authorization checks SPI for performed authorization checks Jul 5, 2022
@sberyozkin (Member):

@michalvavrik This is an interesting one. I suppose if users have an @Observes for a security authentication or authorization outcome event, the events can be sent, and then, later, Quarkus can provide a default one, via SPI, in a standalone extension, which will log everything. It will likely become more important quite soon.

@michalvavrik michalvavrik self-assigned this Nov 27, 2023
@michalvavrik (Member):

I'm on board with a CDI-events-based solution. I think it is important that we only do it when the user is observing the event, so that there is no additional cost for others.

@michalvavrik (Member):

I think this can be the first step for security-related logging improvements, as people are asking for it from time to time.
