1. Home
  2. /
  3. Quarkus-security
  4. /
  5. Quarkus Security Simple REST API

Quarkus Security Simple REST API - Quarkus-security Typing CST Test

Loading…

Quarkus Security Simple REST API — Quarkus-security Code

Demonstrates a simple Quarkus REST API with JWT authentication and role-based access control.

@Path("/todos")
@RolesAllowed({"USER"})
public class TodoResource {

    @GET
    public List<String> getTodos() {
        return Arrays.asList("Task 1", "Task 2");
    }
}

// application.properties
quarkus.http.auth.permission.todos.paths=/todos
quarkus.http.auth.permission.todos.policy=authenticated
quarkus.smallrye-jwt.enabled=true

Quarkus-security Language Guide

Quarkus Security is a comprehensive security framework within the Quarkus ecosystem, designed to provide authentication, authorization, and identity management for Java applications, particularly for cloud-native and reactive applications.

Primary Use Cases

  • ▸JWT and OAuth2-based authentication
  • ▸Role-based access control (RBAC)
  • ▸Integration with LDAP or external identity providers
  • ▸Securing REST endpoints and reactive routes
  • ▸Microservices security in cloud environments

Notable Features

  • ▸Annotation-based authentication and authorization
  • ▸JWT, OAuth2, and basic authentication support
  • ▸Integration with identity providers like Keycloak
  • ▸Support for reactive and imperative security
  • ▸Flexible configuration via properties and application code

Origin & Creator

Created by Red Hat as part of the Quarkus project in 2019.

Industrial Note

Quarkus Security is often used in microservices, Kubernetes-native applications, and serverless environments where fast startup, lightweight footprint, and secure authentication are critical.

Quick Explain

  • ▸Quarkus Security integrates seamlessly with Quarkus extensions like JWT, OAuth2, and LDAP for authentication and authorization.
  • ▸Supports both imperative and reactive programming models.
  • ▸Provides annotation-based security for methods and endpoints.
  • ▸Easily configurable with properties and external identity providers.
  • ▸Designed for low memory footprint and fast startup suitable for cloud-native deployments.

Core Features

  • ▸Endpoint security annotations (`@RolesAllowed`, `@Authenticated`)
  • ▸Identity provider integration (OIDC, LDAP, custom)
  • ▸JWT token verification and generation
  • ▸Security context propagation in reactive streams
  • ▸Custom identity and credential handling

Learning Path

  • ▸Learn basic Quarkus framework
  • ▸Understand Java security and authentication concepts
  • ▸Learn JWT, OAuth2, and identity provider integration
  • ▸Practice securing REST and reactive endpoints
  • ▸Build small secure microservices and expand complexity

Practical Examples

  • ▸Secure a REST API endpoint using `@RolesAllowed`
  • ▸Implement JWT authentication for a microservice
  • ▸Integrate with Keycloak for OAuth2 SSO
  • ▸Use reactive security in a REST application
  • ▸Create a custom identity provider for specialized authentication

Comparisons

  • ▸Quarkus Security vs Spring Security: Quarkus lightweight, cloud-native, reactive-ready; Spring mature with larger ecosystem
  • ▸Quarkus Security vs Keycloak alone: Quarkus integrates authentication directly in code; Keycloak handles external SSO
  • ▸Quarkus Security vs Micronaut Security: Both lightweight, Quarkus has native image support
  • ▸Quarkus Security vs Apache Shiro: Quarkus better integrated with Quarkus ecosystem
  • ▸Quarkus Security vs Node.js Passport.js: Quarkus Java-based, compiled, and reactive; Passport.js dynamic and Node-based

Strengths

  • ▸Lightweight and fast startup suitable for cloud-native apps
  • ▸Tight integration with Quarkus ecosystem and extensions
  • ▸Supports both traditional and reactive Java applications
  • ▸Flexible authentication and authorization mechanisms
  • ▸Scales well in microservices and serverless deployments

Limitations

  • ▸Requires familiarity with Quarkus and Java security APIs
  • ▸Reactive security has a learning curve for developers new to reactive programming
  • ▸Limited out-of-the-box UI for managing users
  • ▸Relies on external identity providers for advanced SSO and federation
  • ▸Some advanced security patterns require additional configuration

When NOT to Use

  • ▸Applications that do not require authentication/authorization
  • ▸Small scripts or prototypes where Quarkus overhead is unnecessary
  • ▸Teams unfamiliar with Java or Quarkus
  • ▸When only external security proxies are used and no in-app security is needed
  • ▸Very simple microservices where security is handled externally

Cheat Sheet

  • ▸Add Quarkus Security extensions via Maven/Gradle
  • ▸Use `@Authenticated` to secure endpoints
  • ▸Use `@RolesAllowed` to enforce roles
  • ▸Configure JWT/OAuth2 properties in `application.properties`
  • ▸Test security flows with integration tests

FAQ

  • ▸Is Quarkus Security open-source? -> Yes, Apache 2.0 license.
  • ▸Does it support JWT? -> Yes, built-in JWT support.
  • ▸Can it be used with reactive endpoints? -> Yes, fully supported.
  • ▸Does it integrate with Keycloak? -> Yes, native OIDC integration.
  • ▸How to test secured endpoints? -> Unit and integration tests with mocked or real identity providers.

30-Day Skill Plan

  • ▸Week 1: Setup Quarkus Security with basic authentication
  • ▸Week 2: Implement JWT-based secured endpoints
  • ▸Week 3: Integrate OAuth2 with Keycloak
  • ▸Week 4: Apply reactive security in microservices
  • ▸Week 5: Test, optimize, and deploy secure applications

Final Summary

  • ▸Quarkus Security provides authentication, authorization, and identity management.
  • ▸Supports JWT, OAuth2, and integration with external identity providers.
  • ▸Annotation-driven security simplifies endpoint protection.
  • ▸Optimized for cloud-native, reactive, and native-image applications.
  • ▸Integrates seamlessly with Quarkus extensions for microservices and serverless security.

Project Structure

  • ▸src/main/java - application code including secured endpoints
  • ▸src/main/resources - configuration files (`application.properties`)
  • ▸src/test/java - security integration tests
  • ▸pom.xml or build.gradle - dependency management
  • ▸Optional security extensions directory for custom providers

Monetization

  • ▸Quarkus Security is open-source (Apache 2.0)
  • ▸Commercial support via Red Hat for enterprise use
  • ▸Reduces operational risk by securing microservices
  • ▸Integration with observability tools lowers downtime
  • ▸Enables enterprise-grade security compliance

Productivity Tips

  • ▸Use annotations for consistent security
  • ▸Leverage built-in JWT/OAuth2 support
  • ▸Keep identity providers and roles centralized
  • ▸Write reusable security utilities
  • ▸Regularly test authentication flows in CI/CD

Basic Concepts

  • ▸Identity - the authenticated user or system
  • ▸Credential - information proving identity (password, token, certificate)
  • ▸Roles - permissions assigned to identities
  • ▸Security context - runtime representation of identity and roles
  • ▸Annotations - declarative way to secure methods/endpoints

Official Docs

  • ▸https://quarkus.io/guides/security
  • ▸Quarkus Security GitHub repository
  • ▸Community forums and Zulip chat

Practice Other Languages

CReactPythonC++RustTypeScriptKotlinPHPJavaC#RubyMqlCqlN1qlCypher