Quarkus Security Simple REST API - Quarkus-security Typing CST Test
Loading…
Quarkus Security Simple REST API — Quarkus-security Code
Demonstrates a simple Quarkus REST API with JWT authentication and role-based access control.
@Path("/todos")
@RolesAllowed({"USER"})
public class TodoResource {
@GET
public List<String> getTodos() {
return Arrays.asList("Task 1", "Task 2");
}
}
// application.properties
quarkus.http.auth.permission.todos.paths=/todos
quarkus.http.auth.permission.todos.policy=authenticated
quarkus.smallrye-jwt.enabled=trueQuarkus-security Language Guide
Quarkus Security is a comprehensive security framework within the Quarkus ecosystem, designed to provide authentication, authorization, and identity management for Java applications, particularly for cloud-native and reactive applications.
Primary Use Cases
- ▸JWT and OAuth2-based authentication
- ▸Role-based access control (RBAC)
- ▸Integration with LDAP or external identity providers
- ▸Securing REST endpoints and reactive routes
- ▸Microservices security in cloud environments
Notable Features
- ▸Annotation-based authentication and authorization
- ▸JWT, OAuth2, and basic authentication support
- ▸Integration with identity providers like Keycloak
- ▸Support for reactive and imperative security
- ▸Flexible configuration via properties and application code
Origin & Creator
Created by Red Hat as part of the Quarkus project in 2019.
Industrial Note
Quarkus Security is often used in microservices, Kubernetes-native applications, and serverless environments where fast startup, lightweight footprint, and secure authentication are critical.
Quick Explain
- ▸Quarkus Security integrates seamlessly with Quarkus extensions like JWT, OAuth2, and LDAP for authentication and authorization.
- ▸Supports both imperative and reactive programming models.
- ▸Provides annotation-based security for methods and endpoints.
- ▸Easily configurable with properties and external identity providers.
- ▸Designed for low memory footprint and fast startup suitable for cloud-native deployments.
Core Features
- ▸Endpoint security annotations (`@RolesAllowed`, `@Authenticated`)
- ▸Identity provider integration (OIDC, LDAP, custom)
- ▸JWT token verification and generation
- ▸Security context propagation in reactive streams
- ▸Custom identity and credential handling
Learning Path
- ▸Learn basic Quarkus framework
- ▸Understand Java security and authentication concepts
- ▸Learn JWT, OAuth2, and identity provider integration
- ▸Practice securing REST and reactive endpoints
- ▸Build small secure microservices and expand complexity
Practical Examples
- ▸Secure a REST API endpoint using `@RolesAllowed`
- ▸Implement JWT authentication for a microservice
- ▸Integrate with Keycloak for OAuth2 SSO
- ▸Use reactive security in a REST application
- ▸Create a custom identity provider for specialized authentication
Comparisons
- ▸Quarkus Security vs Spring Security: Quarkus lightweight, cloud-native, reactive-ready; Spring mature with larger ecosystem
- ▸Quarkus Security vs Keycloak alone: Quarkus integrates authentication directly in code; Keycloak handles external SSO
- ▸Quarkus Security vs Micronaut Security: Both lightweight, Quarkus has native image support
- ▸Quarkus Security vs Apache Shiro: Quarkus better integrated with Quarkus ecosystem
- ▸Quarkus Security vs Node.js Passport.js: Quarkus Java-based, compiled, and reactive; Passport.js dynamic and Node-based
Strengths
- ▸Lightweight and fast startup suitable for cloud-native apps
- ▸Tight integration with Quarkus ecosystem and extensions
- ▸Supports both traditional and reactive Java applications
- ▸Flexible authentication and authorization mechanisms
- ▸Scales well in microservices and serverless deployments
Limitations
- ▸Requires familiarity with Quarkus and Java security APIs
- ▸Reactive security has a learning curve for developers new to reactive programming
- ▸Limited out-of-the-box UI for managing users
- ▸Relies on external identity providers for advanced SSO and federation
- ▸Some advanced security patterns require additional configuration
When NOT to Use
- ▸Applications that do not require authentication/authorization
- ▸Small scripts or prototypes where Quarkus overhead is unnecessary
- ▸Teams unfamiliar with Java or Quarkus
- ▸When only external security proxies are used and no in-app security is needed
- ▸Very simple microservices where security is handled externally
Cheat Sheet
- ▸Add Quarkus Security extensions via Maven/Gradle
- ▸Use `@Authenticated` to secure endpoints
- ▸Use `@RolesAllowed` to enforce roles
- ▸Configure JWT/OAuth2 properties in `application.properties`
- ▸Test security flows with integration tests
FAQ
- ▸Is Quarkus Security open-source? -> Yes, Apache 2.0 license.
- ▸Does it support JWT? -> Yes, built-in JWT support.
- ▸Can it be used with reactive endpoints? -> Yes, fully supported.
- ▸Does it integrate with Keycloak? -> Yes, native OIDC integration.
- ▸How to test secured endpoints? -> Unit and integration tests with mocked or real identity providers.
30-Day Skill Plan
- ▸Week 1: Setup Quarkus Security with basic authentication
- ▸Week 2: Implement JWT-based secured endpoints
- ▸Week 3: Integrate OAuth2 with Keycloak
- ▸Week 4: Apply reactive security in microservices
- ▸Week 5: Test, optimize, and deploy secure applications
Final Summary
- ▸Quarkus Security provides authentication, authorization, and identity management.
- ▸Supports JWT, OAuth2, and integration with external identity providers.
- ▸Annotation-driven security simplifies endpoint protection.
- ▸Optimized for cloud-native, reactive, and native-image applications.
- ▸Integrates seamlessly with Quarkus extensions for microservices and serverless security.
Project Structure
- ▸src/main/java - application code including secured endpoints
- ▸src/main/resources - configuration files (`application.properties`)
- ▸src/test/java - security integration tests
- ▸pom.xml or build.gradle - dependency management
- ▸Optional security extensions directory for custom providers
Monetization
- ▸Quarkus Security is open-source (Apache 2.0)
- ▸Commercial support via Red Hat for enterprise use
- ▸Reduces operational risk by securing microservices
- ▸Integration with observability tools lowers downtime
- ▸Enables enterprise-grade security compliance
Productivity Tips
- ▸Use annotations for consistent security
- ▸Leverage built-in JWT/OAuth2 support
- ▸Keep identity providers and roles centralized
- ▸Write reusable security utilities
- ▸Regularly test authentication flows in CI/CD
Basic Concepts
- ▸Identity - the authenticated user or system
- ▸Credential - information proving identity (password, token, certificate)
- ▸Roles - permissions assigned to identities
- ▸Security context - runtime representation of identity and roles
- ▸Annotations - declarative way to secure methods/endpoints
Official Docs
- ▸https://quarkus.io/guides/security
- ▸Quarkus Security GitHub repository
- ▸Community forums and Zulip chat