Package io.quarkus.vertx.http.runtime

Interface AuthRuntimeConfig

public interface AuthRuntimeConfig
Authentication mechanism information used for configuring HTTP auth instance for the deployment.

  • Method Details

    • permissions

      @WithName("permission") Map<String,PolicyMappingConfig> permissions()
      The HTTP permissions

    • rolePolicy

      @WithName("policy") Map<String,PolicyConfig> rolePolicy()
      The HTTP role based policies

    • rolesMapping

      @ConfigDocMapKey("role-name") Map<String,List<String>> rolesMapping()
      Map the `SecurityIdentity` roles to deployment specific roles and add the matching roles to `SecurityIdentity`.

      For example, if `SecurityIdentity` has a `user` role and the endpoint is secured with a 'UserRole' role, use this property to map the `user` role to the `UserRole` role, and have `SecurityIdentity` to have both `user` and `UserRole` roles.

    • certificateRoleAttribute

      @WithDefault("CN") String certificateRoleAttribute()
      Client certificate attribute whose values are going to be mapped to the 'SecurityIdentity' roles according to the roles mapping specified in the certificate properties file. The attribute must be either one of the Relative Distinguished Names (RDNs) or Subject Alternative Names (SANs). By default, the Common Name (CN) attribute value is used for roles mapping. Supported values are:
      • RDN type - Distinguished Name field. For example 'CN' represents Common Name field. Multivalued RNDs and multiple instances of the same attributes are currently not supported.
      • 'SAN_RFC822' - Subject Alternative Name field RFC 822 Name.
      • 'SAN_URI' - Subject Alternative Name field Uniform Resource Identifier (URI).
      • 'SAN_ANY' - Subject Alternative Name field Other Name. Please note that only simple case of UTF8 identifier mapping is supported. For example, you can map 'other-identifier' to the SecurityIdentity roles. If you use 'openssl' tool, supported Other name definition would look like this: subjectAltName=otherName:1.2.3.4;UTF8:other-identifier

    • certificateRoleProperties

      Optional<Path> certificateRoleProperties()
      Properties file containing the client certificate attribute value to role mappings. Use it only if the mTLS authentication mechanism is enabled with either `quarkus.http.ssl.client-auth=required` or `quarkus.http.ssl.client-auth=request`.

      Properties file is expected to have the `CN_VALUE=role1,role,...,roleN` format and should be encoded using UTF-8.

    • realm

      Optional<String> realm()
      The authentication realm

    • form

      FormAuthConfig form()
      Form Auth config

    • inclusive

      @WithDefault("false") boolean inclusive()
      Require that all registered HTTP authentication mechanisms must attempt to verify the request credentials.

      By default, when the inclusiveMode() is strict, every registered authentication mechanism must produce SecurityIdentity, otherwise, a number of mechanisms which produce the identity may be less than a total number of registered mechanisms.

      All produced security identities can be retrieved using the following utility method: 

       
 io.quarkus.vertx.http.runtime.security.HttpSecurityUtils#getSecurityIdentities(io.quarkus.security.identity.SecurityIdentity)
      An injected `SecurityIdentity` represents an identity produced by the first inclusive authentication mechanism. When the `mTLS` authentication is required, the `mTLS` mechanism is always the first mechanism, because its priority is elevated when inclusive authentication

      This property is false by default which means that the authentication process is complete as soon as the first `SecurityIdentity` is created.

      This property will be ignored if the path specific authentication is enabled.

    • inclusiveMode

      @WithDefault("strict") AuthRuntimeConfig.InclusiveMode inclusiveMode()
      Inclusive authentication mode.