Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Defining endpoint security through JDL #19201

Closed
1 task done
SpiralUp opened this issue Jul 20, 2022 · 6 comments · May be fixed by #23740
Closed
1 task done

Defining endpoint security through JDL #19201

SpiralUp opened this issue Jul 20, 2022 · 6 comments · May be fixed by #23740

Comments

@SpiralUp
Copy link
Contributor

Overview of the feature request

When creating an application through JHipster, it is necessary to manually adjust the security on the generated endpoints. This could be avoided if security was defined through JDL and then generated.
An example of a possible definition in JDL:

  secure _Entity_ with roles {
       ROLE_ADMIN allows (GET, PUT, POST, DELETE)
       ROLE_USER allows (GET)
  }

This should be reflected in the generation of EntityResource and EntityResourceIT.

I already have an implementation for this, so I can share it ...

Motivation for or Use Case

Now, security has to be added manually on endpoints that are generated and unit tests have to be refined manually. It seems to me that this is the most common refinement over the generated code.

Related issues or PR
  • Checking this box is mandatory (this is just to show you read everything)
@gmarziou
Copy link
Contributor

Interesting, were you able to reflect this into the API documentation?

@SpiralUp
Copy link
Contributor Author

SpiralUp commented Jul 20, 2022

I just added a comment to the source code:


  // Security is enabled on this entity

  // Security type = roles

  // GET:    "ROLE_ADMIN", "ROLE_USER"

  // PUT:    "ROLE_ADMIN"

  // POST:   "ROLE_ADMIN"

  // DELETE: "ROLE_ADMIN"


but it's a good suggestion to make it visible in the API documentation as well - it shouldn't be hard ...

@DanielFran
Copy link
Member

@SpiralUp Are you available to contribute with a PR?

@SpiralUp
Copy link
Contributor Author

I'm available to contribute with a PR...

SpiralUp added a commit to SpiralUp/generator-jhipster-8 that referenced this issue Oct 4, 2023
This commit introduces a role-based security feature for the backend, allowing users to define security configurations using JDL clauses. Security can now be specified directly within JDL for various entities, where different roles with specified permissions are mapped to the corresponding Java entity resource files. This mapping auto-generates the requisite `@Secured({})` annotations on the endpoints, ensuring the right level of access control based on roles. Examples of the JDL security clauses include:
```
  secure entity1, entity2, entity3 with roles {
    ROLE_ADMIN allows (get, post, put, delete)
    ROLE_USER allows (get)
  }
```
and
```
  secure all except entity3 with roles {
    ROLE_ADMIN allows (get, post, put, delete)
    ROLE_USER allows (get)
  }
```
which would translate to `@Secured({ "ROLE_ADMIN" })` annotations in the generated Java code for specified endpoints. Additionally, the integration tests have been updated to consider these role-based security configurations.

Moreover, the groundwork for supporting other security types has been laid down through the inclusion of grammar and parser definitions. These additional security types encompass privilege security, organizational security, parent based security, and relation based security, although the code generators for these types are not included in this commit.

Resolves jhipster#19201
SpiralUp added a commit to SpiralUp/generator-jhipster-8 that referenced this issue Oct 4, 2023
This commit introduces a role-based security feature for the backend, allowing users to define security configurations using JDL clauses. Security can now be specified directly within JDL for various entities, where different roles with specified permissions are mapped to the corresponding Java entity resource files. This mapping auto-generates the requisite `@Secured({})` annotations on the endpoints, ensuring the right level of access control based on roles. Examples of the JDL security clauses include:
```
  secure entity1, entity2, entity3 with roles {
    ROLE_ADMIN allows (get, post, put, delete)
    ROLE_USER allows (get)
  }
```
and
```
  secure all except entity3 with roles {
    ROLE_ADMIN allows (get, post, put, delete)
    ROLE_USER allows (get)
  }
```
which would translate to `@Secured({ "ROLE_ADMIN" })` annotations in the generated Java code for specified endpoints. Additionally, the integration tests have been updated to consider these role-based security configurations.

Moreover, the groundwork for supporting other security types has been laid down through the inclusion of grammar and parser definitions. These additional security types encompass privilege security, organizational security, parent based security, and relation based security, although the code generators for these types are not included in this commit.

Resolves jhipster#19201
Copy link
Contributor

This issue is stale because it has been open for too long without any activity.
Due to the moving nature of jhipster generated application, bugs can become invalid.
If this issue still applies please comment otherwise it will be closed in 7 days

Copy link
Contributor

This issue is stale because it has been open for too long without any activity.
Due to the moving nature of jhipster generated application, bugs can become invalid.
If this issue still applies please comment otherwise it will be closed in 7 days

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 30, 2024
@mraible mraible added this to the 8.7.1 milestone Sep 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants