Accessing permissions from @PermissionAllowed in custom HttpSecurityPolicy

[n-kremer]

Hi,

is it somehow possible to access the permissions requested in @PermissionAllowed in a custom HttpSecurityPolicy?

Detailed description of what I'm trying to achieve, in case I'm asking the wrong question:
In a project I'm working on working on we use the Open Policy Agent (OPA) to check if a user is allowed to access a certain endpoint. Whenever an endpoint is called, we send a REST request to OPA in which we provide some information from the SecurityIdentity like the roles and the name of the user.
When the OPA policy only requires information form the SecurityIdentity, I could use a custom HttpSecurityPolicy to send the request for the check to OPA.

However, in most cases we also need to provide the list of Permissions that the user should have to access an endpoint. In these cases OPA will compare the expected permissions to the permission that the user actually has. The actual permissions of the user are not contained in the SecurityIdentity, but are requested by OPA from a different service, so I can't just do the checks in my service.

Ideally I would like to annotate each endpoint which one or more @PermissionAllowed annotations, read the required permissions in the custom HttpSecurityPolicy and add them to the request to OPA.

[quarkus-bot[bot]]

/cc @sberyozkin (security)

[sberyozkin]

@n-kremer Hi, I think you can do it by injecting JAX-RS @ResourceInfo and then access it via a Java Method API, see also https://quarkus.io/guides/security-authorize-web-endpoints-reference#policy-active-cdi-request-context