Authentication and Authorization

[amit-c1x]

Hello,

We are using this library for last few months and are very happy with it. We would like to know if it is possible to handle auth/authorization using jax-rs annotations?
Additionally, i have looked at adding an authentication handler but couldn't quite get it working. Would be great if someone could give pointers to get it working.

@Service
@Slf4j
public class AuthenticationHandler extends SimpleChannelInboundHandler<FullHttpRequest> {

    @Autowired
    private AuthenticationService authenticationService;

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, FullHttpRequest request) throws Exception {

        log.info("In Auth Handler");
        if (!authenticationService.isAuthenticated(request)) {
            HttpResponse response = new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED);
            ctx.channel().writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
            return;
        }
        ctx.fireChannelRead(request);
    }
}

Below is how i add this handler in channelpipeline

                .setChannelPipelineModifier(new ChannelPipelineModifier() {
                    @Override
                    public void modify(ChannelPipeline channelPipeline) {
                        CorsConfig corsConfig = CorsConfigBuilder.
                                forAnyOrigin().
                                allowNullOrigin()
                                .allowCredentials()
                                .allowedRequestMethods(HttpMethod.CONNECT, HttpMethod.GET, HttpMethod.PUT, HttpMethod.OPTIONS, HttpMethod.POST, HttpMethod.DELETE)
                                .allowedRequestHeaders("Content-Type", "Access-Control-Allow-Headers", "Authorization", "X-Requested-With", "authorization")
                                .exposeHeaders("Content-Type", "Access-Control-Allow-Headers", "Authorization", "X-Requested-With", "authorization")
                                .build();
                        channelPipeline.addBefore("router", "cors", new CorsHandler(corsConfig));
                        channelPipeline.addBefore("router", "auth", authenticationHandler);

[chtyim]

Do you see any error / exception or not observing the AuthenticationHandler being triggered? Would you mind give some more details?

[amit-c1x]

I dont see AuthenticationHandler being triggered. No error as such.

[chtyim]

From the client perspective, does it get any response or does it hang? Does it act like the auth handler is skipped?

[amit-c1x]

yes, it seems auth handler is skipped.

[chtyim]

Can you change the type provided to the SimpleChannelInboundHandler to HttpRequest instead of FullHttpRequest? The HttpObjectAggregator is added by the "router", hence any handler that goes before the "router" will only get HttpRequest

[amit-c1x]

Yup it works now. Thanks!

Additionally, is there any planned effort for adding authentication annotations?
How would you suggest adding auth in my application? As usual, we have mix of authentication and open APIs

[chtyim]

Supporting the jax-rs authentication annotation is a good suggestion but we currently don't have any plan on that yet. For now, you have to perform authentication in your auth handler based on the request. If you are interested in helping to add the auth annotation support, that would be great!

[amit-c1x]

Will try to put in a PR soon. Closing this for now. Thanks a lot for the help!!