What happened?
@RolesAllowed annotations on microservice resources are not enforced because none of the microservices register Jersey's RolesAllowedDynamicFeature. The annotations are decorative — anyone with a valid JWT can hit endpoints labeled @RolesAllowed(Array("ADMIN")), regardless of the user's role.
workflow-compiling-service is worse: it registers neither JwtAuthFilter nor RolesAllowedDynamicFeature, so its @RolesAllowed endpoint runs without any authentication or authorization at all.
amber correctly registers RolesAllowedDynamicFeature (amber/.../web/TexeraWebApplication.scala:142 and amber/.../web/ComputingUnitMaster.scala:172), so its annotations work as intended.
| Service | JwtAuthFilter | RolesAllowedDynamicFeature | uses @RolesAllowed? |
|---|---|---|---|
| access-control-service | yes | no | no |
| config-service | yes | no | yes (2 places) |
| file-service | yes | no | no |
| computing-unit-managing-service | yes | no | yes (10+ places) |
| workflow-compiling-service | no | no | yes (1 place) |
| amber (TexeraWebApplication, ComputingUnitMaster) | yes | yes | yes |
Concrete decorative annotations:
config-service/.../resource/ConfigResource.scala:32, 66 — @RolesAllowed(Array("REGULAR", "ADMIN"))
computing-unit-managing-service/.../resource/ComputingUnitManagingResource.scala:252, 262, 276, 491, 594, 642, 682, 736, 751 — @RolesAllowed(Array("REGULAR", "ADMIN"))
computing-unit-managing-service/.../resource/ComputingUnitAccessResource.scala:104 — same
workflow-compiling-service/.../resource/WorkflowCompilationResource.scala:59 — same (and the request is unauthenticated to begin with)
How to reproduce?
- Issue a JWT for a user whose role is below the one a @RolesAllowed annotation requires (e.g. role INACTIVE against @RolesAllowed(Array("REGULAR", "ADMIN"))).
- Run `curl -H "Authorization: Bearer <that-token>" http://localhost:<port>/api/<annotated-endpoint>` against config-service or computing-unit-managing-service.
- Observe: the request succeeds with 200. The role check is silently skipped.
- For workflow-compiling-service, omit the token entirely: any request reaches the resource method. No JwtAuthFilter runs because the service never registers it.
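For reference, an added example (not Texera's code) of what a Dropwizard/Jersey service has to register for `@RolesAllowed` to take effect; Dropwizard 2.x package names, the `ExampleConfig`/`ExampleResource` classes and a no-arg constructor on the project's `JwtAuthFilter` are assumptions:

```scala
// Added example, not Texera's own code. Shows the registration that the
// microservices in the table above are missing. Assumes Dropwizard 2.x
// package names and that JwtAuthFilter has a no-arg constructor.
import io.dropwizard.{Application, Configuration}
import io.dropwizard.setup.Environment
import javax.annotation.security.RolesAllowed
import javax.ws.rs.{GET, Path}
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature

class ExampleConfig extends Configuration // assumed, minimal config

@Path("/api/example")
class ExampleResource {
  // Same annotation as the affected resources. Without
  // RolesAllowedDynamicFeature registered, Jersey never evaluates it.
  @GET
  @RolesAllowed(Array("REGULAR", "ADMIN"))
  def get(): String = "ok"
}

class ExampleServiceApplication extends Application[ExampleConfig] {
  override def run(config: ExampleConfig, env: Environment): Unit = {
    val jersey = env.jersey()

    // 1. Authentication: validates the bearer token and must install a
    //    SecurityContext whose isUserInRole(role) answers for the token's
    //    role. The filter should carry @Priority(Priorities.AUTHENTICATION);
    //    Jersey runs request filters in ascending priority, and the role
    //    check below runs at Priorities.AUTHORIZATION. A filter left at the
    //    default USER priority runs after the role check, so every annotated
    //    endpoint would be denied before the SecurityContext exists.
    jersey.register(new JwtAuthFilter())

    // 2. Authorization: the missing line. Binds @RolesAllowed / @PermitAll /
    //    @DenyAll to SecurityContext.isUserInRole and answers 403 Forbidden
    //    when no allowed role matches (or when no principal was set), i.e.
    //    it fails closed rather than open.
    jersey.register(classOf[RolesAllowedDynamicFeature])

    jersey.register(new ExampleResource())
  }
}
```

With both registrations in place, the INACTIVE-role request from the reproduction steps gets 403 instead of 200, and a tokenless request is stopped by the auth filter first.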
Branch
main
Commit Hash (Optional)
786a920