- Java 17
- Quarkus (REST, gRPC, OIDC)
- Maven
- In-memory DB (H2 or equivalent)
- Keycloak (OIDC provider)
Build a secured Document Service exposing both REST and gRPC APIs. The service must enforce RBAC and ABAC access control using OIDC (Keycloak). Documents are scoped to tenants, and users can only access documents associated with their own tenant.
- Use OIDC via Keycloak (you may use a local dockerized Keycloak).
- Support RBAC using the following roles:
admin: can create and read documentsviewer: can only read documents
- Support ABAC by enforcing access to documents:
- Users can only access documents if
document.tenantId == user.tenantId - Assume
tenantIdis provided as a custom claim (e.g.,tenant_id) in the JWT.
- Users can only access documents if
Expose the following endpoints:
| Method | Path | Role | Description |
|---|---|---|---|
| POST | /documents |
admin | Create a new document |
| GET | /documents/{id} |
viewer | Fetch document by ID (with ABAC) |
Each document should have:
id: UUIDtitle: Stringcontent: StringtenantId: String
Use in-memory storage (e.g., Map<UUID, Document>).
Implement a simple gRPC service to simulate document processing.
Proto:
service DocumentProcessor {
rpc Process(DocumentRequest) returns (DocumentResponse);
}DocumentRequestincludesdocumentId: stringDocumentResponseincludesstatus: string(e.g., "Processed")- Access to this service must also validate RBAC + ABAC.
- Unit test for the document service logic
- Integration test for REST API (e.g., using RestAssured)
- Integration test for gRPC API (optional but preferred)
src/
βββ main/java/com/example
β βββ auth/ # ABAC logic, JWT parsing
β βββ rest/ # REST controller
β βββ grpc/ # gRPC implementation
β βββ model/ # Document DTOs
β βββ service/ # DocumentService
βββ resources/
βββ application.yml
test/
βββ ... # Tests for HTTP + gRPC
You may use a local Keycloak docker container with:
- A realm named
test-realm - Two users:
admin-user(role:admin, tenant_id:tenant-1)viewer-user(role:viewer, tenant_id:tenant-1)
- JWT should contain the
tenant_idas a custom claim.
(You can mock JWTs if you donβt want to spin up Keycloak.)
- A GitHub (or zip) project with:
- Complete source code
- Sample Keycloak config (or token structure)
- Basic README with:
- How to run the app
- How to test it (e.g., curl commands or gRPCurl)
- How to simulate JWTs if not using full Keycloak