Security overview
Abstract
Chapter 1. Quarkus Security overview
Quarkus Security is a framework that provides the architecture, multiple authentication and authorization mechanisms, and other tools to build secure and production-quality Java applications.
Before building security into your Quarkus applications, learn about the Quarkus Security architecture and the different authentication mechanisms and features you can use.
1.1. Key features of Quarkus Security
The Quarkus Security framework provides built-in security authentication mechanisms for Basic, Form-based, and mutual TLS (mTLS) authentication. You can also use other well-known authentication mechanisms, such as OpenID Connect (OIDC). Authentication mechanisms depend on Identity providers to verify the authentication credentials and map them to a SecurityIdentity instance with the username, roles, original authentication credentials, and other attributes.
Quarkus also includes built-in security to allow for role-based access control (RBAC) based on the common security annotations @RolesAllowed, @DenyAll, @PermitAll on REST endpoints, and Contexts and Dependency Injection (CDI) beans. For more information, see the Quarkus Authorization of web endpoints guide.
Quarkus Security also supports the following features:
- Proactive authentication
- Content from quarkus.io is not included.Secure connections with SSL/TLS
- Cross-origin resource sharing
- Cross-Site Request Forgery (CSRF) prevention
- SameSite cookies
- Secrets engines
- Secure auto-generated resources by REST Data with Panache
- Secure serialization
- Content from quarkus.io is not included.Security vulnerability detection and National Vulnerability Database (NVD) registration
Quarkus Security is also highly customizable. For more information, see the Quarkus Content from quarkus.io is not included.Security tips and tricks guide.
1.2. Getting started with Quarkus Security
To get started with security in Quarkus, consider securing your Quarkus application endpoints with the built-in Quarkus Basic authentication and the Jakarta Persistence identity provider and enabling role-based access control.
Complete the steps in the Getting started with Security by using Basic authentication and Jakarta Persistence tutorial.
After successfully securing your Quarkus application with Basic authentication, you can increase the security further by adding more advanced authentication mechanisms, for example, the Quarkus OpenID Connect (OIDC) authorization code flow mechanism guide.
1.3. Quarkus Security testing
For guidance on testing Quarkus Security features and ensuring that your Quarkus applications are securely protected, see the Content from quarkus.io is not included.Security testing guide.
1.4. More about security features in Quarkus
1.4.1. WebSockets Next security
The quarkus-websockets-next extension provides a modern, efficient implementation of the WebSocket API. It also provides an integration with Quarkus security. For more information, see the Content from quarkus.io is not included.Security section of the Quarkus "WebSockets Next reference" guide.
1.4.2. Cross-origin resource sharing
To make your Quarkus application accessible to another application running on a different domain, you need to configure cross-origin resource sharing (CORS). For more information about the CORS filter Quarkus provides, see the CORS filter section of the Quarkus "Cross-origin resource sharing" guide.
1.4.3. Cross-Site Request Forgery (CSRF) prevention
Quarkus Security provides a Quarkus REST (formerly RESTEasy Reactive) filter that can protect your applications against a Content from owasp.org is not included.Cross-Site Request Forgery attack. For more information, see the Quarkus Content from quarkus.io is not included.Cross-Site Request Forgery Prevention guide.
1.4.4. SameSite cookies
You can add a Content from developer.mozilla.org is not included.SameSite cookie property to any of the cookies set by a Quarkus endpoint. For more information, see the Content from quarkus.io is not included.SameSite cookies section of the Quarkus "HTTP reference" guide.
1.4.5. Secrets engines
You can use secrets engines with Quarkus to store, generate, or encrypt data.
Quarkus provides additional extensions in Quarkiverse for securely storing credentials, for example, Content from docs.quarkiverse.io is not included.Quarkus and HashiCorp Vault.
1.5. Secrets in environment properties
Quarkus provides support to store secrets in environment properties. For more information, see the Quarkus Content from quarkus.io is not included.store secrets in an environment properties file guide.
1.5.1. Secure serialization
If your Quarkus Security architecture includes Quarkus REST (formerly RESTEasy Reactive) and Jackson, Quarkus can limit the fields included in JSON serialization based on the configured security. For more information, see the Content from quarkus.io is not included.JSON serialization section of the Quarkus “Writing REST services with Quarkus REST (formerly RESTEasy Reactive)” guide.
1.5.2. Secure auto-generated resources by REST Data with Panache
If you use the REST Data with Panache extension to auto-generate your resources, you can still use security annotations within the package jakarta.annotation.security. For more information, see the Content from quarkus.io is not included.Securing endpoints section of the Quarkus "Generating Jakarta REST resources with Panache" guide.
1.6. Security vulnerability detection
Most Quarkus tags get reported in the US Content from nvd.nist.gov is not included.National Vulnerability Database (NVD). For information about security vulnerabilities, see the Content from quarkus.io is not included.Security vulnerability detection and reporting in Quarkus guide.