Autodetect PermissionsAllowed#params based on parameter names

quarkusio · Sep 19, 2024 · 867d4e5 · 867d4e5
1 parent fd58485
commit 867d4e5
Showing 1 changed file with 40 additions and 3 deletions.
diff --git a/src/main/java/io/quarkus/security/PermissionsAllowed.java b/src/main/java/io/quarkus/security/PermissionsAllowed.java
@@ -65,8 +65,45 @@
      * There is no limit to a reasonable number of parameters passed to the permission constructor this way.
      * Please see {@link #params()} for more complex matching.
      */
+    String AUTODETECTED_TYPES = "<<autodetected-types>>";
+
+    /**
+     * Alias for {@link #AUTODETECTED_TYPES}.
+     *
+     * @deprecated use {@link #AUTODETECTED_TYPES} or {@link #AUTODETECTED_PARAM_NAMES}
+     */
+    @Deprecated
     String AUTODETECTED = "<<autodetected>>";
 
+    /**
+     * Constant value for {@link #params()} indicating that the constructor parameters of the {@link #permission()}
+     * should be autodetected based on formal parameter names. For example, consider following method secured with this
+     * annotation:
+     * <pre>
+     * {@code
+     * &#64;PermissionsAllowed(value = "resource:retrieve", permission = UserPermission.class)
+     * public Resource getResource(String param1, String param2, String param3) {
+     *      // business logic
+     * }
+     * }
+     * </pre>
+     * The {@code getResource} method parameters {@code param1} and {@code param3} will be
+     * matched with the {@code UserPermission} constructor parameters {@code param1} and {@code param3}.
+     * <pre>
+     * {@code
+     * public class UserPermission extends Permission {
+     *
+     *     public UserPermission(String name, String param3, String param1) {
+     *         ...
+     *     }
+     *
+     *     ...
+     * }
+     * }
+     * </pre>
+     */
+    String AUTODETECTED_PARAM_NAMES = "<<autodetected-param-names>>";
+
     /**
      * Colon is used to separate a {@link Permission#getName()} and an element of the {@link Permission#getActions()}.
      * For example, {@link StringPermission} created for method 'getResource':
@@ -165,7 +202,7 @@
      * Now that we have defined parameter data types, please consider the secured method 'getResource':
      *
      * <pre>
-     * &#64;PermissionsAllowed(permission = UserPermission.class, value = "resource", params = {user1, admin1})
+     * &#64;PermissionsAllowed(permission = UserPermission.class, value = "resource", params = {"user1", "admin1"})
      * public Resource getResource(User user, User user1, Admin admin, Admin admin1) {
      *     // business logic
      * }
@@ -204,11 +241,11 @@
      * <b>WARNING:</b> "params" attribute is only supported in the scenarios explicitly named in the Quarkus documentation.
      * </p>
      *
-     * @see #AUTODETECTED
+     * @see #AUTODETECTED_PARAM_NAMES and {@link #AUTODETECTED_TYPES}
      *
      * @return constructor parameters passed to the {@link #permission()}
      */
-    String[] params() default AUTODETECTED;
+    String[] params() default AUTODETECTED_PARAM_NAMES;
 
     /**
      * The class that extends the {@link Permission} class, used to create permissions specified via {@link #value()}.