Red Hat SummitBasic authentication
Guide
초록
Providing feedback on Red Hat build of Quarkus documentation
To report an error or to improve our documentation, log in to your Red Hat Jira account and submit an issue. If you do not have a Red Hat Jira account, then you will be prompted to create an account.
Procedure
- Click the following link to create a ticket.
- Enter a brief description of the issue in the Summary.
- Provide a detailed description of the issue or enhancement in the Description. Include a URL to where the issue occurs in the documentation.
- Clicking Submit creates and routes the issue to the appropriate documentation team.
1장. Basic authentication
HTTP Basic authentication is one of the least resource-demanding techniques that enforce access controls to web resources. You can secure your Quarkus application endpoints by using HTTP Basic authentication. Quarkus includes a built-in authentication mechanism for Basic authentication.
Basic authentication uses fields in the HTTP header and does not rely on HTTP cookies, session identifiers, or login pages.
1.1. Authorization header
An HTTP user agent, like a web browser, uses an Authorization header to provide a username and password in each HTTP request. The header is specified as Authorization: Basic <credentials>, where credentials are the Base64 encoding of the user ID and password, joined by a colon.
Example:
If the user name is Alice and the password is secret, the HTTP authorization header would be Authorization: Basic QWxjZTpzZWNyZXQ=, where QWxjZTpzZWNyZXQ= is a Base64 encoded representation of the Alice:secret string.
The Basic authentication mechanism does not provide confidentiality protection for the transmitted credentials. The credentials are merely encoded with Base64 when in transit, and not encrypted or hashed in any way. Therefore, to provide confidentiality, use Basic authentication with HTTPS.
Basic authentication is a well-specified, simple challenge and response scheme that all web browsers and most web servers understand.
1.2. Limitations with using Basic authentication
The following table outlines some limitations of using HTTP Basic authentication to secure your Quarkus applications:
| Limitation | Description |
|---|---|
| Credentials are sent as plain text | Use HTTPS with Basic authentication to avoid exposing the credentials. The risk of exposing credentials as plain text increases if a load balancer terminates HTTPS because the request is forwarded to Quarkus over HTTP. Furthermore, in multi-hop deployments, the credentials can be exposed if HTTPS is used between the client and the first Quarkus endpoint only, and the credentials are propagated to the next Quarkus endpoint over HTTP. |
| Credentials are sent with each request | In Basic authentication, a username and password must be sent with each request, increasing the risk of exposing credentials. |
| Application complexity increases | The Quarkus application must validate that usernames, passwords, and roles are managed securely. This process, however, can introduce significant complexity to the application. Depending on the use case, other authentication mechanisms that delegate username, password, and role management to specialized services might be more secure. |
1.3. Implementing Basic authentication in Quarkus
For more information about how you can secure your Quarkus applications by using Basic authentication, see the following resources:
1.4. Role-based access control
Red Hat build of Quarkus also includes built-in security to allow for role-based access control (RBAC) based on the common security annotations @RolesAllowed, @DenyAll, @PermitAll on REST endpoints and CDI beans. For more information, see the Quarkus Authorization of web endpoints guide.
1.5. References
2장. Enable Basic authentication
Enable Basic authentication for your Quarkus project and allow users to authenticate with a username and password.
2.1. Prerequisites
You have installed at least one extension that provides an
IdentityProviderbased on username and password. For example:
The following procedure outlines how you can enable Basic authentication for your application by using the elytron-security-properties-file extension.
2.2. Procedure
In the
application.propertiesfile, set thequarkus.http.auth.basicproperty totrue.quarkus.http.auth.basic=trueOptional: In a non-production environment only and purely for testing Quarkus Security in your applications:
To enable authentication for the embedded realm, set the
quarkus.security.users.embedded.enabledproperty totrue.quarkus.security.users.embedded.enabled=trueYou can also configure the required user credentials, user name, secret, and roles. For example:
quarkus.http.auth.basic=true quarkus.security.users.embedded.enabled=true quarkus.security.users.embedded.plain-text=true quarkus.security.users.embedded.users.alice=alice1 quarkus.security.users.embedded.users.bob=bob2 quarkus.security.users.embedded.roles.alice=admin3 quarkus.security.users.embedded.roles.bob=user4 - 1 3
- The user,
alice, hasaliceas their password andadminas their role. - 2 4
- The user,
bob, hasbobas their password anduseras their role.For information about other methods that you can use to configure the required user credentials, see the Configuring User Information section of the Quarkus "Security Testing" guide.
중요Configuring user names, secrets, and roles in the
application.propertiesfile is appropriate only for testing scenarios. For securing a production application, it is crucial to use a database to store this information.
2.3. Next steps
For a more detailed walk-through that shows you how to configure Basic authentication together with Jakarta Persistence for storing user credentials in a database, see the Getting started with Security by using Basic authentication and Jakarta Persistence guide.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}