Quarkus Security overview
Quarkus Security is a framework that provides the architecture, multiple authentication and authorization mechanisms, and other tools to build secure and production-quality Java applications.
Before building security into your Quarkus applications, learn about the Quarkus Security architecture and the different authentication mechanisms and features you can use.
Key features of Quarkus Security
The Quarkus Security framework provides built-in authentication mechanisms for Basic, form-based, and mutual TLS (mTLS) authentication.
You can also use other well-known authentication mechanisms, such as OpenID Connect (OIDC) and WebAuthn.
Authentication mechanisms depend on identity providers to verify the authentication credentials and map them to a SecurityIdentity instance that carries the username, roles, original authentication credentials, and other attributes.
Quarkus also includes built-in security to allow for role-based access control (RBAC) based on the common security annotations @RolesAllowed, @DenyAll, and @PermitAll on REST endpoints and on Contexts and Dependency Injection (CDI) beans.
For more information, see the Quarkus Authorization of web endpoints guide.
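As an added illustration (not code from the Quarkus documentation), the hypothetical resource and CDI bean below show the three annotations combined at class and method level, and how the SecurityIdentity produced by the identity provider is read. It assumes an authentication mechanism and identity provider are already configured, for example Basic authentication with the Jakarta Persistence identity provider, and that the role name "admin" exists in that identity store.

```java
import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import io.quarkus.security.identity.SecurityIdentity;

// Hypothetical CDI bean: the same annotations guard business methods, not only endpoints.
@ApplicationScoped
@RolesAllowed("admin") // class-level default: every method of this bean needs the admin role
class ReportService {
    @Inject
    SecurityIdentity identity;

    String adminReport() { // inherits the class-level @RolesAllowed("admin")
        return "report for " + identity.getPrincipal().getName();
    }
}

// Hypothetical REST resource showing the three annotations side by side.
@Path("/reports")
public class ReportResource {
    @Inject
    ReportService reports;
    @Inject
    SecurityIdentity identity; // populated by the identity provider from the verified credentials

    @GET @Path("/whoami")
    @PermitAll // anonymous and authenticated callers alike
    public String whoAmI() {
        if (identity.isAnonymous()) {
            return "anonymous";
        }
        // roles are the ones the identity provider mapped, e.g. [user, admin]
        return identity.getPrincipal().getName() + " " + identity.getRoles();
    }

    @GET @Path("/admin")
    @RolesAllowed("admin") // 401 for anonymous callers, 403 for authenticated callers lacking the role
    public String admin() {
        return reports.adminReport(); // the bean re-checks the role on its own method
    }

    @GET @Path("/legacy")
    @DenyAll // never accessible; useful for retiring an endpoint without deleting it
    public String legacy() {
        return "unreachable";
    }
}
```

A method-level annotation overrides the class-level one, so a @PermitAll method on a @RolesAllowed bean is open to every caller; put the most restrictive annotation at class level and relax individual methods deliberately.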
Quarkus Security also supports the following features:
Quarkus Security is also highly customizable. For more information, see the Quarkus Security tips and tricks guide.
Getting started with Quarkus Security
To get started with security in Quarkus, consider securing your Quarkus application endpoints with the built-in Quarkus Basic authentication and the Jakarta Persistence identity provider, and enabling role-based access control.
Complete the steps in the Getting started with Security by using Basic authentication and Jakarta Persistence tutorial.
After successfully securing your Quarkus application with Basic authentication, you can increase the security further by adding more advanced authentication mechanisms, for example the OpenID Connect (OIDC) authorization code flow described in the Quarkus OpenID Connect (OIDC) authorization code flow mechanism guide.
Quarkus Security testing
For guidance on testing Quarkus Security features and ensuring that your Quarkus applications are securely protected, see the Security testing guide.
More about security features in Quarkus
WebSockets Next security
The quarkus-websockets-next extension provides a modern, efficient implementation of the WebSocket API.
It also provides an integration with Quarkus Security.
For more information, see the Security section of the Quarkus "WebSockets Next reference" guide.
Cross-origin resource sharing
To make your Quarkus application accessible to another application running on a different domain, you need to configure cross-origin resource sharing (CORS). For more information about the CORS filter that Quarkus provides, see the CORS filter section of the Quarkus "Cross-origin resource sharing" guide.
Cross-Site Request Forgery (CSRF) prevention
Quarkus Security provides a Quarkus REST (formerly RESTEasy Reactive) filter that can protect your applications against Cross-Site Request Forgery attacks. For more information, see the Quarkus Cross-Site Request Forgery Prevention guide.
SameSite cookies
You can add the SameSite cookie attribute to any of the cookies set by a Quarkus endpoint. For more information, see the SameSite cookies section of the Quarkus "HTTP reference" guide.
Secrets engines
You can use secrets engines with Quarkus to store, generate, or encrypt data.
Quarkus provides additional extensions in Quarkiverse for securely storing credentials, for example Quarkus and HashiCorp Vault.
Secrets in environment properties
Quarkus provides support for storing secrets in environment properties. For more information, see the Quarkus store secrets in an environment properties file guide.
Secure serialization
If your Quarkus Security architecture includes Quarkus REST (formerly RESTEasy Reactive) and Jackson, Quarkus can limit the fields included in JSON serialization based on the configured security. For more information, see the JSON serialization section of the Quarkus "Writing REST services with Quarkus REST (formerly RESTEasy Reactive)" guide.
Secure auto-generated resources by REST Data with Panache
If you use the REST Data with Panache extension to auto-generate your resources, you can still use the security annotations from the jakarta.annotation.security package.
For more information, see the Securing endpoints section of the Quarkus "Generating Jakarta REST resources with Panache" guide.
Security vulnerability detection
Most Quarkus tags get reported in the US National Vulnerability Database (NVD). For information about security vulnerabilities, see the Security vulnerability detection and reporting in Quarkus guide.