Quarkus discovering of JAXRS-Endpoints - quarkus

I'am currently trying to understand the discovering of JAXRS-Endpoints in Quarkus. My assumption is that they are automatically discovered and there is no need to register them. In addition I tried to import Endpoints from an other module/jar File. It is working to out of the box.
But than I tried to understand the order of discovering endpoints.
I tried to overwrite a jar file provided endpoint in my application, but it is not working. Therfore in my opinion there is a potential security problem, if any third party module can overwrite my endpoints. Has anyone the same problems and can provide me informations how to think about this problem? (My only solution is to write an own extension which removes all endpoints an add only the ones I want to have, but I think this is against the idea)
Thanks in advance!

Duplicate endpoint detection was added to RESTEasy Reactive in https://github.com/quarkusio/quarkus/pull/15037.
This means that from version 2.7.0.CR1 and on, Quarkus will fail the build if duplicate JAX-RS endpoints are defined (assuming you are using quarkus-resteasy-reactive).

Related

Trying to create a "general" logging solution for requests in Spring Boot

I'm currently trying to create a info log for every request in the API I'm working on, but instead of creating a log for every request at the controller level, I wanted to try creating a "catch all" solution but I'm not being able to fullfill my goals.
I've decided to start the idea using Spring's #Aspect annotation, but using it isn't the best idea because I'd have to create one aspect for every controller that I have.
After some digging I found 2 possible solution paths that I could try to work on, #ControllerAdvice and creating an interceptor (which in theory is the one idea that I think has the most chances of succeeding and being a clean solution).
The problem is that I'm not being able to find much information regarding these ideas.
For the #ControllerAdvice idea I'm only finding it being used to handle exceptions, and for the interceptor idea I'm not finding anything similar to what I want to create.
Are these ideas feasible at all? Or should I just stick to logging everything at controller level?
Not sure if it's important but I'm currently working using LogBack library.
There is a ready solution for complete request and response logging for different client- and server-side technologies.
I'm using logbook tool for tracking request-response info for my rest endpoints.
https://github.com/zalando/logbook

Consuming a web service in a MULE domain project

I'm developing a set of MULE 3.7.0 app projects under a MULE domain project which contains a set of shared parameters for all these apps and I need to consume an external webservice before any of the apps is loaded in order to get an additional parameter which is needed for all the apps and also for the domain itself.
As there are no flows in the domain project, I don't know how to achieve this.
Can this be done? If so, how? Maybe a bean-oriented approach?
Any help will be much appreciated.
As per problem description provide here, you can go for Spring bean approach to achieve this. Check out similar post below.
mule - how to run code on starting mule (server listener)
Let me know if still facing any issues.

The best web login approach

I am developing a jsp dynamic web project on eclipse.
I want to create an website with login functionality. I intend to store users' accounts and passwords in MySQL database. Of course, different users have different roles and rights to access different web pages. What is the best approach to implement it?
So far, I know these approaches:
1) Users enter accounts/passwords in login.jsp. LoginServlet then connects to MySQL database to check if it is correct. AuthenticationFilters will make sure only users with rights can access certain pages.
2) Use Role Based Authentication by declaring user roles in web.xml. I find this approach is not flexible, because I need to declare roles in advance.
3) Use HttpServletRequest's login/logout methods. I have not studied it.
Is my understanding correct? Could someone gives me some suggestions? Some clues would be very helpful!
Besides, I know that using POST alone to send passwords is not safe enough. Many websites suggest to use HTTPS connections. So if using HTTPS connections, does it affect the approach I choose to implement the login function?
Thanks!
--
Now, I know I need to use Spring. But Spring seems difficult for me... In Spring website I cant find out the link to download jar files. The user guide says I need to use Gradle or Maven, which I haven't used before, and have no idea why I need them. Besides, there are many Spring projects. Which one should I choose? Spring framework?
--
Have you looked into using Spring Security? It's built for just that. You don't need to be familiar with Spring but it may help.
Here are a couple of tutorials that use database authentication:
1: Spring Security Authentication and Authorization Example with Database Credentials
2: Spring Security Login Example with Database
Edit:
You don't have to Maven or Gradle. You can simply add the jars to your build path and they will work. The only projects you need to implement for the login to work is the Spring Framework and Spring Security.
To use Spring Security without Maven or Gradle:
Download the Spring Framework jars, unzip them, and add them to your project and build path. It's probably a good idea to find a hello world tutorial using Spring to get you started. A quick Google search should turn up many results.
After you have Spring implemented in your project, download the Spring Security jars, unzip those, and add them to your build path. The links to the tutorials that I previously posted will get you started. They may take a little while to go through and you may not understand exactly what is happening behind the scenes, but once you get it set up is works outstanding. I'm also not sure if you are using xml configuration or Java config but I believe those tutorials are for xml.
Spring Security was built so that it could be added to any project and have you up and running with basic configuration in about 15 minutes. After you get the basic login going (it will use the generic login form), you can search for how to implement your own custom login form, add permissions or restrictions to users and url patters, adding custom filters, etc. I encourage you to spend some time learning it as it is highly flexible and customizable.

Secure Spring REST Service using spring-security-oauth2 2.0.5.RELEASE

I have been searching for an example Spring Webservice which is being protected using oauth 2.0..
Looking around I found https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2 but there some files seems to be missing from the project.
Two things that I am looking for is :
When user authenticates, user name and password goes to /login.do , now I can not understand how this Servlet is being configured, if its not controller. web.xml is missing.
When I try to see how beans configured then applicationContext.xml is also missing. I am not able to find those files in order to see how things are configured.
Help Required :
Should I use annotation in order to configure my web service or xml configuration. I am willing to use the latest version, and leverage advanced configurations, for better security.
I have another Single page application ( HTML5 ) , which accesses data from this spring web service, which is being hosted on Google App Engine. My ultimate objective is to create a chrome plugin of (html5) pages and use my service from there..
Please suggest a better path so that I can achieve my objectives.
Best regards,
Shashank Pratap
Apologize for late reply.
1) Regarding Oauth2.0 implementation : Since GAE does not support Servlet 3.0 therefore, developer is restricted to servlet 2.5. Therefore I found that we are restricted to 1.0.5.RELEASE. I was able to configure it successfully.
Best Practice on GAE : Rather than following this approach, I would suggest others to use Google Endpoints. As it supports oauth2.0 as well as we can develop REST API relatively quickly.
Scale ability and Response time : Since I was using Spring dependency injection along with spring security, application responded slower than the combination of Google Endpoints and Google Juice, as juice does injection just in time, where as spring prepares everything as soon as new instance starts, which created problem for me.
2) Chrome Plugin is completely different story. :-)
Please correct if I am wrong.
Thanks,
Shashank Pratap

Easiest way to add GWT to a Spring MVC application?

I've got a Spring MVC application and I've decided that I'd like to try using GWT for the front end. I'd like to continue using MVC as I'll also be using Spring Security and some other springy stuff.
I'm aware of the GWT-SL project, and I guess I'll use it. The documentation is light on examples unfortunately.
What I'm wondering now is.... how do I reconfigure my project so that I can use GWT? I'm assuming that I'll lose the ability to run in hosted mode, and I suppose that's ok. Do I just add the GWT and GWT-SL jars, reconfigure my web.xml, and add a package to my project for the GWT code?
I'm using Eclipse 3.4. My existing project is standard web project.
With the new version of the GWT plugin, you'd have all the benefits of the hosted mode browser without having to modify any options. The GWTHandler from the GWT-SL will take care of your rpc call mapping. However, you will have a problem with your existing domain objects structure. You will either have to put them in GWT's 'client' package, or mirror your existing domain objects to enable them to be compiled to javascript. I have been looking for a stable non-invasive framework for doing this, but have yet to find one. Gilead looks promising, but you will have to extend its classes on your domain.
I have posted a view month ago my simple project (3 classes) how to integrate GWT with existing Spring MVC application. Simple sample also provided.
Try it, it is clear and simple: http://code.google.com/p/gspring.
You won't lose hosted mode. I don't know if you're using the internal server for that - I use -noserver so I can't help you there.
Other than that, I guess the documentation is quite clear. Have you hit any specific problems?

Resources