Custom Security Rules not working Micronaut 2.2.1

[ghost]

am trying to implement the custom security rules with Micronaut 2.2.1, but it is not working.

public @interface RequiredPermission {
    String resourceIdName();
    String permission();
}

Security Rules

@Singleton
public class AdminRequirement implements SecurityRule {
@Override
    public int getOrder(){
        return 1;
    }
    @Override
    public SecurityRuleResult check(HttpRequest<?> request, @Nullable RouteMatch<?> routeMatch, @Nullable Map<String, Object> claims) {
        if (routeMatch instanceof MethodBasedRouteMatch) {
            MethodBasedRouteMatch methodBasedRouteMatch = (MethodBasedRouteMatch) routeMatch;
            if (methodBasedRouteMatch.hasAnnotation(RequiredPermission.class)) {
                AnnotationValue<RequiredPermission> requiredPermissionAnnotation = methodBasedRouteMatch.getAnnotation(RequiredPermission.class);
                // Get parameters from annotation on method
                Optional<String> resourceIdName = requiredPermissionAnnotation.stringValue("resourceIdName");
                Optional<String> permission = requiredPermissionAnnotation.stringValue("permission");
                if (permission.isPresent() && resourceIdName.isPresent() && claims != null) {
                    // Use name of parameter to get the value passed in as an argument to the method
                    String resourceId = methodBasedRouteMatch.getVariableValues().get(resourceIdName.get()).toString();
                    // Get claim from jwt using the resource ID
                    Object permissionForResource = ((Map) claims.get("https://your-domain.com/claims")).get(resourceId);
                    if (permissionForResource != null && permissionForResource.equals(permission.get())) {
                        // if the permission exists and it's equal, allow access
                        return SecurityRuleResult.ALLOWED;
                    }
                }
            }
        }
        return SecurityRuleResult.UNKNOWN;
    }
}

Controller

@Secured(SecurityRule.IS_AUTHENTICATED)
@Controller("/product")
public record ProductController(IProducer iProducer) {
    @Get(uri = "/{text}")
    @RequiredPermission(resourceIdName = "Admin", permission = "Admin")
    public Single<String> get(String text){
        return iProducer.sendText(text);
    }
}

Application.yml

micronaut:
  application:
    name: demo
  security:
    enabled: true
    token:
      jwt:
        enabled: true
        signatures:
          jwks:
            okta:
              url: 'https://dev-6271510.okta.com/oauth2/default/v1/keys'
    intercept-url-map:
      - pattern: /swagger-ui/**
        httpMethod: GET
        access:
          - isAnonymous()
      - pattern: /swagger/**
        access:
          - isAnonymous()

AdminRequirement implements SecurityRule the override check() method is never executed, something I am missing.

[sdelamo]

There are multiple security rules in the system. Maybe your route is being authorised or rejected before it reaches your SecurityRule. Try overriding getOrder() method in your SecurityRule coming from the Ordered interface.

I am not sure this is an issue. Thus, I am moving this temporarily to discussions.

[ghost]

I did the getOrder() method still the same issue, however, if I move the @RequiredPermission(resourceIdName = "Admin", permission = "Admin") at the controller level it works, here is the repo - https://github.com/anandjaisy/micronaut-customSecurityRule

[sdelamo]

Not sure I understand the issue. Your project contains a failing test OrderControllerTest but I think it is expected to fail.

AdminRequirement security rule has this two if statements:

  if (routeMatch instanceof MethodBasedRouteMatch) {
            MethodBasedRouteMatch methodBasedRouteMatch = (MethodBasedRouteMatch) routeMatch;
            if (methodBasedRouteMatch.hasAnnotation(RequiredPermission.class)) {

The controller's methods is not annotated with RequiredPermission. Am I missing anything ?

[ghost]

You were looking at the other controller, the code is in the product controller. I have updated the code, please have a look. The break point was not coming to the check method. The code inside the check method is incomplete, I just want to execute that method.