|
1 | 1 | /* |
2 | | - * Copyright (c) 2012-2024, Inversoft Inc., All Rights Reserved |
| 2 | + * Copyright (c) 2012-2025, Inversoft Inc., All Rights Reserved |
3 | 3 | * |
4 | 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | 5 | * you may not use this file except in compliance with the License. |
@@ -412,8 +412,15 @@ protected Map<HTTPMethod, ExecuteMethodConfiguration> findExecuteMethods(Class<? |
412 | 412 | protected Map<HTTPMethod, List<JWTMethodConfiguration>> findJwtAuthorizationMethods(Class<?> actionClass, |
413 | 413 | List<String> securitySchemes, |
414 | 414 | Map<HTTPMethod, ExecuteMethodConfiguration> executeMethods) { |
415 | | - // When JWT scheme is not enabled, we will not call any of the JWT Authorization Methods. |
416 | | - if (!securitySchemes.contains("jwt")) { |
| 415 | + // When a JWT scheme is not enabled, we will not call any of the JWT Authorization Methods. |
| 416 | + // - Note that anyone can bind a jwt security scheme, and they may wish to use these authorization methods. |
| 417 | + // So as long as the scheme contains "jwt", bind them. For example, you may wish to bind `jwt-1` and `jwt-` with |
| 418 | + // different constraint validations. |
| 419 | + // - In theory we could just always bind them, however we do validate that the action is properly configured to |
| 420 | + // have a method to cover the expected HTTP verbs, etc. Ideally we would keep this logic to keep the user from |
| 421 | + // not using these methods correctly. But if we wanted to tell the user it's their problem, we could remove |
| 422 | + // some of that validation and just always bind them. |
| 423 | + if (securitySchemes.stream().noneMatch(s -> s.contains("jwt"))) { |
417 | 424 | return Collections.emptyMap(); |
418 | 425 | } |
419 | 426 |
|
@@ -454,15 +461,17 @@ protected Map<HTTPMethod, List<JWTMethodConfiguration>> findJwtAuthorizationMeth |
454 | 461 |
|
455 | 462 | if (!jwtMethods.keySet().containsAll(authenticatedMethods)) { |
456 | 463 | throw new PrimeException("The action class [" + actionClass + "] is missing at a JWT Authorization method. " + |
457 | | - "The class must define one or more methods annotated " + JWTAuthorizeMethod.class.getSimpleName() + " when [jwtEnabled] is set to [true]. " |
458 | | - + "Ensure that for each execute method in your action such as post, put, get and delete that a method is configured to authorize the JWT."); |
| 464 | + "The class must define one or more methods annotated " + JWTAuthorizeMethod.class.getSimpleName() + " when [jwtEnabled] " + |
| 465 | + "is set to [true] which deprecated, or you are using a jwt based security scheme. You action has" + |
| 466 | + " defined the following security schemes [" + String.join(", ", securitySchemes) + "].Ensure that for each execute " + |
| 467 | + "method in your action such as post, put, get and delete that a method is configured to authorize the JWT."); |
459 | 468 | } |
460 | 469 |
|
461 | 470 | return jwtMethods; |
462 | 471 | } |
463 | 472 |
|
464 | 473 | /** |
465 | | - * Finds all of the result configurations for the action class. |
| 474 | + * Finds all the result configurations for the action class. |
466 | 475 | * |
467 | 476 | * @param actionClass The action class. |
468 | 477 | * @return The map of all the result configurations. |
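Review bot: The new exception text at lines 465–466 has wording defects that will reach users as the thrown message: `"is set to [true] which deprecated, or you are using a jwt based security scheme. You action has"` should read `"is set to [true], which is deprecated, or you are using a JWT based security scheme. Your action has"`, and `].Ensure` on line 466 is missing the space after the period. Separately, the guard at line 423 uses `s.contains("jwt")`, which also binds the JWT authorization methods for any scheme whose name merely contains that substring; if the intent is the `jwt-1`/`jwt-` naming described in the comment above it, `s.startsWith("jwt")` expresses that more tightly, though whether the looser match is deliberate is something I can only infer from the comment. The comment at line 417 also appears to mean `jwt-2` rather than `jwt-` as its second example. The body of findJwtAuthorizationMethods between the two hunks is outside the visible lines, so the validation that produces this message is only partly reviewable here.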
|