Re: [PR] fix: REVERT "fix: enforce @RolesAllowed on microservice resources" [texera]

Sat, 23 May 2026 21:45:27 -0700 


Copilot commented on code in PR #5173:
URL: https://github.com/apache/texera/pull/5173#discussion_r3293907325


##########
workflow-compiling-service/src/main/scala/org/apache/texera/service/WorkflowCompilingService.scala:
##########
@@ -56,16 +53,14 @@ class WorkflowCompilingService extends 
Application[WorkflowCompilingServiceConfi
     // serve backend at /api
     environment.jersey.setUrlPattern("/api/*")
 
-    environment.jersey.register(classOf[HealthCheckResource])
-
-    WorkflowCompilingService.registerAuthFeatures(environment)
-
     SqlServer.initConnection(
       StorageConfig.jdbcUrl,
       StorageConfig.jdbcUsername,
       StorageConfig.jdbcPassword
     )
 
+    environment.jersey.register(classOf[HealthCheckResource])
+
     // register the compilation endpoint
     environment.jersey.register(classOf[WorkflowCompilationResource])
 

Review Comment:
   `WorkflowCompilationResource` is annotated with `@RolesAllowed`, but this 
service no longer registers any auth filter or `RolesAllowedDynamicFeature`. In 
Dropwizard/Jersey this means the role annotations won’t be enforced and 
`/api/compile` becomes effectively unauthenticated. Either restore JWT/auth + 
`RolesAllowedDynamicFeature` registration (and the needed dependencies), or 
remove `@RolesAllowed` from the resource and ensure the endpoint is not exposed 
publicly.



##########
config-service/src/main/scala/org/apache/texera/service/ConfigService.scala:
##########
@@ -72,9 +71,6 @@ class ConfigService extends 
Application[ConfigServiceConfiguration] with LazyLog
       new 
io.dropwizard.auth.AuthValueFactoryProvider.Binder(classOf[SessionUser])
     )
 
-    // Enforce @RolesAllowed annotations on resource methods
-    environment.jersey.register(classOf[RolesAllowedDynamicFeature])
-
     environment.jersey.register(new ConfigResource)
 

Review Comment:
   This service still registers `AuthDynamicFeature`, but it no longer 
registers `RolesAllowedDynamicFeature`. Since `ConfigResource` methods are 
annotated with `@RolesAllowed`, those role checks will not be enforced by 
Jersey, weakening access control on `/api/config/*`. Re-register 
`RolesAllowedDynamicFeature` (or remove `@RolesAllowed` usages and replace with 
an alternative authorization mechanism).



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to