Quarkus Security overview

Quarkus Security is a framework that provides the architecture, multiple authentication and authorization mechanisms, and other tools for you to build secure and production-quality Java applications.

Before you start building security into your Quarkus applications, learn about the Quarkus Security architecture and the different authentication mechanisms and features that you can use.

Key features of Quarkus Security

The Quarkus Security framework provides built-in authentication mechanisms for Basic, Form-based, and mutual TLS (mTLS) authentication. You can also use other well-known authentication mechanisms, such as OpenID Connect (OIDC) and WebAuthn.

Authentication mechanisms depend on identity providers to verify the authentication credentials and map them to a SecurityIdentity instance, which carries the username, roles, original authentication credentials, and other attributes.

Quarkus also includes built-in role-based access control (RBAC) based on the common security annotations @RolesAllowed, @DenyAll, and @PermitAll on REST endpoints and CDI beans. For more information, see Authorization of web endpoints.
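The following is an added example, not code from the Quarkus documentation, showing the three annotations on a Jakarta REST resource and on a CDI bean, together with the injected SecurityIdentity described above. The resource path, role names, and the AuditService bean are illustrative assumptions.

```java
// Added example (not from the Quarkus docs): RBAC with the jakarta.annotation.security
// annotations on a Jakarta REST resource and on a CDI bean, plus SecurityIdentity
// injection. The path, role names and the AuditService bean are assumptions.
package org.acme.security;

import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

import io.quarkus.security.identity.SecurityIdentity;

@Path("/api")
@DenyAll // secure default: every method is denied unless it opts in below
public class AccountResource {

    @Inject
    SecurityIdentity identity;

    @Inject
    AuditService audit;

    @GET
    @Path("/public")
    @PermitAll
    @Produces(MediaType.TEXT_PLAIN)
    public String publicInfo() {
        // Anonymous callers reach this; identity.isAnonymous() is true for them.
        return identity.isAnonymous()
                ? "hello, anonymous"
                : "hello, " + identity.getPrincipal().getName();
    }

    @GET
    @Path("/me")
    @RolesAllowed({ "user", "admin" })
    @Produces(MediaType.TEXT_PLAIN)
    public String me() {
        // Unauthenticated caller -> 401; authenticated without one of the roles -> 403.
        return identity.getPrincipal().getName() + " roles=" + identity.getRoles();
    }

    @GET
    @Path("/admin/audit")
    @RolesAllowed("admin")
    @Produces(MediaType.TEXT_PLAIN)
    public String auditLog() {
        return audit.dump(identity.getPrincipal().getName());
    }

    // No annotation of its own, so it inherits the class-level @DenyAll and is never
    // reachable until somebody deliberately opens it: the safe failure mode for new methods.
    @GET
    @Path("/internal")
    @Produces(MediaType.TEXT_PLAIN)
    public String internal() {
        return "unreachable";
    }
}

// The same annotations work on CDI beans. The check runs at the bean method boundary,
// so a resource that forgot its own annotation cannot bypass it.
@ApplicationScoped
class AuditService {

    @RolesAllowed("admin")
    public String dump(String requestedBy) {
        return "audit log requested by " + requestedBy;
    }
}
```

Without a class-level @DenyAll, an endpoint that carries no security annotation is permitted to everyone; if you prefer that default to be deny, set quarkus.security.jaxrs.deny-unannotated-endpoints=true in application.properties so that an unannotated endpoint fails closed instead of open.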

Quarkus Security also supports the additional features described under More about security features in Quarkus, below.

Quarkus Security is also highly customizable. For more information, see Security customization.

Getting started with Quarkus Security

To get started with security in Quarkus, we recommend that you combine the Quarkus built-in Basic authentication with the Jakarta Persistence identity provider to enable role-based access control (RBAC). Complete the steps in the Secure a Quarkus application with Basic authentication tutorial.
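As an added illustration of that combination (this is example code, not the tutorial's own), the following entity is what the Jakarta Persistence identity provider (quarkus-security-jpa) reads credentials from, and the seeder populates it at startup. The table name, the seeded accounts and passwords, and the application.properties lines in the header comment are assumptions; the database used here is in-memory H2.

```java
// Added example (not from the Quarkus docs): user entity for the Jakarta Persistence
// identity provider plus a startup seeder. Names, accounts and properties are assumptions.
//
// Assumed application.properties:
//   quarkus.http.auth.basic=true
//   quarkus.datasource.db-kind=h2
//   quarkus.datasource.jdbc.url=jdbc:h2:mem:security
//   quarkus.hibernate-orm.database.generation=drop-and-create
//
// Assumed dependencies: quarkus-security-jpa, quarkus-hibernate-orm-panache,
// quarkus-jdbc-h2, and a REST extension for the endpoints being protected.
package org.acme.security;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.event.Observes;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import jakarta.persistence.Table;
import jakarta.transaction.Transactional;

import io.quarkus.elytron.security.common.BcryptUtil;
import io.quarkus.hibernate.orm.panache.PanacheEntityBase;
import io.quarkus.runtime.StartupEvent;
import io.quarkus.security.jpa.Password;
import io.quarkus.security.jpa.Roles;
import io.quarkus.security.jpa.UserDefinition;
import io.quarkus.security.jpa.Username;

@Entity
@Table(name = "app_user")
@UserDefinition // marks this entity as the source of credentials for quarkus-security-jpa
public class User extends PanacheEntityBase {

    @Id
    @GeneratedValue
    public Long id;

    @Username
    @Column(unique = true, nullable = false)
    public String username;

    // Stored as a bcrypt hash in Modular Crypt Format, never in clear text.
    // @Password defaults to the MCF type, which is what BcryptUtil.bcryptHash() produces.
    @Password
    @Column(nullable = false)
    public String password;

    // Comma-separated role names; the provider splits them into SecurityIdentity roles.
    @Roles
    @Column(nullable = false)
    public String role;

    public static void add(String username, String clearTextPassword, String roles) {
        User user = new User();
        user.username = username;
        user.password = BcryptUtil.bcryptHash(clearTextPassword);
        user.role = roles;
        user.persist();
    }
}

@ApplicationScoped
class UserSeeder {

    @Transactional
    void seed(@Observes StartupEvent ev) {
        // Constructed demo accounts; real users come from a provisioning flow.
        User.add("alice", "alice-password", "admin,user");
        User.add("bob", "bob-password", "user");
    }
}
```

With this in place, a request such as curl -u bob:bob-password http://localhost:8080/api/me is authenticated against the app_user table and the SecurityIdentity for bob carries the single role user. Basic authentication sends the credentials base64-encoded in every request, so in production serve the application over TLS only; Quarkus can refuse plain HTTP with quarkus.http.insecure-requests=disabled.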

After you have successfully secured your Quarkus application with Basic authentication, you can increase the security further by adding more advanced authentication mechanisms, for example, OpenID Connect (OIDC) authentication.

Quarkus Security testing

Guidance for testing Quarkus Security features and ensuring that your Quarkus applications are securely protected is provided in Security Testing.

More about security features in Quarkus

Cross-origin resource sharing

To make your Quarkus application accessible to another application running on a different domain, you need to configure cross-origin resource sharing (CORS). For more information about the CORS filter that is provided by Quarkus, see the HTTP reference information.

Cross-site Request Forgery (CSRF) prevention

Quarkus Security provides a RESTEasy Reactive filter that can protect your applications against a Cross-Site Request Forgery attack. For more information, see Cross-Site Request Forgery Prevention.

SameSite cookies

You can add a SameSite cookie property to any of the cookies set by a Quarkus endpoint. For more information, see SameSite cookies.

Secrets engines

Secrets engines are components that store, generate, or encrypt data.

Quarkus provides comprehensive HashiCorp Vault support. For more information, see the Quarkus and HashiCorp Vault documentation.

Secure serialization

If your Quarkus Security architecture includes RESTEasy Reactive and Jackson, Quarkus can limit the fields that are included in JSON serialization based on the configured security. For more information, see Writing REST services with RESTEasy Reactive.
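An added example of that behaviour, not taken from the RESTEasy Reactive guide: the @SecureField annotation from the RESTEasy Reactive Jackson extension marks properties that are serialized only when the caller holds one of the listed roles. The Customer type, its fields, the endpoint and the role names are assumptions; the two classes are shown as they would sit in two files.

```java
// Added example (not from the Quarkus docs): role-based JSON field filtering with
// @SecureField. The DTO, endpoint and role names are illustrative assumptions.
package org.acme.security;

import jakarta.annotation.security.PermitAll;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

import io.quarkus.resteasy.reactive.jackson.SecureField;

// Customer.java
public class Customer {

    public String name;
    public String email;

    // Serialized only when the caller's SecurityIdentity has the "admin" role;
    // for everybody else the property is omitted from the JSON entirely.
    @SecureField(rolesAllowed = "admin")
    public String taxId;

    @SecureField(rolesAllowed = { "admin", "support" })
    public String internalNotes;

    public Customer() {
    }

    public Customer(String name, String email, String taxId, String internalNotes) {
        this.name = name;
        this.email = email;
        this.taxId = taxId;
        this.internalNotes = internalNotes;
    }
}

// CustomerResource.java
@Path("/customers")
public class CustomerResource {

    @GET
    @PermitAll
    @Produces(MediaType.APPLICATION_JSON)
    public Customer get() {
        // The same object is returned to every caller; what they receive depends on roles:
        //   anonymous or "user" -> name and email only
        //   "support"           -> plus internalNotes
        //   "admin"             -> plus taxId and internalNotes
        // Constructed sample data.
        return new Customer("Ada", "ada@example.com", "123-45-6789", "VIP account");
    }
}
```

This filters the response body; it is not a substitute for authorizing the endpoint itself, so @RolesAllowed on the resource still decides who may call it at all. The filtering applies when the method returns the annotated type directly as shown here, so check the RESTEasy Reactive guide for the exact constraints on wrapped return types before relying on it.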

Secure auto-generated resources by REST Data with Panache

If you are using the REST Data with Panache extension to auto-generate your resources, you can still apply the security annotations from the package jakarta.annotation.security to the resource interface. For more information, see Securing auto-generated resources.
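The following added example (not from the REST Data with Panache guide) shows the pattern: the annotations go on the resource interface and on the generated methods you re-declare there. The Person entity, the PeopleResource interface and the role names are assumptions, as are the method signatures being re-declared from PanacheEntityResource.

```java
// Added example (not from the Quarkus docs): securing an auto-generated REST Data with
// Panache resource. Entity, interface and role names are assumptions.
package org.acme.security;

import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.persistence.Entity;

import io.quarkus.hibernate.orm.panache.PanacheEntity;
import io.quarkus.hibernate.orm.rest.data.panache.PanacheEntityResource;

// Person.java
@Entity
public class Person extends PanacheEntity {
    public String name;
}

// PeopleResource.java
// Class-level @DenyAll closes every generated endpoint (list, count, get, add, update,
// delete); only the methods re-declared below with @RolesAllowed are opened again.
@DenyAll
public interface PeopleResource extends PanacheEntityResource<Person, Long> {

    @RolesAllowed({ "user", "admin" })
    Person get(Long id);

    @RolesAllowed("admin")
    boolean delete(Long id);
}
```

Re-declaring a method changes only its annotations; the generated implementation is unchanged. Any generated endpoint you do not re-declare stays denied, which is the right default for write operations such as add and update on an entity that exposes personal data.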

Security vulnerability detection

Most of the Quarkus tags are reported in the US National Vulnerability Database (NVD). For information about security vulnerabilities, see Security vulnerability detection and reporting in Quarkus.