
Quarkus Security overview

Quarkus Security is a framework that provides the architecture, multiple authentication and authorization mechanisms, and other tools that developers can use to build production-grade security into their Quarkus applications.

Before building security into your Quarkus applications, learn about the Quarkus Security architecture and the different authentication mechanisms and features that you can use.

Key features of Quarkus Security

The Quarkus Security framework provides built-in security authentication mechanisms for Basic, Form-based, and mutual TLS (mTLS) authentication. You can also use other well-known authentication mechanisms, such as OpenID Connect (OIDC) and WebAuthn.

Authentication mechanisms depend on Identity providers to verify the authentication credentials and map them to a SecurityIdentity instance, which has the username, roles, original authentication credentials, and other attributes.

Quarkus also includes built-in security to allow for role-based access control (RBAC) based on the common security annotations @RolesAllowed, @DenyAll and @PermitAll on REST endpoints and CDI beans. For more information, see the Quarkus Authorization of web endpoints guide.

Quarkus Security also supports the following features:

Quarkus Security is also highly customizable. For more information, see the Quarkus Security tips and tricks guide.

Getting started with Quarkus Security

To get started with security in Quarkus, consider securing your Quarkus application endpoints with the built-in Quarkus Basic authentication and the Jakarta Persistence identity provider and enabling role-based access control.

After successfully securing your Quarkus application with Basic authentication, you can increase the security further by adding more advanced authentication mechanisms, for example, the OpenID Connect (OIDC) authorization code flow mechanism.
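The following is an added example, not code from the Quarkus project or its documentation, that puts the two preceding paragraphs and the RBAC annotations described above into one small application: Basic authentication, the Jakarta Persistence identity provider that resolves the submitted username and password into a SecurityIdentity, and role checks on REST endpoints. It assumes the quarkus-rest (or quarkus-resteasy-reactive), quarkus-security-jpa, quarkus-hibernate-orm-panache and quarkus-jdbc-h2 extensions, the application.properties lines shown in the leading comment, and the hypothetical package, class, path and role names used below. The three classes are shown in one block for readability; each would live in its own file.

```java
// Assumed src/main/resources/application.properties (not part of the original page):
//   quarkus.http.auth.basic=true
//   quarkus.datasource.db-kind=h2
//   quarkus.datasource.jdbc.url=jdbc:h2:mem:security
//   quarkus.hibernate-orm.database.generation=drop-and-create
package org.acme.security;

import io.quarkus.elytron.security.common.BcryptUtil;
import io.quarkus.hibernate.orm.panache.PanacheEntity;
import io.quarkus.runtime.StartupEvent;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.jpa.Password;
import io.quarkus.security.jpa.Roles;
import io.quarkus.security.jpa.UserDefinition;
import io.quarkus.security.jpa.Username;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.event.Observes;
import jakarta.inject.Inject;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.Table;
import jakarta.transaction.Transactional;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

// File 1 (User.java): the entity the JPA identity provider reads when it verifies a
// Basic-auth username/password pair. The table name avoids the reserved word USER.
@Entity
@Table(name = "app_user")
@UserDefinition
public class User extends PanacheEntity {

    @Username
    @Column(unique = true)
    public String username;

    // Stored as a bcrypt hash; the provider hashes the submitted password and compares.
    @Password
    public String password;

    // Comma-separated role names, for example "admin,user".
    @Roles
    public String role;

    public static void add(String username, String plaintextPassword, String role) {
        User user = new User();
        user.username = username;
        // Never store the plaintext; BcryptUtil produces a salted bcrypt hash.
        user.password = BcryptUtil.bcryptHash(plaintextPassword);
        user.role = role;
        user.persist();
    }
}

// File 2 (Startup.java): seeds two constructed demo accounts at boot (sample data only).
@ApplicationScoped
class Startup {
    @Transactional
    void loadUsers(@Observes StartupEvent event) {
        User.deleteAll();
        User.add("admin", "admin-demo-password", "admin");
        User.add("alice", "alice-demo-password", "user");
    }
}

// File 3 (ApiResource.java): RBAC with the standard Jakarta security annotations.
@Path("/api")
class ApiResource {

    // Populated by the identity provider with the username, roles and credentials.
    @Inject
    SecurityIdentity identity;

    @GET
    @Path("/public")
    @PermitAll
    @Produces(MediaType.TEXT_PLAIN)
    public String publicEndpoint() {
        return "anyone may read this";
    }

    @GET
    @Path("/me")
    @RolesAllowed({"user", "admin"})
    @Produces(MediaType.TEXT_PLAIN)
    public String me() {
        return identity.getPrincipal().getName() + " has roles " + identity.getRoles();
    }

    @GET
    @Path("/admin")
    @RolesAllowed("admin")
    @Produces(MediaType.TEXT_PLAIN)
    public String adminOnly() {
        return "admin only";
    }
}
```

With this configuration, `curl -u alice:alice-demo-password http://localhost:8080/api/me` returns 200, the same credentials against /api/admin return 403 because alice lacks the admin role, and a request with no credentials to either protected path returns 401 with a Basic challenge. Basic authentication sends the credentials, base64-encoded, on every request, so in any deployment it belongs behind TLS; the OIDC authorization code flow mentioned above is the usual next step once this baseline works.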

Quarkus Security testing

Guidance for testing Quarkus Security features and ensuring that your Quarkus applications are securely protected is provided in the Quarkus Security testing guide.
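As an added example, not taken from the Quarkus Security testing guide, the following test class shows the shape of checks that catch authorization regressions: it asserts the negative cases (anonymous and under-privileged callers are rejected) as well as the positive one. It assumes an application exposing GET /api/public (@PermitAll), GET /api/me (any authenticated user) and GET /api/admin (role admin only), with Basic authentication enabled and quarkus-junit5, rest-assured and quarkus-test-security on the test classpath; the @TestSecurity annotation substitutes a test identity so no real user records or passwords are needed.

```java
package org.acme.security;

import static io.restassured.RestAssured.given;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import org.junit.jupiter.api.Test;

// Added example; the paths and roles are assumptions about the application under test.
@QuarkusTest
public class ApiResourceSecurityTest {

    @Test
    public void anonymousIsChallengedOnProtectedEndpoint() {
        // No identity at all: Basic auth answers 401 (a challenge), not 403.
        given().when().get("/api/admin").then().statusCode(401);
        given().when().get("/api/me").then().statusCode(401);
    }

    @Test
    public void anonymousCanReachPermitAllEndpoint() {
        given().when().get("/api/public").then().statusCode(200);
    }

    @Test
    @TestSecurity(user = "alice", roles = "user")
    public void userRoleIsForbiddenOnAdminEndpoint() {
        // Authenticated but lacking the role: must be 403, never 200.
        given().when().get("/api/admin").then().statusCode(403);
        // The same identity is still allowed where its role is listed.
        given().when().get("/api/me").then().statusCode(200);
    }

    @Test
    @TestSecurity(user = "root", roles = "admin")
    public void adminRoleIsAllowed() {
        given().when().get("/api/admin").then().statusCode(200);
    }
}
```

The two rejection tests are the ones worth keeping as the application grows: an endpoint that accidentally loses its @RolesAllowed annotation, or a mechanism that is accidentally disabled, still passes the admin test but fails these.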

More about security features in Quarkus

Cross-Origin Resource Sharing

To make your Quarkus application accessible to another application running on a different domain, you need to configure cross-origin resource sharing (CORS). For more information about the CORS filter that Quarkus provides, see the Quarkus CORS filter section of the "Cross-origin resource sharing" guide.

Cross-Site Request Forgery (CSRF) prevention

Quarkus Security provides a RESTEasy Reactive filter that can protect your applications against a Cross-Site Request Forgery attack. For more information, see the Quarkus Cross-Site Request Forgery Prevention guide.

SameSite cookies

You can add a SameSite cookie property to any of the cookies set by a Quarkus endpoint. For more information, see the Quarkus SameSite cookies guide.

Secrets engines

Quarkus provides very comprehensive HashiCorp Vault support. For more information, see the Quarkus and HashiCorp Vault documentation.

Secrets in environment properties

Quarkus provides support to store secrets in environment properties. See store secrets in an environment properties file.

Secure serialization

If your Quarkus Security architecture includes RESTEasy Reactive and Jackson, Quarkus can limit the fields that are included in JSON serialization based on the configured security. For more information, see the Quarkus Writing REST services with RESTEasy Reactive guide.
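The following added example (not code from the Quarkus project) illustrates the field-level limiting described above with the @SecureField annotation from the RESTEasy Reactive Jackson integration. It assumes the quarkus-resteasy-reactive-jackson extension (quarkus-rest-jackson in newer releases), that @SecureField is available under io.quarkus.resteasy.reactive.jackson with a rolesAllowed attribute, and the hypothetical Employee type, /employees path and role names used here.

```java
package org.acme.security;

import io.quarkus.resteasy.reactive.jackson.SecureField;
import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import java.util.List;

// Added example; the type, fields and roles are assumptions, not part of the original page.
public class Employee {

    public String name;
    public String department;

    // Serialized only when the caller's SecurityIdentity carries the "hr" role;
    // for every other caller the field is left out of the JSON entirely.
    @SecureField(rolesAllowed = "hr")
    public String homeAddress;

    @SecureField(rolesAllowed = "hr")
    public int salary;

    public Employee(String name, String department, String homeAddress, int salary) {
        this.name = name;
        this.department = department;
        this.homeAddress = homeAddress;
        this.salary = salary;
    }
}

@Path("/employees")
class EmployeeResource {

    @GET
    @RolesAllowed({"user", "hr"})
    @Produces(MediaType.APPLICATION_JSON)
    public List<Employee> list() {
        // Constructed sample data so the endpoint runs without a database.
        return List.of(
                new Employee("Ada", "engineering", "1 Example Street", 100000),
                new Employee("Grace", "research", "2 Example Street", 120000));
    }
}
```

Under these assumptions a caller with only the user role receives `[{"name":"Ada","department":"engineering"},...]`, while a caller with the hr role receives all four fields. The check is applied at serialization time, so the same endpoint and the same objects serve both audiences; the usual mistake to test for is a second endpoint that returns the same type through a path where the security annotations were forgotten, since then the role check on the resource method is absent even though the field annotations remain.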

Secure auto-generated resources by REST Data with Panache

If you use the REST Data with Panache extension to auto-generate your resources, you can still use security annotations within the package. For more information, see the Securing auto-generated resources section of the Quarkus "Generating Jakarta REST resources with Panache" guide.

Security vulnerability detection

Most Quarkus tags get reported in the US National Vulnerability Database (NVD). For information about security vulnerabilities, see the Security vulnerability detection and reporting in Quarkus guide.