Authorization

The SSE endpoint can be secured in one of three mutually exclusive ways. The chosen mode is selected purely by configuration under jeap.sse.web.*; the bean wiring in ServerSentEventsWebAutoConfiguration picks the matching NotifyClientAuthorization implementation, and NotifyClientAuthorizationConfigurationValidator rejects ambiguous or empty combinations at startup.

The native browser EventSource cannot send custom headers, so authentication for SSE typically relies on a JWT carried as a cookie scoped to the endpoint path. See Client integration for the client-side implications.

Insecure (development only)

jeap:
  sse:
    web:
      insecure:
        enabled: true

Permits unauthenticated access: SseApiWebSecurityConfig registers a high-precedence SecurityFilterChain that matches the endpoint and applies permitAll(). Use it only locally or in tests; it is mutually exclusive with the auth properties below.

Simple (role-based)

jeap:
  sse:
    web:
      auth:
        role: declaration-reader

NotifyClientAuthorizationSimple requires a JeapAuthenticationToken in the security context and checks ServletSimpleAuthorization.hasRole(role). Requires the jEAP security starter to provide a ServletSimpleAuthorization bean; otherwise startup validation fails.

Semantic (resource / operation)

jeap:
  sse:
    web:
      auth:
        resource: declaration
        operation: read

NotifyClientAuthorizationSemantic requires a JeapAuthenticationToken and checks ServletSemanticAuthorization.hasRole(resource, operation). Both resource and operation must be set together. Requires a ServletSemanticAuthorization bean from the jEAP security starter.

Failure behaviour

When an authorization check fails, the controller throws UnauthorizedSseAccessException, mapped to an HTTP error by RestResponseExceptionHandler. A missing or wrong token type (not a JeapAuthenticationToken) is rejected before the role/resource check.
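To make the three configuration modes and the failure behaviour above concrete, here is an added Python model (not the library's code) of what the startup validation and the per-request check decide. Property and class names mirror this page; the Principal shape, its grants pairs and the denial strings are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

class ConfigurationError(ValueError):
    """Startup rejection of an ambiguous or empty mode combination."""

@dataclass(frozen=True)
class SseWebConfig:
    insecure_enabled: bool = False        # jeap.sse.web.insecure.enabled
    auth_role: Optional[str] = None       # jeap.sse.web.auth.role
    auth_resource: Optional[str] = None   # jeap.sse.web.auth.resource
    auth_operation: Optional[str] = None  # jeap.sse.web.auth.operation

def select_mode(cfg: SseWebConfig) -> str:
    """Return 'insecure', 'simple' or 'semantic'; reject anything else."""
    simple = cfg.auth_role is not None
    semantic = cfg.auth_resource is not None or cfg.auth_operation is not None
    if semantic and (cfg.auth_resource is None or cfg.auth_operation is None):
        raise ConfigurationError("resource and operation must be set together")
    chosen = [m for m, on in (("insecure", cfg.insecure_enabled),
                              ("simple", simple), ("semantic", semantic)) if on]
    if len(chosen) != 1:
        raise ConfigurationError(f"exactly one mode expected, got {chosen or 'none'}")
    return chosen[0]

def startup_accepts(cfg: SseWebConfig) -> bool:
    try:
        return select_mode(cfg) is not None
    except ConfigurationError:
        return False

@dataclass(frozen=True)
class Principal:                         # constructed stand-in for the security context
    token_type: str                      # e.g. "JeapAuthenticationToken"
    roles: frozenset = frozenset()       # roles seen by the simple check
    grants: frozenset = frozenset()      # (resource, operation) pairs for the semantic check

def authorize(cfg: SseWebConfig, principal: Optional[Principal]) -> str:
    """Return 'allowed' or the reason an UnauthorizedSseAccessException is raised."""
    mode = select_mode(cfg)
    if mode == "insecure":
        return "allowed"
    # The token type is rejected before any role/resource check runs.
    if principal is None or principal.token_type != "JeapAuthenticationToken":
        return "denied: no JeapAuthenticationToken in security context"
    if mode == "simple":
        ok = cfg.auth_role in principal.roles
    else:
        ok = (cfg.auth_resource, cfg.auth_operation) in principal.grants
    return "allowed" if ok else f"denied: {mode} check failed"
```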