Annotation Interface RolesAllowed


@Retention(RUNTIME) @Target(TYPE) public @interface RolesAllowed
Restricts a handler to callers whose JWT contains at least one of the specified roles. Authentication is implicitly required — no need to combine with Authenticated.

Roles are read from the claim configured in OidcConfig.rolesClaimPath() (default: "roles"). Nested paths like "realm_access.roles" are supported with dot notation.


 // Single required role:
 @Route(method = HttpMethod.DELETE, path = "/api/admin/blogs/{id}")
 @RolesAllowed("admin")
 public class DeleteBlog extends JacksonHandler { ... }

 // Multiple accepted roles (OR semantics — any one role is sufficient):
 @RolesAllowed({"admin", "editor"})
 public class UpdateBlog extends JacksonHandler { ... }
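The check the annotation implies, written out as an added example (not the framework's own code): the roles claim path from OidcConfig.rolesClaimPath() is resolved with dot notation through the verified claims, and access is granted if any annotated role is present. It assumes the claims are already signature-verified and available as a Map; the class and method names are illustrative.

```java
import java.util.*;

public final class RolesAllowedCheck {

    // Walk a dot-separated claim path ("realm_access.roles") through nested
    // claim objects; returns null if any segment is missing or not an object.
    static Object resolveClaim(Map<String, Object> claims, String path) {
        Object current = claims;
        for (String segment : path.split("\\.")) {
            if (!(current instanceof Map)) {
                return null;
            }
            current = ((Map<?, ?>) current).get(segment);
            if (current == null) {
                return null;
            }
        }
        return current;
    }

    // OR semantics: grant if the caller holds at least one of the required roles.
    // A missing, non-list or empty claim yields false (deny by default).
    static boolean hasAnyRole(Map<String, Object> claims, String rolesClaimPath, String... required) {
        Object raw = resolveClaim(claims, rolesClaimPath);
        if (!(raw instanceof Collection)) {
            return false;
        }
        Set<String> granted = new HashSet<>();
        for (Object r : (Collection<?>) raw) {
            granted.add(String.valueOf(r));
        }
        return Arrays.stream(required).anyMatch(granted::contains);
    }

    public static void main(String[] args) {
        // Constructed sample claims (assumed already verified) with a nested roles list.
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "user-123");
        claims.put("realm_access", Map.of("roles", List.of("editor", "viewer")));

        // Mirrors @RolesAllowed({"admin", "editor"}) with rolesClaimPath "realm_access.roles".
        System.out.println(hasAnyRole(claims, "realm_access.roles", "admin", "editor"));
        // Mirrors @RolesAllowed("admin") on the same token.
        System.out.println(hasAnyRole(claims, "realm_access.roles", "admin"));
        // With the default path "roles" there is no such top-level claim, so access is denied.
        System.out.println(hasAnyRole(claims, "roles", "editor"));
    }
}
```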
  • Required Element Summary

    Required Elements
    Modifier and Type    Required Element    Description
    String[]             value               One or more role names.
  • Element Details

    • value

      String[] value
      One or more role names. Access is granted if the caller has any of them.