Fix BOLA (Broken Object Level Authorization) in Quarkus
BOLA (Broken Object Level Authorization) is the #1 API threat. In Quarkus, developers often mistake authentication for authorization. Just because a user presents a valid JWT doesn't mean they should be able to read resource ID 123. If your Panache queries don't explicitly filter by the 'owner' or 'tenant' field derived from the 'SecurityIdentity', you are wide open to IDOR attacks.
The Vulnerable Pattern
import io.quarkus.security.Authenticated;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;

@Path("/api/invoices")
@Authenticated
public class InvoiceResource {

    @GET
    @Path("/{id}")
    public Invoice getInvoice(@PathParam("id") Long id) {
        // VULNERABLE: any authenticated user can read any invoice ID;
        // the lookup never checks who owns the row
        return Invoice.findById(id);
    }
}
The Secure Implementation
The vulnerability exists because the application trusts the ID supplied in the URI without verifying the relationship between the authenticated subject and the requested resource. The fix injects the 'SecurityIdentity' to retrieve the verified principal, then changes the database query so that ownership is enforced at the persistence layer rather than in an easily forgotten check in the handler. Using '.singleResultOptional()' and throwing a 'ForbiddenException' (or a 404, which avoids confirming that the ID exists and so hinders enumeration) ensures that an attacker cannot read data belonging to other users even when they guess a valid object ID.
import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.inject.Inject;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;

@Path("/api/invoices")
@Authenticated
public class InvoiceResource {

    @Inject
    SecurityIdentity identity;

    @GET
    @Path("/{id}")
    public Invoice getInvoice(@PathParam("id") Long id) {
        // The principal name comes from the verified JWT / security context, never from the request
        String currentUsername = identity.getPrincipal().getName();
        // SECURE: the query filters by both ID and owner, so ownership is enforced in the database.
        // The explicit <Invoice> type witness keeps the chained Panache call typed as Invoice.
        return Invoice.<Invoice>find("id = ?1 and owner = ?2", id, currentUsername)
                .singleResultOptional()
                .orElseThrow(() -> new ForbiddenException("Access Denied: Object ownership mismatch"));
    }
}
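A regression test for the secure resource above, added here as an illustration and not part of the original article. It uses Quarkus's '@TestSecurity' to act as one user and request another user's invoice, so a future regression to the unfiltered 'findById' lookup fails the build. It assumes the 'Invoice' Panache entity has 'owner' (String) and 'amount' (long) fields, a Dev Services database, and the 'quarkus-junit5', 'quarkus-test-security' and 'rest-assured' test dependencies.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.is;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import jakarta.transaction.Transactional;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

@QuarkusTest
class InvoiceResourceBolaTest {

    long aliceInvoiceId;
    long bobInvoiceId;

    // Constructed fixture: one invoice per user so a cross-user read can be attempted.
    // Assumes Invoice has 'owner' and 'amount' fields (not shown in the article).
    @BeforeEach
    @Transactional
    void seed() {
        Invoice.deleteAll();
        aliceInvoiceId = persist("alice", 100);
        bobInvoiceId = persist("bob", 200);
    }

    private long persist(String owner, long amount) {
        Invoice invoice = new Invoice();
        invoice.owner = owner;
        invoice.amount = amount;
        invoice.persist();
        return invoice.id;
    }

    @Test
    @TestSecurity(user = "alice", roles = "user")
    void ownerCanReadOwnInvoice() {
        given().when().get("/api/invoices/" + aliceInvoiceId)
               .then().statusCode(200).body("owner", is("alice"));
    }

    @Test
    @TestSecurity(user = "alice", roles = "user")
    void authenticatedUserCannotReadAnotherUsersInvoice() {
        // The BOLA check: a valid identity with someone else's ID must be refused.
        given().when().get("/api/invoices/" + bobInvoiceId)
               .then().statusCode(403);
    }

    @Test
    void anonymousRequestIsRejected() {
        // @Authenticated on the resource turns away unauthenticated callers
        given().when().get("/api/invoices/" + aliceInvoiceId)
               .then().statusCode(401);
    }
}
```

If you adopt the 404 variant described above, change the expected status in the cross-user test to 404 so the test documents the chosen enumeration-resistant behaviour.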
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.