guicedee-auth
Annotation-driven authentication and authorization for GuicedEE with Vert.x 5: 8 optional providers (OAuth2/OIDC, JWT, ABAC, OTP/TOTP/HOTP, Property File, LDAP, htpasswd, htdigest), ChainAuth, @AuthOptions, @RolesAllowed/@PermitAll/@DenyAll, IGuicedAuthenticationProvider and IGuicedAuthorizationProvider SPIs, env var overrides, and Guice injection of all provider types. Use when adding authentication, authorization, security annotations, configuring auth providers, or implementing custom auth SPIs.
Best use case
guicedee-auth is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Annotation-driven authentication and authorization for GuicedEE with Vert.x 5: 8 optional providers (OAuth2/OIDC, JWT, ABAC, OTP/TOTP/HOTP, Property File, LDAP, htpasswd, htdigest), ChainAuth, @AuthOptions, @RolesAllowed/@PermitAll/@DenyAll, IGuicedAuthenticationProvider and IGuicedAuthorizationProvider SPIs, env var overrides, and Guice injection of all provider types. Use when adding authentication, authorization, security annotations, configuring auth providers, or implementing custom auth SPIs.
Teams using guicedee-auth should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/guicedee-auth/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How guicedee-auth Compares
| Feature / Agent | guicedee-auth | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Annotation-driven authentication and authorization for GuicedEE with Vert.x 5: 8 optional providers (OAuth2/OIDC, JWT, ABAC, OTP/TOTP/HOTP, Property File, LDAP, htpasswd, htdigest), ChainAuth, @AuthOptions, @RolesAllowed/@PermitAll/@DenyAll, IGuicedAuthenticationProvider and IGuicedAuthorizationProvider SPIs, env var overrides, and Guice injection of all provider types. Use when adding authentication, authorization, security annotations, configuring auth providers, or implementing custom auth SPIs.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# GuicedEE Auth
Annotation-driven, opt-in authentication and authorization for GuicedEE using Vert.x 5 auth modules.
## Architecture
All auth providers live in `com.guicedee.vertx` as optional dependencies. Each is activated **only** when its annotation is found on a class or `package-info.java`. Providers are chained via `ChainAuth` (ANY or ALL mode).
```
@AuthOptions (core) → ChainAuth, KeyStore, PEM, PRNG
@OAuth2Options → OAuth2/OIDC (vertx-auth-oauth2)
@JwtAuthOptions → JWT (vertx-auth-jwt)
@AbacOptions → ABAC policies (vertx-auth-abac)
@OtpAuthOptions → TOTP/HOTP (vertx-auth-otp)
@PropertyFileAuthOptions → Shiro properties (vertx-auth-properties)
@LdapAuthOptions → LDAP (vertx-auth-ldap)
@HtpasswdAuthOptions → htpasswd (vertx-auth-htpasswd)
@HtdigestAuthOptions → htdigest (vertx-auth-htdigest)
```
## Required Flow (any provider)
1. Add the Vert.x auth dependency for the provider(s) you need.
2. Add the annotation to `package-info.java` (or a class).
3. Add `requires` for the auth module in `module-info.java`.
4. Inject the provider type via Guice.
5. Use `@RolesAllowed`, `@PermitAll`, `@DenyAll` on REST endpoints.
## Provider Reference
### JWT — `@JwtAuthOptions`
**Dependency:** `io.vertx:vertx-auth-jwt`
**Module:** `requires io.vertx.auth.jwt;`
**Annotation package:** `com.guicedee.vertx.auth.jwt`
```java
@JwtAuthOptions(
keystorePath = "keystore.jceks",
keystoreType = "jceks",
keystorePassword = "${JWT_KEYSTORE_PASSWORD}",
algorithm = "RS256",
issuer = "my-corp.com",
audience = {"my-service"},
expiresInSeconds = 3600,
permissionsClaimKey = "realm_access/roles",
authorizationType = JwtAuthorizationType.MICROPROFILE
)
package com.example.auth;
```
**Env overrides:** `VERTX_AUTH_JWT_KEYSTORE_PATH`, `VERTX_AUTH_JWT_KEYSTORE_PASSWORD`, `VERTX_AUTH_JWT_ALGORITHM`, `VERTX_AUTH_JWT_ISSUER`, `VERTX_AUTH_JWT_AUDIENCE`, `VERTX_AUTH_JWT_EXPIRES_IN_SECONDS`, `VERTX_AUTH_JWT_PERMISSIONS_CLAIM_KEY`
**Guice bindings:** `JWTAuth`, `JWTAuthOptions`
**Provides both AuthN and AuthZ** (via JWTAuthorization or MicroProfileAuthorization).
### OAuth2 — `@OAuth2Options`
**Dependency:** `io.vertx:vertx-auth-oauth2`
**Module:** `requires io.vertx.auth.oauth2;`
**Annotation package:** `com.guicedee.vertx.auth.oauth2`
```java
@OAuth2Options(
flow = OAuth2Options.FlowType.AUTH_CODE,
clientId = "${OAUTH2_CLIENT_ID}",
clientSecret = "${OAUTH2_CLIENT_SECRET}",
site = "https://accounts.google.com",
tokenPath = "/o/oauth2/token",
authorizationPath = "/o/oauth2/auth",
discoveryUrl = "${OAUTH2_DISCOVERY_URL}",
callbackPath = "/callback"
)
package com.example.auth;
```
**Env overrides:** `VERTX_AUTH_OAUTH2_CLIENT_ID`, `VERTX_AUTH_OAUTH2_CLIENT_SECRET`, `VERTX_AUTH_OAUTH2_SITE`, `VERTX_AUTH_OAUTH2_DISCOVERY_URL`
**Guice binding:** `OAuth2Auth`
**AuthN only** — use with JWT or ABAC for authorization.
### ABAC — `@AbacOptions`
**Dependency:** `io.vertx:vertx-auth-abac`
**Module:** `requires io.vertx.auth.abac;`
**Annotation package:** `com.guicedee.vertx.auth.abac`
```java
@AbacOptions(
policyFiles = {"policies/admin.json", "policies/readonly.json"}
)
package com.example.auth;
```
Or inline:
```java
@AbacOptions(policies = {
"""{"name":"MFA DELETE","attributes":{"/principal/amr":{"eq":"mfa"}},
"authorizations":[{"type":"wildcard","permission":"web:DELETE"}]}"""
})
```
**SPI:** `IAbacPolicyProvider` — programmatic policies with custom `Attribute.create(Function<User, Boolean>)`.
**Env override:** `VERTX_AUTH_ABAC_POLICY_FILES`
**Guice binding:** `PolicyBasedAuthorizationProvider`
**AuthZ only.**
### OTP — `@OtpAuthOptions`
**Dependency:** `io.vertx:vertx-auth-otp`
**Module:** `requires io.vertx.auth.otp;`
**Annotation package:** `com.guicedee.vertx.auth.otp`
```java
@OtpAuthOptions(type = OtpType.TOTP, passwordLength = 6, period = 30)
package com.example.auth;
```
**Required SPI:** `IOtpAuthenticatorService` — must implement `authenticatorFetcher()` and `authenticatorUpdater()` for storage.
```java
provides IOtpAuthenticatorService with MyOtpService;
```
**Env overrides:** `VERTX_AUTH_OTP_TYPE`, `VERTX_AUTH_OTP_PASSWORD_LENGTH`, `VERTX_AUTH_OTP_PERIOD`, `VERTX_AUTH_OTP_LOOK_AHEAD_WINDOW`, `VERTX_AUTH_OTP_COUNTER`
**Guice binding:** `TotpAuth` or `HotpAuth` (depending on type)
**AuthN only.**
### Property File — `@PropertyFileAuthOptions`
**Dependency:** `io.vertx:vertx-auth-properties`
**Module:** `requires io.vertx.auth.properties;`
**Annotation package:** `com.guicedee.vertx.auth.properties`
```java
@PropertyFileAuthOptions(path = "auth.properties")
package com.example.auth;
```
File format (Apache Shiro):
```properties
user.tim = mypassword,administrator,developer
user.bob = hispassword,developer
role.administrator = *
role.developer = do_actual_work
```
**Env override:** `VERTX_AUTH_PROPERTIES_PATH`
**Guice bindings:** `PropertyFileAuthentication`, `PropertyFileAuthorization`
**Both AuthN and AuthZ.**
### LDAP — `@LdapAuthOptions`
**Dependency:** `io.vertx:vertx-auth-ldap`
**Module:** `requires io.vertx.auth.ldap;`
**Annotation package:** `com.guicedee.vertx.auth.ldap`
```java
@LdapAuthOptions(
url = "${LDAP_URL}",
authenticationQuery = "uid={0},ou=users,dc=example,dc=com",
authenticationMechanism = "simple",
referral = "follow"
)
package com.example.auth;
```
**Env overrides:** `VERTX_AUTH_LDAP_URL`, `VERTX_AUTH_LDAP_AUTHENTICATION_QUERY`, `VERTX_AUTH_LDAP_AUTHENTICATION_MECHANISM`, `VERTX_AUTH_LDAP_REFERRAL`
**Guice binding:** `LdapAuthentication`
**AuthN only.**
### htpasswd — `@HtpasswdAuthOptions`
**Dependency:** `io.vertx:vertx-auth-htpasswd`
**Module:** `requires io.vertx.auth.htpasswd;`
**Annotation package:** `com.guicedee.vertx.auth.htpasswd`
```java
@HtpasswdAuthOptions(path = ".htpasswd", plainTextEnabled = false)
package com.example.auth;
```
**Env overrides:** `VERTX_AUTH_HTPASSWD_PATH`, `VERTX_AUTH_HTPASSWD_PLAIN_TEXT_ENABLED`
**Guice binding:** `HtpasswdAuth`
**AuthN only.**
### htdigest — `@HtdigestAuthOptions`
**Dependency:** `io.vertx:vertx-auth-htdigest`
**Module:** `requires io.vertx.auth.htdigest;`
**Annotation package:** `com.guicedee.vertx.auth.htdigest`
```java
@HtdigestAuthOptions(path = ".htdigest")
package com.example.auth;
```
**Env override:** `VERTX_AUTH_HTDIGEST_PATH`
**Guice binding:** `HtdigestAuth`
**AuthN only.**
## Core Auth — `@AuthOptions`
The base annotation for ChainAuth configuration, KeyStore, PEM keys, and PRNG:
```java
@AuthOptions(
chainMode = AuthOptions.ChainMode.ANY,
keyStore = @AuthKeyStore(path = "keystore.pkcs12", type = "pkcs12", password = "changeit"),
pubSecKeys = {@AuthPubSecKey(algorithm = "RS256", path = "/path/to/public.pem")},
prngAlgorithm = "SHA1PRNG",
leeway = 5
)
package com.example.auth;
```
**Guice bindings:** `AuthenticationProvider`, `ChainAuth`, `AuthorizationProvider`, `Set<AuthorizationProvider>`, `VertxContextPRNG`, `KeyStoreOptions`, `Set<PubSecKeyOptions>`
## SPI Extension Points
| SPI | Purpose | Registration |
|---|---|---|
| `IGuicedAuthenticationProvider` | Custom AuthN provider | `provides IGuicedAuthenticationProvider with MyProvider;` |
| `IGuicedAuthorizationProvider` | Custom AuthZ provider | `provides IGuicedAuthorizationProvider with MyProvider;` |
| `IAbacPolicyProvider` | Programmatic ABAC policies | `provides IAbacPolicyProvider with MyPolicies;` |
| `IOtpAuthenticatorService` | OTP storage callbacks | `provides IOtpAuthenticatorService with MyOtpService;` |
## Jakarta Security Annotations
Apply to REST resource classes/methods:
```java
@Path("/api/admin")
@RolesAllowed({"admin", "super-admin"})
public class AdminResource {
@GET @Path("/users")
public List<User> listUsers() { ... }
@DELETE @Path("/users/{id}")
@RolesAllowed("super-admin")
public void deleteUser(@PathParam("id") String id) { ... }
@GET @Path("/health")
@PermitAll
public String health() { return "OK"; }
}
```
## Three-Tier Configuration
1. **Annotation defaults** — in code
2. **Environment variables** — deploy-time override (`VERTX_AUTH_*`)
3. **SPI hooks** — programmatic control
All string attributes support `${ENV_VAR}` placeholders.
## Non-Negotiable Constraints
- Auth providers are **opt-in** — only activated when their annotation is found.
- Each provider's Vert.x dependency must be on the module path.
- Module must `requires static` the auth module (e.g., `requires io.vertx.auth.jwt;`).
- SPI implementations must be dual-registered (`module-info.java` provides + `META-INF/services/`).
- Auth packages must `opens` to `com.google.guice` and `com.fasterxml.jackson.databind`.
- OTP **requires** `IOtpAuthenticatorService` SPI — no storage = no auth.
- `@RolesAllowed` only works on REST resources when the `rest` module is present.Related Skills
guicedee-websockets
RFC 6455 WebSocket support for GuicedEE using Vert.x 5: call-scoped connections, action-based message routing via IWebSocketMessageReceiver SPI, group management and broadcasting, WebSocketServerOptions, and lifecycle hooks. Use when adding WebSocket messaging, implementing real-time communication, managing WebSocket groups, or creating message receivers.
guicedee-webservices
SOAP web services for GuicedEE using Apache CXF conventions: JAX-WS annotations (@WebService, @WebMethod, @WebParam, @WebResult), code-first and WSDL-first approaches, endpoint publishing, CXF interceptors and logging, MTOM, WS-Security (WSS4J), SOAP 1.1/1.2 bindings, and Guice DI integration. Use when creating SOAP services, publishing JAX-WS endpoints, configuring CXF bindings, or adding WS-Security.
guicedee-web
Bootstrap reactive HTTP/HTTPS servers with Vert.x 5 inside GuicedEE: Router setup, BodyHandler configuration, TLS/HTTPS, SPI extension points (VertxRouterConfigurator, VertxHttpServerOptionsConfigurator, VertxHttpServerConfigurator), per-verticle sub-routers, and environment-driven configuration. Use when setting up the Vert.x web server, configuring HTTP/HTTPS, adding custom routes or middleware, or managing server options.
guicedee-vertx
Build reactive services using Vert.x 5 inside the GuicedEE DI lifecycle: event-bus consumers, publishers, verticle deployment, codecs, throttling, clustering, SPI hooks, and JPMS module setup. Use when adding Vert.x event-bus messaging, deploying verticles, wiring reactive endpoints with Guice injection, configuring Vert.x runtime options, or implementing custom codecs and cluster managers.
guicedee-service-registry
Named service registry with health-aware resolution for GuicedEE. Register services by simple name, auto-construct URLs from cloud DNS suffix, monitor health status, resolve services via registry:name prefix or bare name in rest-client @Endpoint. Supports aliases, multiple external URLs, Kubernetes internal URLs, and per-service health paths. Use when registering named services, checking service health, resolving service URLs by name, or integrating with rest-client for service-to-service calls.
guicedee-rest
Build Jakarta REST (JAX-RS) services on Vert.x 5 inside GuicedEE: @Path/@GET/@POST route registration, parameter binding (@PathParam, @QueryParam, @HeaderParam, etc.), Guice-managed resource classes, response handling, content negotiation, and JPMS module setup. Use when creating REST endpoints, configuring Jakarta REST resources, or wiring JAX-RS services with Guice injection.
guicedee-rest-client
Annotation-driven REST client for GuicedEE using Vert.x 5 WebClient: @Endpoint declarations, RestClient<Send, Receive> injection, authentication strategies (Bearer, Basic, API Key, OAuth2, mTLS), path parameters, environment variable overrides, package-level endpoints, service registry integration (bare name or registry: prefix), and RestClientConfigurator SPI. Use when making outbound REST calls, configuring REST client endpoints, or wiring reactive HTTP clients with Guice injection.
guicedee-rabbitmq
Annotation-driven RabbitMQ integration for GuicedEE with Vert.x 5: @RabbitConnectionOptions, @QueueExchange, @QueueDefinition, QueueConsumer/QueuePublisher injection, exchange management, queue options (priority, TTL, prefetch), publisher confirms, environment variable overrides, and verticle-scoped connections. Use when adding RabbitMQ messaging, declaring exchanges and queues, creating consumers and publishers, or configuring AMQP topology.
guicedee-persistence
Reactive JPA persistence with Hibernate Reactive 7, Vert.x 5 SQL clients, and Mutiny sessions inside GuicedEE: DatabaseModule setup, persistence.xml configuration, multi-database support, @EntityManager scoping, and environment variable resolution. Use when adding database persistence, configuring Hibernate Reactive, creating DatabaseModule subclasses, wiring Mutiny.SessionFactory, or managing multiple persistence units.
guicedee-openapi
Automatic OpenAPI 3.1 spec generation and serving for GuicedEE with Vert.x 5: scans Jakarta REST resources at startup, serves /openapi.json and /openapi.yaml endpoints, Swagger annotations support, @OpenAPIDefinition configuration, and companion Swagger UI module. Use when generating API documentation, serving OpenAPI specs, or configuring Swagger annotations on REST resources.
guicedee-metrics
Application metrics for GuicedEE using Vert.x 5 Dropwizard Metrics and MicroProfile Metrics 5.1: @Counted, @Timed, @MetricMethod annotations, Guice AOP interceptors, Prometheus scrape endpoint, Graphite reporting, JMX exposure, @MetricsOptions configuration, environment variable overrides, and Vert.x built-in metrics (event bus, HTTP, pools). Use when adding application metrics, configuring Prometheus endpoints, creating custom counters/timers, or monitoring Vert.x internals.
guicedee-mail-client
Annotation-driven SMTP mail client for GuicedEE with Vert.x 5: @MailConnectionOptions for SMTP server configuration, MailService injection for sending text/HTML/multipart emails with attachments, connection pooling, StartTLS/SSL support, DKIM signing, environment variable overrides, and graceful shutdown. Use when sending emails via SMTP, configuring mail connections, or injecting mail services.