*/
    public static boolean hasActionRole(final String role) {
        final String[] roles;
        if (role.endsWith(FessAdminAction.VIEW)) {
            roles = new String[] { role, role.substring(0, role.length() - FessAdminAction.VIEW.length()) };
        } else {
            roles = new String[] { role };
        }

If you want to secure your API, there are several better things you can do, for example:

* Make sure you have well defined Pydantic models for your request bodies and responses.
* Configure any required permissions and roles using dependencies.
* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like pwdlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.

public class SearchEngineApiManager extends BaseApiManager {
    private static final String ADMIN_SERVER = "/admin/server_";

    private static final Logger logger = LogManager.getLogger(SearchEngineApiManager.class);

    /** Roles that are allowed to access the search engine API */
    protected String[] acceptedRoles = { "admin" };

    /**
     * Default constructor.
     * Initializes the API manager with the admin server path prefix.
     */

                if (fessConfig.isValidSearchLogPermissions(roles.toArray(new String[roles.size()]))) {
                    suggester.indexer()
                            .indexFromSearchWord(sb.toString(), fields.toArray(new String[fields.size()]),
                                    tags.toArray(new String[tags.size()]), roles.toArray(new String[roles.size()]), 1, langs);

    @Size(max = 1000)
    public String oicBaseUrl;

    /** OpenID Connect default groups. */
    @Size(max = 1000)
    public String oicDefaultGroups;

    /** OpenID Connect default roles. */
    @Size(max = 1000)
    public String oicDefaultRoles;

    /** SAML service provider base URL. */
    @Size(max = 1000)
    public String samlSpBaseUrl;

            public String getLdapAdminRoleBaseDn() {
                return "ou=roles,dc=example,dc=com";
            }
        };

        // Normal name
        assertEquals("cn=admin,ou=roles,dc=example,dc=com", fessConfig.getLdapAdminRoleSecurityPrincipal("admin"));

        // Asterisk injection attempt
        assertEquals("cn=admin\\2a,ou=roles,dc=example,dc=com", fessConfig.getLdapAdminRoleSecurityPrincipal("admin*"));
    }

    }

    @Test
    public void test_user_roles() {
        final User user = new User();
        assertNull(user.getRoles());

        final String[] roles = new String[] { "admin", "user" };
        user.setRoles(roles);
        assertNotNull(user.getRoles());
        assertEquals(2, user.getRoles().length);
        assertEquals("admin", user.getRoles()[0]);
        assertEquals("user", user.getRoles()[1]);

        }
        return map;
    }

    /**
     * Generates a unique document ID from the provided data map.
     * Constructs an ID string from URL, roles, and virtual hosts, then generates a hash.
     *
     * @param dataMap the document data map containing URL, roles, and virtual host information
     * @return a unique hashed ID string for the document
     */
    public String generateId(final Map<String, Object> dataMap) {

 * </pre>
 *
 * <h2>Optional Configuration</h2>
 * <pre>
 * # User attribute mapping
 * saml.attribute.group.name=groups
 * saml.attribute.role.name=roles
 *
 * # Default groups/roles for authenticated users
 * saml.default.groups=user
 * saml.default.roles=user
 * </pre>
 *
 * <h2>Security Settings (Production)</h2>
 * <p>For production environments, consider enabling these security features:</p>
 * <pre>

            doColumn("requestedAt");
        }

        public void columnResponseTime() {
            doColumn("responseTime");
        }

        public void columnRoles() {
            doColumn("roles");
        }

        public void columnSearchWord() {
            doColumn("searchWord");
        }

        public void columnUser() {
            doColumn("user");
        }