<label for="roles" class="col-sm-3 text-sm-right col-form-label"><la:message
                                            key="labels.roles"/></label>
                                    <div class="col-sm-9">
                                        <la:errors property="roles"/>
                                        <la:select styleId="roles" property="roles" multiple="true"

      },
      "gidNumber" : {
        "type" : "long"
      },
      "homeDirectory" : {
        "type" : "keyword"
      },
      "groups": {
        "type": "keyword"
      },
      "roles": {
        "type": "keyword"
      }
    }

                                        <th><la:message key="labels.roles"/></th>
                                        <td><c:forEach var="rt" varStatus="s"
                                                       items="${roleItems}">
                                            <c:forEach var="rtid" varStatus="s" items="${roles}">
                                                <c:if test="${rtid==rt.id}">

        final String jwtClaim = "{\"roles\":[\"admin\",\"user\"],\"groups\":[\"group1\",\"group2\"]}";
        final Map<String, Object> attributes = new HashMap<>();

        authenticator.parseJwtClaim(jwtClaim, attributes);

        assertTrue(attributes.get("roles") instanceof List);
        @SuppressWarnings("unchecked")
        final List<Object> roles = (List<Object>) attributes.get("roles");
        assertEquals(2, roles.size());

        if (password != null) {
            sourceMap.put("password", password);
        }
        if (groups != null) {
            sourceMap.put("groups", groups);
        }
        if (roles != null) {
            sourceMap.put("roles", roles);
        }
        if (attributes != null) {
            sourceMap.putAll(attributes);
        }
        return sourceMap;
    }

     * For admin actions, verifies that the user has appropriate admin roles or
     * meets the secured annotation requirements.
     *
     * @param resource the login handling resource to check permission for
     * @throws LoginRequiredException if login is required
     * @throws UserRoleLoginException if the user doesn't have required roles
     */
    @Override

If you want to secure your API, there are several better things you can do, for example:

* Make sure you have well defined Pydantic models for your request bodies and responses.
* Configure any required permissions and roles using dependencies.
* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like pwdlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.

                throw new WebApiException(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e);
            }
        }
    }

    /**
     * Sets the roles that are allowed to access the search engine API.
     *
     * @param acceptedRoles array of role names that can access the API
     */
    public void setAcceptedRoles(final String[] acceptedRoles) {
        this.acceptedRoles = acceptedRoles;
    }

    /**

          },
          "requestedAt" : {
            "type" : "date",
            "format" : "date_optional_time"
          },
          "responseTime" : {
            "type" : "long"
          },
          "roles" : {
            "type" : "keyword"
          },
          "searchWord" : {
            "type" : "keyword"
          },
          "user" : {
            "type" : "keyword"
          },
          "userAgent" : {

            public String getLdapAdminRoleBaseDn() {
                return "ou=roles,dc=example,dc=com";
            }
        };

        // Normal name
        assertEquals("cn=admin,ou=roles,dc=example,dc=com", fessConfig.getLdapAdminRoleSecurityPrincipal("admin"));

        // Asterisk injection attempt
        assertEquals("cn=admin\\2a,ou=roles,dc=example,dc=com", fessConfig.getLdapAdminRoleSecurityPrincipal("admin*"));
    }