remove current-subject from OpenAPI header specs, use Authorization instead (#164)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/164 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net>
2025-03-18 11:52:29 +01:00
parent 5ca0638319
commit eb9edf1cb1
100 changed files with 404 additions and 590 deletions
@@ -2,6 +2,8 @@ package net.hostsharing.hsadminng.config;

 import lombok.AllArgsConstructor;
 import lombok.SneakyThrows;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.filter.OncePerRequestFilter;

 import jakarta.servlet.FilterChain;
@@ -24,7 +26,8 @@ public class CasAuthenticationFilter extends OncePerRequestFilter {
        if (request.getHeader("authorization") != null) {
            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
            final var currentSubject = authenticator.authenticate(request);
-            authenticatedRequest.addHeader("current-subject", currentSubject);
+            final var authentication = new UsernamePasswordAuthenticationToken(currentSubject, null, null);
+            SecurityContextHolder.getContext().setAuthentication(authentication);
            filterChain.doFilter(authenticatedRequest, response);
        } else {
            filterChain.doFilter(request, response);
@@ -0,0 +1,14 @@
+package net.hostsharing.hsadminng.config;
+
+import lombok.SneakyThrows;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+public class FakeCasAuthenticator implements CasAuthenticator {
+
+    @Override
+    @SneakyThrows
+    public String authenticate(final HttpServletRequest httpRequest) {
+        return httpRequest.getHeader("Authorization").replaceAll("^Bearer ", "");
+    }
+}
@@ -2,11 +2,8 @@ package net.hostsharing.hsadminng.config;

 import io.micrometer.core.annotation.Timed;
 import lombok.SneakyThrows;
-import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.web.client.RestTemplate;
 import org.w3c.dom.Document;
@@ -16,7 +13,6 @@ import jakarta.servlet.http.HttpServletRequest;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import java.io.IOException;
-import java.util.function.Supplier;

 public class RealCasAuthenticator implements CasAuthenticator {

@@ -31,23 +27,6 @@ public class RealCasAuthenticator implements CasAuthenticator {
    @SneakyThrows
    @Timed("app.cas.authenticate")
    public String authenticate(final HttpServletRequest httpRequest) {
-        final var userName = StringUtils.isBlank(casServerUrl)
-                ? bypassCurrentSubject(httpRequest)
-                : casAuthentication(httpRequest);
-        final var authentication = new UsernamePasswordAuthenticationToken(userName, null, null);
-        SecurityContextHolder.getContext().setAuthentication(authentication);
-        return authentication.getName();
-    }
-
-    private static String bypassCurrentSubject(final HttpServletRequest httpRequest) {
-        final var userName = httpRequest.getHeader("authorization").replaceAll("^Bearer ", "");
-        System.err.println("CasAuthenticator.bypassCurrentSubject: " + userName);
-        return userName;
-    }
-
-    private String casAuthentication(final HttpServletRequest httpRequest)
-            throws SAXException, IOException, ParserConfigurationException {
-
        final var ticket = httpRequest.getHeader("authorization").replaceAll("^Bearer ", "");
        final var serviceTicket = ticket.startsWith("TGT-")
                ? fetchServiceTicket(ticket)
@@ -76,7 +55,7 @@ public class RealCasAuthenticator implements CasAuthenticator {
                "?service=" + serviceUrl +
                "&ticket=" + serviceTicket;

-        final var response = ((Supplier<String>) () -> restTemplate.getForObject(url, String.class)).get();
+        final var response = restTemplate.getForObject(url, String.class);

        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new java.io.ByteArrayInputStream(response.getBytes()));
@@ -93,8 +72,7 @@ public class RealCasAuthenticator implements CasAuthenticator {
        return verification.getElementsByTagName("cas:user").item(0).getTextContent();
    }

-    private String throwBadCredentialsException(final String message) {
+    private void throwBadCredentialsException(final String message) {
        throw new BadCredentialsException(message);
    }
-
 }
@@ -22,9 +22,6 @@ import jakarta.servlet.http.HttpServletResponse;
@SecurityScheme(type = SecuritySchemeType.HTTP, name = "casTicket", scheme = "bearer", bearerFormat = "CAS ticket", description = "CAS ticket", in = SecuritySchemeIn.HEADER)
 public class WebSecurityConfig {

-    private static final String[] PERMITTED_PATHS = new String[] { "/swagger-ui/**", "/v3/api-docs/**", "/actuator/**" };
-    private static final String[] AUTHENTICATED_PATHS = new String[] { "/api/**" };
-
    @Lazy
    @Autowired
    private CasAuthenticationFilter authenticationFilter;
@@ -34,8 +31,13 @@ public class WebSecurityConfig {
    public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(authorize -> authorize
-                        .requestMatchers(PERMITTED_PATHS).permitAll()
-                        .requestMatchers(AUTHENTICATED_PATHS).authenticated()
+                        .requestMatchers(
+                                "/swagger-ui/**",
+                                "/v3/api-docs/**",
+                                "/actuator/**",
+                                "/api/hs/hosting/asset-types/**"
+                        ).permitAll()
+                        .requestMatchers("/api/**").authenticated()
                        .anyRequest().denyAll()
                )
                .addFilterBefore(authenticationFilter, AuthenticationFilter.class)
@@ -51,11 +53,17 @@ public class WebSecurityConfig {
    }

    @Bean
-    @Profile("!test")
-    public CasAuthenticator casServiceTicketValidator() {
+    @Profile("realCasAuthenticator")
+    public CasAuthenticator realCasServiceTicketValidator() {
        return new RealCasAuthenticator();
    }

+    @Bean
+    @Profile("fakeCasAuthenticator")
+    public CasAuthenticator fakeCasServiceTicketValidator() {
+        return new FakeCasAuthenticator();
+    }
+
    @Bean
    public CasAuthenticationFilter authenticationFilter(final CasAuthenticator authenticator) {
        return new CasAuthenticationFilter(authenticator);
@@ -4,6 +4,7 @@ import lombok.AllArgsConstructor;
 import lombok.SneakyThrows;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.context.request.RequestContextHolder;
@@ -47,6 +48,12 @@ public class Context {
        define(toTask(request), toCurl(request), currentSubject, assumedRoles);
    }

+    @Transactional(propagation = MANDATORY)
+    public void assumeRoles(final String assumedRoles) {
+        final var currentSubject = SecurityContextHolder.getContext().getAuthentication().getName();
+        define(toTask(request), toCurl(request), currentSubject, assumedRoles);
+    }
+
    @Transactional(propagation = MANDATORY)
    public void define(
            final String currentTask,
@@ -21,12 +21,12 @@ public class HttpServletRequestWithCachedBody extends HttpServletRequestWrapper
    }

    @Override
-    public ServletInputStream getInputStream() throws IOException {
+    public ServletInputStream getInputStream() {
        return new HttpServletRequestBodyCache(this.cachedBody);
    }

    @Override
-    public BufferedReader getReader() throws IOException {
+    public BufferedReader getReader() {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(this.cachedBody);
        return new BufferedReader(new InputStreamReader(byteArrayInputStream));
    }
@@ -58,10 +58,9 @@ public class HsBookingItemController implements HsBookingItemsApi {
    @Transactional(readOnly = true)
    @Timed("app.bookingItems.api.getListOfBookingItemsByProjectUuid")
    public ResponseEntity<List<HsBookingItemResource>> getListOfBookingItemsByProjectUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID projectUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = bookingItemRepo.findAllByProjectUuid(projectUuid);

@@ -73,11 +72,10 @@ public class HsBookingItemController implements HsBookingItemsApi {
    @Transactional
    @Timed("app.bookingItems.api.postNewBookingItem")
    public ResponseEntity<HsBookingItemResource> postNewBookingItem(
-            final String currentSubject,
            final String assumedRoles,
            final HsBookingItemInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entityToSave = mapper.map(body, HsBookingItemRbacEntity.class, RESOURCE_TO_ENTITY_POSTMAPPER);
        final var saveProcessor = new BookingItemEntitySaveProcessor(em, entityToSave);
@@ -103,11 +101,10 @@ public class HsBookingItemController implements HsBookingItemsApi {
    @Transactional(readOnly = true)
    @Timed("app.bookingItems.api.getSingleBookingItemByUuid")
    public ResponseEntity<HsBookingItemResource> getSingleBookingItemByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID bookingItemUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = bookingItemRepo.findByUuid(bookingItemUuid);
        result.ifPresent(entity -> em.detach(entity)); // prevent further LAZY-loading
@@ -121,10 +118,9 @@ public class HsBookingItemController implements HsBookingItemsApi {
    @Transactional
    @Timed("app.bookingItems.api.deleteBookingIemByUuid")
    public ResponseEntity<Void> deleteBookingIemByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID bookingItemUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = bookingItemRepo.deleteByUuid(bookingItemUuid);
        return result == 0
@@ -136,12 +132,11 @@ public class HsBookingItemController implements HsBookingItemsApi {
    @Transactional
    @Timed("app.bookingItems.api.patchBookingItem")
    public ResponseEntity<HsBookingItemResource> patchBookingItem(
-            final String currentSubject,
            final String assumedRoles,
            final UUID bookingItemUuid,
            final HsBookingItemPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = bookingItemRepo.findByUuid(bookingItemUuid).orElseThrow();

@@ -42,10 +42,9 @@ public class HsBookingProjectController implements HsBookingProjectsApi {
    @Transactional(readOnly = true)
    @Timed("app.bookingProjects.api.getListOfBookingProjectsByDebitorUuid")
    public ResponseEntity<List<HsBookingProjectResource>> getListOfBookingProjectsByDebitorUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID debitorUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = bookingProjectRepo.findAllByDebitorUuid(debitorUuid);

@@ -57,11 +56,10 @@ public class HsBookingProjectController implements HsBookingProjectsApi {
    @Transactional
    @Timed("app.bookingProjects.api.postNewBookingProject")
    public ResponseEntity<HsBookingProjectResource> postNewBookingProject(
-            final String currentSubject,
            final String assumedRoles,
            final HsBookingProjectInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entityToSave = mapper.map(body, HsBookingProjectRbacEntity.class, RESOURCE_TO_ENTITY_POSTMAPPER);

@@ -80,11 +78,10 @@ public class HsBookingProjectController implements HsBookingProjectsApi {
    @Transactional(readOnly = true)
    @Timed("app.bookingProjects.api.getBookingProjectByUuid")
    public ResponseEntity<HsBookingProjectResource> getBookingProjectByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID bookingProjectUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = bookingProjectRepo.findByUuid(bookingProjectUuid);
        return result
@@ -97,10 +94,9 @@ public class HsBookingProjectController implements HsBookingProjectsApi {
    @Transactional
    @Timed("app.bookingProjects.api.deleteBookingIemByUuid")
    public ResponseEntity<Void> deleteBookingIemByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID bookingProjectUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = bookingProjectRepo.deleteByUuid(bookingProjectUuid);
        return result == 0
@@ -112,12 +108,11 @@ public class HsBookingProjectController implements HsBookingProjectsApi {
    @Transactional
    @Timed("app.bookingProjects.api.patchBookingProject")
    public ResponseEntity<HsBookingProjectResource> patchBookingProject(
-            final String currentSubject,
            final String assumedRoles,
            final UUID bookingProjectUuid,
            final HsBookingProjectPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = bookingProjectRepo.findByUuid(bookingProjectUuid).orElseThrow();

@@ -55,12 +55,11 @@ public class HsHostingAssetController implements HsHostingAssetsApi {
    @Transactional(readOnly = true)
    @Timed("app.hosting.assets.api.getListOfHostingAssets")
    public ResponseEntity<List<HsHostingAssetResource>> getListOfHostingAssets(
-            final String currentSubject,
            final String assumedRoles,
            final UUID debitorUuid,
            final UUID parentAssetUuid,
            final HsHostingAssetTypeResource type) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = rbacAssetRepo.findAllByCriteria(debitorUuid, parentAssetUuid, HsHostingAssetType.of(type));

@@ -73,11 +72,10 @@ public class HsHostingAssetController implements HsHostingAssetsApi {
    @Transactional
    @Timed("app.hosting.assets.api.postNewHostingAsset")
    public ResponseEntity<HsHostingAssetResource> postNewHostingAsset(
-            final String currentSubject,
            final String assumedRoles,
            final HsHostingAssetInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entity = mapper.map(body, HsHostingAssetRbacEntity.class, RESOURCE_TO_ENTITY_POSTMAPPER);

@@ -102,11 +100,10 @@ public class HsHostingAssetController implements HsHostingAssetsApi {
    @Transactional(readOnly = true)
    @Timed("app.hosting.assets.api.getSingleHostingAssetByUuid")
    public ResponseEntity<HsHostingAssetResource> getSingleHostingAssetByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID assetUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = rbacAssetRepo.findByUuid(assetUuid);
        return result
@@ -119,10 +116,9 @@ public class HsHostingAssetController implements HsHostingAssetsApi {
    @Transactional
    @Timed("app.hosting.assets.api.deleteHostingAssetByUuid")
    public ResponseEntity<Void> deleteHostingAssetByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID assetUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = rbacAssetRepo.deleteByUuid(assetUuid);
        return result == 0
@@ -134,12 +130,11 @@ public class HsHostingAssetController implements HsHostingAssetsApi {
    @Transactional
    @Timed("app.hosting.assets.api.patchHostingAsset")
    public ResponseEntity<HsHostingAssetResource> patchHostingAsset(
-            final String currentSubject,
            final String assumedRoles,
            final UUID assetUuid,
            final HsHostingAssetPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entity = rbacAssetRepo.findByUuid(assetUuid).orElseThrow();

@@ -35,10 +35,9 @@ public class HsOfficeBankAccountController implements HsOfficeBankAccountsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.bankAccounts.api.patchDebitor")
    public ResponseEntity<List<HsOfficeBankAccountResource>> getListOfBankAccounts(
-            final String currentSubject,
            final String assumedRoles,
            final String holder) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = bankAccountRepo.findByOptionalHolderLike(holder);

@@ -50,11 +49,10 @@ public class HsOfficeBankAccountController implements HsOfficeBankAccountsApi {
    @Transactional
    @Timed("app.office.bankAccounts.api.postNewBankAccount")
    public ResponseEntity<HsOfficeBankAccountResource> postNewBankAccount(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficeBankAccountInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        IbanUtil.validate(body.getIban());
        BicUtil.validate(body.getBic());
@@ -77,11 +75,10 @@ public class HsOfficeBankAccountController implements HsOfficeBankAccountsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.bankAccounts.api.getSingleBankAccountByUuid")
    public ResponseEntity<HsOfficeBankAccountResource> getSingleBankAccountByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID bankAccountUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = bankAccountRepo.findByUuid(bankAccountUuid);
        if (result.isEmpty()) {
@@ -94,10 +91,9 @@ public class HsOfficeBankAccountController implements HsOfficeBankAccountsApi {
    @Transactional
    @Timed("app.office.bankAccounts.api.deleteBankAccountByUuid")
    public ResponseEntity<Void> deleteBankAccountByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID BankAccountUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = bankAccountRepo.deleteByUuid(BankAccountUuid);
        if (result == 0) {
@@ -48,11 +48,10 @@ public class HsOfficeContactController implements HsOfficeContactsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.contacts.api.getListOfContacts")
    public ResponseEntity<List<HsOfficeContactResource>> getListOfContacts(
-            final String currentSubject,
            final String assumedRoles,
            final String caption,
            final String emailAddress) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        validate("caption, emailAddress").atMaxOne(caption, emailAddress);
        final var entities = emailAddress != null
@@ -67,11 +66,10 @@ public class HsOfficeContactController implements HsOfficeContactsApi {
    @Transactional
    @Timed("app.office.contacts.api.postNewContact")
    public ResponseEntity<HsOfficeContactResource> postNewContact(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficeContactInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entityToSave = mapper.map(body, HsOfficeContactRbacEntity.class);

@@ -90,11 +88,10 @@ public class HsOfficeContactController implements HsOfficeContactsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.contacts.api.getSingleContactByUuid")
    public ResponseEntity<HsOfficeContactResource> getSingleContactByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID contactUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = contactRepo.findByUuid(contactUuid);
        if (result.isEmpty()) {
@@ -107,10 +104,9 @@ public class HsOfficeContactController implements HsOfficeContactsApi {
    @Transactional
    @Timed("app.office.contacts.api.deleteContactByUuid")
    public ResponseEntity<Void> deleteContactByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID contactUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = contactRepo.deleteByUuid(contactUuid);
        if (result == 0) {
@@ -124,12 +120,11 @@ public class HsOfficeContactController implements HsOfficeContactsApi {
    @Transactional
    @Timed("app.office.contacts.api.patchContact")
    public ResponseEntity<HsOfficeContactResource> patchContact(
-            final String currentSubject,
            final String assumedRoles,
            final UUID contactUuid,
            final HsOfficeContactPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = contactRepo.findByUuid(contactUuid).orElseThrow();

@@ -60,12 +60,11 @@ public class HsOfficeCoopAssetsTransactionController implements HsOfficeCoopAsse
    @Transactional(readOnly = true)
    @Timed("app.office.coopAssets.api.getListOfCoopAssets")
    public ResponseEntity<List<HsOfficeCoopAssetsTransactionResource>> getListOfCoopAssets(
-            final String currentSubject,
            final String assumedRoles,
            final UUID membershipUuid,
            final @DateTimeFormat(iso = ISO.DATE) LocalDate fromValueDate,
            final @DateTimeFormat(iso = ISO.DATE) LocalDate toValueDate) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = coopAssetsTransactionRepo.findCoopAssetsTransactionByOptionalMembershipUuidAndDateRange(
                membershipUuid,
@@ -83,11 +82,10 @@ public class HsOfficeCoopAssetsTransactionController implements HsOfficeCoopAsse
    @Transactional
    @Timed("app.office.coopAssets.api.postNewCoopAssetTransaction")
    public ResponseEntity<HsOfficeCoopAssetsTransactionResource> postNewCoopAssetTransaction(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficeCoopAssetsTransactionInsertResource requestBody) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);
        validate(requestBody);

        final var entityToSave = mapper.map(
@@ -109,9 +107,9 @@ public class HsOfficeCoopAssetsTransactionController implements HsOfficeCoopAsse
    @Transactional(readOnly = true)
    @Timed("app.office.coopAssets.api.getSingleCoopAssetTransactionByUuid")
    public ResponseEntity<HsOfficeCoopAssetsTransactionResource> getSingleCoopAssetTransactionByUuid(
-            final String currentSubject, final String assumedRoles, final UUID assetTransactionUuid) {
+            final String assumedRoles, final UUID assetTransactionUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = coopAssetsTransactionRepo.findByUuid(assetTransactionUuid);
        if (result.isEmpty()) {
@@ -47,12 +47,11 @@ public class HsOfficeCoopSharesTransactionController implements HsOfficeCoopShar
    @Transactional(readOnly = true)
    @Timed("app.office.coopShares.api.getListOfCoopShares")
    public ResponseEntity<List<HsOfficeCoopSharesTransactionResource>> getListOfCoopShares(
-            final String currentSubject,
            final String assumedRoles,
            final UUID membershipUuid,
            final @DateTimeFormat(iso = ISO.DATE) LocalDate fromValueDate,
            final @DateTimeFormat(iso = ISO.DATE) LocalDate toValueDate) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(
                membershipUuid,
@@ -70,11 +69,10 @@ public class HsOfficeCoopSharesTransactionController implements HsOfficeCoopShar
    @Transactional
    @Timed("app.office.coopShares.repo.postNewCoopSharesTransaction")
    public ResponseEntity<HsOfficeCoopSharesTransactionResource> postNewCoopSharesTransaction(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficeCoopSharesTransactionInsertResource requestBody) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);
        validate(requestBody);

        final var entityToSave = mapper.map(
@@ -97,9 +95,9 @@ public class HsOfficeCoopSharesTransactionController implements HsOfficeCoopShar
    @Transactional(readOnly = true)
    @Timed("app.office.coopShares.repo.getSingleCoopShareTransactionByUuid")
    public ResponseEntity<HsOfficeCoopSharesTransactionResource> getSingleCoopShareTransactionByUuid(
-            final String currentSubject, final String assumedRoles, final UUID shareTransactionUuid) {
+            final String assumedRoles, final UUID shareTransactionUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = coopSharesTransactionRepo.findByUuid(shareTransactionUuid);
        if (result.isEmpty()) {
@@ -64,12 +64,11 @@ public class HsOfficeDebitorController implements HsOfficeDebitorsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.debitors.api.getListOfDebitors")
    public ResponseEntity<List<HsOfficeDebitorResource>> getListOfDebitors(
-            final String currentSubject,
            final String assumedRoles,
            final String name,
            final UUID partnerUuid,
            final String partnerNumber) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = partnerNumber != null
                ? debitorRepo.findDebitorsByPartnerNumber(cropTag("P-", partnerNumber))
@@ -85,11 +84,10 @@ public class HsOfficeDebitorController implements HsOfficeDebitorsApi {
    @Transactional
    @Timed("app.office.debitors.api.postNewDebitor")
    public ResponseEntity<HsOfficeDebitorResource> postNewDebitor(
-            String currentSubject,
            String assumedRoles,
            HsOfficeDebitorInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        Validate.isTrue(
                body.getDebitorRel() == null || body.getDebitorRelUuid() == null,
@@ -118,11 +116,10 @@ public class HsOfficeDebitorController implements HsOfficeDebitorsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.debitors.api.getSingleDebitorByUuid")
    public ResponseEntity<HsOfficeDebitorResource> getSingleDebitorByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID debitorUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = debitorRepo.findByUuid(debitorUuid);
        if (result.isEmpty()) {
@@ -135,11 +132,10 @@ public class HsOfficeDebitorController implements HsOfficeDebitorsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.debitors.api.getSingleDebitorByDebitorNumber")
    public ResponseEntity<HsOfficeDebitorResource> getSingleDebitorByDebitorNumber(
-            final String currentSubject,
            final String assumedRoles,
            final Integer debitorNumber) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = debitorRepo.findDebitorByDebitorNumber(debitorNumber);
        if (result.isEmpty()) {
@@ -152,10 +148,9 @@ public class HsOfficeDebitorController implements HsOfficeDebitorsApi {
    @Transactional
    @Timed("app.office.debitors.api.deleteDebitorByUuid")
    public ResponseEntity<Void> deleteDebitorByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID debitorUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = debitorRepo.deleteByUuid(debitorUuid);
        if (result == 0) {
@@ -169,12 +164,11 @@ public class HsOfficeDebitorController implements HsOfficeDebitorsApi {
    @Transactional
    @Timed("app.office.debitors.api.patchDebitor")
    public ResponseEntity<HsOfficeDebitorResource> patchDebitor(
-            final String currentSubject,
            final String assumedRoles,
            final UUID debitorUuid,
            final HsOfficeDebitorPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = debitorRepo.findByUuid(debitorUuid).orElseThrow().reload(em);

@@ -44,11 +44,10 @@ public class HsOfficeMembershipController implements HsOfficeMembershipsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.membership.api.getListOfMemberships")
    public ResponseEntity<List<HsOfficeMembershipResource>> getListOfMemberships(
-            final String currentSubject,
            final String assumedRoles,
            final UUID partnerUuid,
            final String partnerNumber) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        validate("partnerUuid, partnerNumber").atMaxOne(partnerUuid, partnerNumber);

@@ -69,11 +68,10 @@ public class HsOfficeMembershipController implements HsOfficeMembershipsApi {
    @Transactional
    @Timed("app.office.membership.api.postNewMembership")
    public ResponseEntity<HsOfficeMembershipResource> postNewMembership(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficeMembershipInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entityToSave = mapper.map(body, HsOfficeMembershipEntity.class, SEPA_MANDATE_RESOURCE_TO_ENTITY_POSTMAPPER);

@@ -94,11 +92,10 @@ public class HsOfficeMembershipController implements HsOfficeMembershipsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.membership.api.getSingleMembershipByUuid")
    public ResponseEntity<HsOfficeMembershipResource> getSingleMembershipByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID membershipUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = membershipRepo.findByUuid(membershipUuid);
        if (result.isEmpty()) {
@@ -113,11 +110,10 @@ public class HsOfficeMembershipController implements HsOfficeMembershipsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.membership.api.getSingleMembershipByMembershipNumber")
    public ResponseEntity<HsOfficeMembershipResource> getSingleMembershipByMembershipNumber(
-            final String currentSubject,
            final String assumedRoles,
            final Integer membershipNumber) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = membershipRepo.findMembershipByMemberNumber(membershipNumber);
        if (result.isEmpty()) {
@@ -132,10 +128,9 @@ public class HsOfficeMembershipController implements HsOfficeMembershipsApi {
    @Transactional
    @Timed("app.office.membership.api.deleteMembershipByUuid")
    public ResponseEntity<Void> deleteMembershipByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID membershipUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = membershipRepo.deleteByUuid(membershipUuid);
        if (result == 0) {
@@ -149,12 +144,11 @@ public class HsOfficeMembershipController implements HsOfficeMembershipsApi {
    @Transactional
    @Timed("app.office.membership.api.patchMembership")
    public ResponseEntity<HsOfficeMembershipResource> patchMembership(
-            final String currentSubject,
            final String assumedRoles,
            final UUID membershipUuid,
            final HsOfficeMembershipPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = membershipRepo.findByUuid(membershipUuid).orElseThrow();

@@ -66,10 +66,9 @@ public class HsOfficePartnerController implements HsOfficePartnersApi {
    @Transactional(readOnly = true)
    @Timed("app.office.partners.api.getListOfPartners")
    public ResponseEntity<List<HsOfficePartnerResource>> getListOfPartners(
-            final String currentSubject,
            final String assumedRoles,
            final String name) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = rbacPartnerRepo.findPartnerByOptionalNameLike(name);

@@ -81,11 +80,10 @@ public class HsOfficePartnerController implements HsOfficePartnersApi {
    @Transactional
    @Timed("app.office.partners.api.postNewPartner")
    public ResponseEntity<HsOfficePartnerResource> postNewPartner(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficePartnerInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entityToSave = createPartnerEntity(body);

@@ -104,11 +102,10 @@ public class HsOfficePartnerController implements HsOfficePartnersApi {
    @Transactional(readOnly = true)
    @Timed("app.office.partners.api.getSinglePartnerByUuid")
    public ResponseEntity<HsOfficePartnerResource> getSinglePartnerByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID partnerUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = rbacPartnerRepo.findByUuid(partnerUuid);
        if (result.isEmpty()) {
@@ -122,11 +119,10 @@ public class HsOfficePartnerController implements HsOfficePartnersApi {
    @Transactional(readOnly = true)
    @Timed("app.office.partners.api.getSinglePartnerByPartnerNumber")
    public ResponseEntity<HsOfficePartnerResource> getSinglePartnerByPartnerNumber(
-            final String currentSubject,
            final String assumedRoles,
            final Integer partnerNumber) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = rbacPartnerRepo.findPartnerByPartnerNumber(partnerNumber);
        if (result.isEmpty()) {
@@ -140,10 +136,9 @@ public class HsOfficePartnerController implements HsOfficePartnersApi {
    @Transactional
    @Timed("app.office.partners.api.deletePartnerByUuid")
    public ResponseEntity<Void> deletePartnerByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID partnerUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var partnerToDelete = rbacPartnerRepo.findByUuid(partnerUuid);
        if (partnerToDelete.isEmpty()) {
@@ -161,12 +156,11 @@ public class HsOfficePartnerController implements HsOfficePartnersApi {
    @Transactional
    @Timed("app.office.partners.api.patchPartner")
    public ResponseEntity<HsOfficePartnerResource> patchPartner(
-            final String currentSubject,
            final String assumedRoles,
            final UUID partnerUuid,
            final HsOfficePartnerPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = rbacPartnerRepo.findByUuid(partnerUuid).orElseThrow();
        final var previousPartnerPerson = current.getPartnerRel().getHolder();
@@ -34,10 +34,9 @@ public class HsOfficePersonController implements HsOfficePersonsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.persons.api.getListOfPersons")
    public ResponseEntity<List<HsOfficePersonResource>> getListOfPersons(
-            final String currentSubject,
            final String assumedRoles,
            final String name) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = personRepo.findPersonByOptionalNameLike(name);

@@ -49,11 +48,10 @@ public class HsOfficePersonController implements HsOfficePersonsApi {
    @Transactional
    @Timed("app.office.persons.api.postNewPerson")
    public ResponseEntity<HsOfficePersonResource> postNewPerson(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficePersonInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entityToSave = mapper.map(body, HsOfficePersonRbacEntity.class);

@@ -72,11 +70,10 @@ public class HsOfficePersonController implements HsOfficePersonsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.persons.api.getSinglePersonByUuid")
    public ResponseEntity<HsOfficePersonResource> getSinglePersonByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID personUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = personRepo.findByUuid(personUuid);
        if (result.isEmpty()) {
@@ -89,10 +86,9 @@ public class HsOfficePersonController implements HsOfficePersonsApi {
    @Transactional
    @Timed("app.office.persons.api.deletePersonByUuid")
    public ResponseEntity<Void> deletePersonByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID personUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = personRepo.deleteByUuid(personUuid);
        if (result == 0) {
@@ -106,12 +102,11 @@ public class HsOfficePersonController implements HsOfficePersonsApi {
    @Transactional
    @Timed("app.office.persons.api.patchPerson")
    public ResponseEntity<HsOfficePersonResource> patchPerson(
-            final String currentSubject,
            final String assumedRoles,
            final UUID personUuid,
            final HsOfficePersonPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = personRepo.findByUuid(personUuid).orElseThrow();

@@ -52,14 +52,13 @@ public class HsOfficeRelationController implements HsOfficeRelationsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.relations.api.getListOfRelations")
    public ResponseEntity<List<HsOfficeRelationResource>> getListOfRelations(
-            final String currentSubject,
            final String assumedRoles,
            final UUID personUuid,
            final HsOfficeRelationTypeResource relationType,
            final String mark,
            final String personData,
            final String contactData) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final List<HsOfficeRelationRbacEntity> entities =
                rbacRelationRepo.findRelationRelatedToPersonUuidRelationTypeMarkPersonAndContactData(
@@ -76,11 +75,10 @@ public class HsOfficeRelationController implements HsOfficeRelationsApi {
    @Transactional
    @Timed("app.office.relations.api.postNewRelation")
    public ResponseEntity<HsOfficeRelationResource> postNewRelation(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficeRelationInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entityToSave = new HsOfficeRelationRbacEntity();
        entityToSave.setType(HsOfficeRelationType.valueOf(body.getType()));
@@ -128,11 +126,10 @@ public class HsOfficeRelationController implements HsOfficeRelationsApi {
    @Transactional(readOnly = true)
    @Timed("app.office.relations.api.getSingleRelationByUuid")
    public ResponseEntity<HsOfficeRelationResource> getSingleRelationByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID relationUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = rbacRelationRepo.findByUuid(relationUuid);
        if (result.isEmpty()) {
@@ -145,10 +142,9 @@ public class HsOfficeRelationController implements HsOfficeRelationsApi {
    @Transactional
    @Timed("apprelations.api..deleteRelationByUuid")
    public ResponseEntity<Void> deleteRelationByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID relationUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = rbacRelationRepo.deleteByUuid(relationUuid);
        if (result == 0) {
@@ -162,12 +158,11 @@ public class HsOfficeRelationController implements HsOfficeRelationsApi {
    @Transactional
    @Timed("app.office.relations.api.patchRelation")
    public ResponseEntity<HsOfficeRelationResource> patchRelation(
-            final String currentSubject,
            final String assumedRoles,
            final UUID relationUuid,
            final HsOfficeRelationContactPatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = rbacRelationRepo.findByUuid(relationUuid).orElseThrow();

@@ -52,10 +52,9 @@ public class HsOfficeSepaMandateController implements HsOfficeSepaMandatesApi {
    @Transactional(readOnly = true)
    @Timed("app.office.sepaMandates.api.getListOfSepaMandates")
    public ResponseEntity<List<HsOfficeSepaMandateResource>> getListOfSepaMandates(
-            final String currentSubject,
            final String assumedRoles,
            final String iban) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entities = sepaMandateRepo.findSepaMandateByOptionalIban(iban);

@@ -68,11 +67,10 @@ public class HsOfficeSepaMandateController implements HsOfficeSepaMandatesApi {
    @Transactional
    @Timed("app.office.sepaMandates.api.postNewSepaMandate")
    public ResponseEntity<HsOfficeSepaMandateResource> postNewSepaMandate(
-            final String currentSubject,
            final String assumedRoles,
            final HsOfficeSepaMandateInsertResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var entityToSave = mapper.map(body, HsOfficeSepaMandateEntity.class, SEPA_MANDATE_RESOURCE_TO_ENTITY_POSTMAPPER);

@@ -92,11 +90,10 @@ public class HsOfficeSepaMandateController implements HsOfficeSepaMandatesApi {
    @Transactional(readOnly = true)
    @Timed("app.office.sepaMandates.api.getSingleSepaMandateByUuid")
    public ResponseEntity<HsOfficeSepaMandateResource> getSingleSepaMandateByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID sepaMandateUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = sepaMandateRepo.findByUuid(sepaMandateUuid);
        if (result.isEmpty()) {
@@ -110,10 +107,9 @@ public class HsOfficeSepaMandateController implements HsOfficeSepaMandatesApi {
    @Transactional
    @Timed("app.office.sepaMandates.api.deleteSepaMandateByUuid")
    public ResponseEntity<Void> deleteSepaMandateByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID sepaMandateUuid) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = sepaMandateRepo.deleteByUuid(sepaMandateUuid);
        if (result == 0) {
@@ -127,12 +123,11 @@ public class HsOfficeSepaMandateController implements HsOfficeSepaMandatesApi {
    @Transactional
    @Timed("app.office.sepaMandates.api.patchSepaMandate")
    public ResponseEntity<HsOfficeSepaMandateResource> patchSepaMandate(
-            final String currentSubject,
            final String assumedRoles,
            final UUID sepaMandateUuid,
            final HsOfficeSepaMandatePatchResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = sepaMandateRepo.findByUuid(sepaMandateUuid).orElseThrow();

@@ -1,12 +1,12 @@
 package net.hostsharing.hsadminng.ping;

+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;

-import jakarta.validation.constraints.NotNull;

@Controller
 public class PingController {
@@ -14,9 +14,8 @@ public class PingController {
    @ResponseBody
    @RequestMapping(value = "/api/ping", method = RequestMethod.GET)
    public String ping(
-            @RequestHeader(name = "current-subject") @NotNull String currentSubject,
            @RequestHeader(name = "assumed-roles", required = false) String assumedRoles
    ) {
-        return "pong " + currentSubject + "\n";
+        return "pong " + SecurityContextHolder.getContext().getAuthentication().getName() + "\n";
    }
 }
@@ -37,12 +37,11 @@ public class RbacGrantController implements RbacGrantsApi {
    @Transactional(readOnly = true)
    @Timed("app.rbac.grants.api.getListOfGrantsByUuid")
    public ResponseEntity<RbacGrantResource> getListOfGrantsByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID grantedRoleUuid,
            final UUID granteeSubjectUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var id = new RbacGrantId(granteeSubjectUuid, grantedRoleUuid);
        final var result = rbacGrantRepository.findById(id);
@@ -56,10 +55,9 @@ public class RbacGrantController implements RbacGrantsApi {
    @Transactional(readOnly = true)
    @Timed("app.rbac.grants.api.getListOfSubjectGrants")
    public ResponseEntity<List<RbacGrantResource>> getListOfSubjectGrants(
-            final String currentSubject,
            final String assumedRoles) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        return ResponseEntity.ok(mapper.mapList(rbacGrantRepository.findAll(), RbacGrantResource.class));
    }
@@ -68,11 +66,10 @@ public class RbacGrantController implements RbacGrantsApi {
    @Transactional
    @Timed("app.rbac.grants.api.postNewRoleGrantToSubject")
    public ResponseEntity<RbacGrantResource> postNewRoleGrantToSubject(
-            final String currentSubject,
            final String assumedRoles,
            final RbacGrantResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var granted = rbacGrantRepository.save(mapper.map(body, RbacGrantEntity.class));
        em.flush();
@@ -90,12 +87,11 @@ public class RbacGrantController implements RbacGrantsApi {
    @Transactional
    @Timed("app.rbac.grants.api.deleteRoleGrantFromSubject")
    public ResponseEntity<Void> deleteRoleGrantFromSubject(
-            final String currentSubject,
            final String assumedRoles,
            final UUID grantedRoleUuid,
            final UUID granteeSubjectUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeSubjectUuid, grantedRoleUuid));

@@ -30,10 +30,9 @@ public class RbacRoleController implements RbacRolesApi {
    @Transactional(readOnly = true)
    @Timed("app.rbac.roles.api.getListOfRoles")
    public ResponseEntity<List<RbacRoleResource>> getListOfRoles(
-            final String currentSubject,
            final String assumedRoles) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final List<RbacRoleEntity> result = rbacRoleRepository.findAll();

@@ -44,7 +44,7 @@ public class RbacSubjectController implements RbacSubjectsApi {
        rbacSubjectRepository.create(saved);
        final var uri =
                MvcUriComponentsBuilder.fromController(getClass())
-                        .path("/api/rbac.yaml/users/{id}")
+                        .path("/api/rbac/subjects/{id}")
                        .buildAndExpand(saved.getUuid())
                        .toUri();
        return ResponseEntity.created(uri).body(mapper.map(saved, RbacSubjectResource.class));
@@ -54,11 +54,10 @@ public class RbacSubjectController implements RbacSubjectsApi {
    @Transactional
    @Timed("app.rbac.subjects.api.deleteSubjectByUuid")
    public ResponseEntity<Void> deleteSubjectByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID subjectUuid
    ) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        rbacSubjectRepository.deleteByUuid(subjectUuid);

@@ -69,11 +68,10 @@ public class RbacSubjectController implements RbacSubjectsApi {
    @Transactional(readOnly = true)
    @Timed("app.rbac.subjects.api.getSingleSubjectByUuid")
    public ResponseEntity<RbacSubjectResource> getSingleSubjectByUuid(
-            final String currentSubject,
            final String assumedRoles,
            final UUID subjectUuid) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = rbacSubjectRepository.findByUuid(subjectUuid);
        if (result == null) {
@@ -86,11 +84,10 @@ public class RbacSubjectController implements RbacSubjectsApi {
    @Transactional(readOnly = true)
    @Timed("app.rbac.subjects.api.getListOfSubjects")
    public ResponseEntity<List<RbacSubjectResource>> getListOfSubjects(
-            final String currentSubject,
            final String assumedRoles,
            final String userName
    ) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        return ResponseEntity.ok(mapper.mapList(rbacSubjectRepository.findByOptionalNameLike(userName), RbacSubjectResource.class));
    }
@@ -99,11 +96,10 @@ public class RbacSubjectController implements RbacSubjectsApi {
    @Transactional(readOnly = true)
    @Timed("app.rbac.subjects.api.getListOfSubjectPermissions")
    public ResponseEntity<List<RbacSubjectPermissionResource>> getListOfSubjectPermissions(
-            final String currentSubject,
            final String assumedRoles,
            final UUID subjectUuid
    ) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        return ResponseEntity.ok(mapper.mapList(
                rbacSubjectRepository.findPermissionsOfUserByUuid(subjectUuid),
@@ -34,11 +34,10 @@ public class TestCustomerController implements TestCustomersApi {
    @Override
    @Transactional(readOnly = true)
    public ResponseEntity<List<TestCustomerResource>> listCustomers(
-            String currentSubject,
            String assumedRoles,
            String prefix
    ) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(prefix);

@@ -48,11 +47,10 @@ public class TestCustomerController implements TestCustomersApi {
    @Override
    @Transactional
    public ResponseEntity<TestCustomerResource> addCustomer(
-            final String currentSubject,
            final String assumedRoles,
            final TestCustomerResource customer) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var saved = testCustomerRepository.save(mapper.map(customer, TestCustomerEntity.class));
        final var uri =
@@ -31,11 +31,10 @@ public class TestPackageController implements TestPackagesApi {
    @Override
    @Transactional(readOnly = true)
    public ResponseEntity<List<TestPackageResource>> listPackages(
-            String currentSubject,
            String assumedRoles,
            String name
    ) {
-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var result = testPackageRepository.findAllByOptionalNameLike(name);
        return ResponseEntity.ok(mapper.mapList(result, TestPackageResource.class));
@@ -44,12 +43,11 @@ public class TestPackageController implements TestPackagesApi {
    @Override
    @Transactional
    public ResponseEntity<TestPackageResource> updatePackage(
-            final String currentSubject,
            final String assumedRoles,
            final UUID packageUuid,
            final TestPackageUpdateResource body) {

-        context.define(currentSubject, assumedRoles);
+        context.assumeRoles(assumedRoles);

        final var current = testPackageRepository.findByUuid(packageUuid);
        OptionalFromJson.of(body.getDescription()).ifPresent(current::setDescription);
@@ -3,14 +3,6 @@ components:

    parameters:

-        currentSubject:
-            name: current-subject
-            in: header
-            required: false
-            schema:
-                type: string
-            description: Identifying name of the current subject (e.g. user).
-
        assumedRoles:
            name: assumed-roles
            in: header
@@ -1,20 +0,0 @@
-
-components:
-
-    parameters:
-
-        currentSubject:
-            name: current-subject
-            in: header
-            required: true
-            schema:
-                type: string
-            description: Identifying name of the currently logged in subject.
-
-        assumedRoles:
-            name: assumed-roles
-            in: header
-            required: false
-            schema:
-                type: string
-            description: Semicolon-separated list of roles to assume. The current subject needs to have the right to assume these roles.
@@ -0,0 +1 @@
+../auth.yaml
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single booking item its uuid, if visible for the current subject.'
    operationId: getSingleBookingItemByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: bookingItemUuid
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single booking item identified by its uuid, if permitted for the current subject.'
    operationId: patchBookingItem
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: bookingItemUuid
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single booking item identified by its uuid, if permitted for the current subject.'
    operationId: deleteBookingIemByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: bookingItemUuid
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-booking-items
    operationId: getListOfBookingItemsByProjectUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: projectUuid
          in: query
@@ -34,7 +33,6 @@ post:
        - hs-booking-items
    operationId: postNewBookingItem
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        description: A JSON object describing the new booking item.
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single booking project its uuid, if visible for the current subject.'
    operationId: getBookingProjectByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: bookingProjectUuid
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single booking project identified by its uuid, if permitted for the current subject.'
    operationId: patchBookingProject
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: bookingProjectUuid
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single booking project identified by its uuid, if permitted for the current subject.'
    operationId: deleteBookingIemByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: bookingProjectUuid
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-booking-projects
    operationId: getListOfBookingProjectsByDebitorUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: debitorUuid
          in: query
@@ -34,7 +33,6 @@ post:
        - hs-booking-projects
    operationId: postNewBookingProject
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        description: A JSON object describing the new booking project.
@@ -1,20 +0,0 @@
-
-components:
-
-    parameters:
-
-        currentSubject:
-            name: current-subject
-            in: header
-            required: true
-            schema:
-                type: string
-            description: Identifying name of the currently logged in subject.
-
-        assumedRoles:
-            name: assumed-roles
-            in: header
-            required: false
-            schema:
-                type: string
-            description: Semicolon-separated list of roles to assume. The current subject needs to have the right to assume these roles.
@@ -0,0 +1 @@
+../auth.yaml
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single managed asset by its uuid, if visible for the current subject.'
    operationId: getSingleHostingAssetByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: assetUuid
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single hosting asset identified by its uuid, if permitted for the current subject.'
    operationId: patchHostingAsset
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: assetUuid
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single hosting asset identified by its uuid, if permitted for the current subject.'
    operationId: deleteHostingAssetByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: assetUuid
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-hosting-assets
    operationId: getListOfHostingAssets
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: projectUuid
          in: query
@@ -47,7 +46,6 @@ post:
        - hs-hosting-assets
    operationId: postNewHostingAsset
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        description: A JSON object describing the new hosting asset.
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single bank account by its uuid, if visible for the current subject.'
    operationId: getSingleBankAccountByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: bankAccountUUID
          in: path
@@ -31,7 +30,6 @@ delete:
    description: 'Delete a single bank account by its uuid, if permitted for the current subject.'
    operationId: deleteBankAccountByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: bankAccountUUID
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-office-bank-accounts
    operationId: getListOfBankAccounts
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: holder
          in: query
@@ -33,7 +32,6 @@ post:
        - hs-office-bank-accounts
    operationId: postNewBankAccount
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        content:
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single business contact by its uuid, if visible for the current subject.'
    operationId: getSingleContactByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: contactUUID
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single contact by its uuid, if permitted for the current subject.'
    operationId: patchContact
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: contactUUID
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single business contact by its uuid, if permitted for the current subject.'
    operationId: deleteContactByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: contactUUID
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-office-contacts
    operationId: getListOfContacts
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: caption
          in: query
@@ -40,7 +39,6 @@ post:
        - hs-office-contacts
    operationId: postNewContact
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        content:
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single asset transaction by its uuid, if visible for the current subject.'
    operationId: getSingleCoopAssetTransactionByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: assetTransactionUUID
          in: path
@@ -5,7 +5,6 @@ get:
    - hs-office-coopAssets
  operationId: getListOfCoopAssets
  parameters:
-    - $ref: 'auth.yaml#/components/parameters/currentSubject'
    - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    - name: membershipUuid
      in: query
@@ -48,7 +47,6 @@ post:
    - hs-office-coopAssets
  operationId: postNewCoopAssetTransaction
  parameters:
-    - $ref: 'auth.yaml#/components/parameters/currentSubject'
    - $ref: 'auth.yaml#/components/parameters/assumedRoles'
  requestBody:
    description: A JSON object describing the new cooperative assets transaction.
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single share transaction by its uuid, if visible for the current subject.'
    operationId: getSingleCoopShareTransactionByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: shareTransactionUUID
          in: path
@@ -5,7 +5,6 @@ get:
    - hs-office-coopShares
  operationId: getListOfCoopShares
  parameters:
-    - $ref: 'auth.yaml#/components/parameters/currentSubject'
    - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    - name: membershipUuid
      in: query
@@ -48,7 +47,6 @@ post:
    - hs-office-coopShares
  operationId: postNewCoopSharesTransaction
  parameters:
-    - $ref: 'auth.yaml#/components/parameters/currentSubject'
    - $ref: 'auth.yaml#/components/parameters/assumedRoles'
  requestBody:
    description: A JSON object describing the new cooperative shares transaction.
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single debitor by its debitorNumber, if visible for the current subject.'
    operationId: getSingleDebitorByDebitorNumber
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: debitorNumber
          in: path
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single debitor by its uuid, if visible for the current subject.'
    operationId: getSingleDebitorByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: debitorUUID
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single debitor by its uuid, if permitted for the current subject.'
    operationId: patchDebitor
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: debitorUUID
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single debitor by its uuid, if permitted for the current subject.'
    operationId: deleteDebitorByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: debitorUUID
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-office-debitors
    operationId: getListOfDebitors
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: name
          in: query
@@ -47,7 +46,6 @@ post:
        - hs-office-debitors
    operationId: postNewDebitor
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        content:
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single membership by its membershipNumber, if visible for the current subject.'
    operationId: getSingleMembershipByMembershipNumber
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: membershipNumber
          in: path
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single membership by its uuid, if visible for the current subject.'
    operationId: getSingleMembershipByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: membershipUUID
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single membership by its uuid, if permitted for the current subject.'
    operationId: patchMembership
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: membershipUUID
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single membership by its uuid, if permitted for the current subject.'
    operationId: deleteMembershipByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: membershipUUID
          in: path
@@ -6,7 +6,6 @@ get:
        - hs-office-memberships
    operationId: getListOfMemberships
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: partnerUuid
          in: query
@@ -42,7 +41,6 @@ post:
        - hs-office-memberships
    operationId: postNewMembership
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        description: A JSON object describing the new membership.
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single business partner by its partner-number (prefixed with "P-"), if visible for the current subject.'
    operationId: getSinglePartnerByPartnerNumber
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: partnerNumber
          in: path
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single business partner by its uuid, if visible for the current subject.'
    operationId: getSinglePartnerByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: partnerUUID
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single business partner by its uuid, if permitted for the current subject.'
    operationId: patchPartner
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: partnerUUID
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single business partner by its uuid, if permitted for the current subject.'
    operationId: deletePartnerByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: partnerUUID
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-office-partners
    operationId: getListOfPartners
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: name
          in: query
@@ -33,7 +32,6 @@ post:
        - hs-office-partners
    operationId: postNewPartner
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        content:
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single business person by its uuid, if visible for the current subject.'
    operationId: getSinglePersonByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: personUUID
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single person by its uuid, if permitted for the current subject.'
    operationId: patchPerson
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: personUUID
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single business person by its uuid, if permitted for the current subject.'
    operationId: deletePersonByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: personUUID
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-office-persons
    operationId: getListOfPersons
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: name
          in: query
@@ -33,7 +32,6 @@ post:
        - hs-office-persons
    operationId: postNewPerson
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        content:
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single person relation by its uuid, if visible for the current subject.'
    operationId: getSingleRelationByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: relationUUID
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single person relation by its uuid, if permitted for the current subject.'
    operationId: patchRelation
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: relationUUID
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single person relation by its uuid, if permitted for the current subject.'
    operationId: deleteRelationByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: relationUUID
          in: path
@@ -7,7 +7,6 @@ get:
        - hs-office-relations
    operationId: getListOfRelations
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: personUuid
          in: query
@@ -60,7 +59,6 @@ post:
        - hs-office-relations
    operationId: postNewRelation
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        content:
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single SEPA Mandate by its uuid, if visible for the current subject.'
    operationId: getSingleSepaMandateByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: sepaMandateUUID
          in: path
@@ -32,7 +31,6 @@ patch:
    description: 'Updates a single SEPA Mandate by its uuid, if permitted for the current subject.'
    operationId: patchSepaMandate
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: sepaMandateUUID
            in: path
@@ -63,7 +61,6 @@ delete:
    description: 'Delete a single SEPA Mandate by its uuid, if permitted for the current subject.'
    operationId: deleteSepaMandateByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: sepaMandateUUID
          in: path
@@ -5,7 +5,6 @@ get:
        - hs-office-sepaMandates
    operationId: getListOfSepaMandates
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: iban
          in: query
@@ -33,7 +32,6 @@ post:
        - hs-office-sepaMandates
    operationId: postNewSepaMandate
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        description: A JSON object describing the new SEPA-Mandate.
@@ -3,7 +3,6 @@ get:
    - rbac-grants
  operationId: getListOfGrantsByUuid
  parameters:
-    - $ref: 'auth.yaml#/components/parameters/currentSubject'
    - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    - name: grantedRoleUuid
      in: path
@@ -38,7 +37,6 @@ delete:
        - rbac-grants
    operationId: deleteRoleGrantFromSubject
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: grantedRoleUuid
          in: path
@@ -3,7 +3,6 @@ get:
        - rbac-grants
    operationId: getListOfSubjectGrants
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    responses:
        "200":
@@ -20,7 +19,6 @@ post:
        - rbac-grants
    operationId: postNewRoleGrantToSubject
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        required: true
@@ -3,7 +3,6 @@ get:
        - rbac-roles
    operationId: getListOfRoles
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    responses:
        "200":
@@ -4,7 +4,6 @@ get:
    description: 'List all visible permissions granted to the given subject; reduced '
    operationId: getListOfSubjectPermissions
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: subjectUuid
          in: path
@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single subject by its id, if visible for the current subject.'
    operationId: getSingleSubjectByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: subjectUuid
          in: path
@@ -31,7 +30,6 @@ delete:
        - rbac-subjects
    operationId: deleteSubjectByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: subjectUuid
          in: path
@@ -4,7 +4,6 @@ get:
    description: List accessible RBAC subjects with optional filter by name.
    operationId: getListOfSubjects
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: name
          in: query
@@ -6,7 +6,6 @@ get:
    operationId: listCustomers

    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: prefix
          in: query
@@ -34,7 +33,6 @@ post:
        - testCustomers
    operationId: addCustomer
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        content:
@@ -3,7 +3,6 @@ patch:
        - testPackages
    operationId: updatePackage
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/currentSubject'
        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: packageUUID
            in: path
@@ -3,7 +3,6 @@ get:
        - testPackages
    operationId: listPackages
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/currentSubject'
        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: name
          in: query