helidon-io / helidon

Java libraries for writing microservices
https://helidon.io
Apache License 2.0

SecurityPreMatchingFilter is overriding the SecurityContext when using webserver security #6414

Closed fssouza closed 1 year ago

fssouza commented 1 year ago

Environment Details


Problem Description

An authenticated SecurityContext is being replaced by an unauthenticated one after all filters are executed

Steps to reproduce

Setup Helidon Security using "web server security". Example:

security:
  providers:
    - spectra-auth:
        idcsTenantCertChain: '<idcsTenantCertChain>'
        authentication:
          authenticate: true
        audience: "<audience>"
        idcsUrl: "<idcsUrl>"
        scope: "<scope>"
  web-server:
    paths:
      # authenticate all paths
      - path: "/myapplication/*"
        authenticate: true
        spectra-auth:
          authentication:
            authenticate: true

Put a breakpoint on the following lines in SecurityPreMatchingFilter:

    public void filter(ContainerRequestContext request) {
        SecurityTracing tracing = SecurityTracing.get(); // BREAK POINT 1

        // A brand-new (not yet authenticated) SecurityContext is built for every request
        SecurityContext securityContext = security()
                .contextBuilder(Integer.toString(CONTEXT_COUNTER.incrementAndGet(), 36))
                .tracingSpan(tracing.findParent().orElse(null))
                .build();

        // ...and registered in the current Helidon Context, which replaces the
        // SecurityContext that webserver security already registered there
        Contexts.context().ifPresent(ctx -> ctx.register(securityContext));

        // Jersey's injectable SecurityContext reference is pointed at the new instance as well
        Ref<SecurityContext> ref = injectionManager.getInstance(
                new GenericType<Ref<SecurityContext>>() { }.getType());
        ref.set(securityContext); // BREAK POINT 2

        if (featureConfig().shouldUsePrematchingAuthentication()) {
            doFilter(request, securityContext);
        }
    }

In debug mode, execute a request using a valid Bearer Token. This is the result when evaluating expressions at both breakpoints:

In other words, this is the block replacing the existing SecurityContext:

        Contexts.context().ifPresent((ctx) -> {
            ctx.register(securityContext);
        });
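The override described in the report can be reproduced in isolation with Helidon's request Context API (io.helidon.common.context). The following is an added example, not code from the Helidon project or from the issue author: AuthState is a stand-in for SecurityContext (an assumption, since a genuinely authenticated SecurityContext needs a configured provider), and the two filter methods are hypothetical. overridingFilter does what the reported block does, registering a fresh instance so that a later ctx.get(AuthState.class) returns the unauthenticated one; reusingFilter shows the check a practitioner would want, reusing an instance that is already registered instead of replacing it.

```java
// Added example, not code from the Helidon project or from the issue author.
// Assumes a Helidon version that ships io.helidon.common.context (2.x and later)
// and Java 17 (records). AuthState stands in for SecurityContext.
import io.helidon.common.context.Context;
import io.helidon.common.context.Contexts;

import java.util.Optional;

public class ContextOverrideRepro {

    /** Stand-in for io.helidon.security.SecurityContext (assumption). */
    record AuthState(String id, boolean authenticated) { }

    /**
     * Mirrors the reported block: always builds a fresh, unauthenticated state
     * and registers it, regardless of what is already in the context.
     */
    static void overridingFilter(Context ctx, String freshId) {
        ctx.register(new AuthState(freshId, false));
    }

    /**
     * Hypothetical variant: only builds and registers a new state when the
     * context does not already carry one, so an authenticated state survives.
     */
    static AuthState reusingFilter(Context ctx, String freshId) {
        Optional<AuthState> existing = ctx.get(AuthState.class);
        if (existing.isPresent()) {
            return existing.get();
        }
        AuthState fresh = new AuthState(freshId, false);
        ctx.register(fresh);
        return fresh;
    }

    public static void main(String[] args) {
        // Constructed input: webserver security has already authenticated this request
        Context requestContext = Context.create();
        requestContext.register(new AuthState("ws-1", true));

        Contexts.runInContext(requestContext, () -> {
            Context ctx = Contexts.context().orElseThrow();
            System.out.println("before filter: " + ctx.get(AuthState.class).orElseThrow());
            overridingFilter(ctx, "filter-1");
            // the later registration is the one returned now
            System.out.println("after filter:  " + ctx.get(AuthState.class).orElseThrow());
        });

        Context second = Context.create();
        second.register(new AuthState("ws-2", true));
        // the authenticated state is returned unchanged
        System.out.println("reusing filter: " + reusingFilter(second, "filter-2"));
    }
}
```

The first two lines printed show the same transition the breakpoints expose: an authenticated state before the filter runs, an unauthenticated one afterwards. Whether reusing the existing context is the right fix for SecurityPreMatchingFilter is not something this example settles; it only demonstrates where the replacement happens and what a guard against it looks like.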
fssouza commented 1 year ago

@tomas-langer this is the issue we discussed over Slack

fssouza commented 1 year ago

I believe I'm running into another issue that has this one as a root cause. The EndpointConfig I'm getting in the AbacProvider is missing the "abac" config in the configMap (screenshot). This is my web-server configuration (screenshot). And this is the security context before being overridden (screenshot).