Closed FroMage closed 5 months ago
Well, at least, the tests show this, but RestAssured doesn't care, unlike Chrome.
Alright, so this might be a Quarkus bug, either in security, or in RESTEasy Reactive, because what happens is that I'm getting an auth challenge from HttpAuthenticationMechanism.ChallengeSender which sets the response code and adds a Location header directly to the Vert.x response, and then an AuthenticationFailedException is thrown, resulting in my @ServerExceptionMapper being called and also setting a Location by returning a Response.seeOther() and we end up with two Location headers.
I'm not entirely sure what the behaviour should be, but I suspect that at the very least, any Response data set by the exception mapper should override the ones set previously, if only because the Response is not meant to come on top of anything prior to it, but override it from scratch. So, the exception mapper's Location should "win" and override the security challenge one, don't you think @sberyozkin @geoand?
> So, the exception mapper's Location should "win" and override the security challenge one, don't you think @sberyozkin @geoand?
I completely agree
OK, I'll open a Quarkus issue. Meanwhile I've added a workaround.
I'm not sure what is wrong with this cookie, perhaps it's just expired, but I'm getting invalid responses such as:
Well, flash message is
{"message":"Invalid session (bad signature), you've been logged out"}
so that's a hint. But why two Location?
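A regression check for the symptom discussed in this thread, as an added example that is not code from the thread or from Quarkus: it parses a raw HTTP response head and reports single-valued headers such as Location that were sent more than once, which a client that keeps only one value would hide. The sample response, its paths and the list of single-valued headers are constructed assumptions.

```python
from collections import defaultdict

# Headers expected at most once per response (assumed list for this check).
SINGLETON_HEADERS = {"location", "content-length", "content-type"}


def parse_headers(raw: bytes):
    """Return (status_code, [(name, value), ...]) from a raw HTTP/1.1 response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    fields = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip(), value.strip()))
    return status, fields


def conflicting_singletons(raw: bytes):
    """Map lower-cased header name -> all values, for singleton headers sent twice or more."""
    _, fields = parse_headers(raw)
    seen = defaultdict(list)
    for name, value in fields:
        # Header names are case-insensitive, so group on the lower-cased name.
        seen[name.lower()].append(value)
    return {n: v for n, v in seen.items() if n in SINGLETON_HEADERS and len(v) > 1}


# Constructed sample: one Location written by the auth challenge, a second one
# written by the exception mapper's redirect. Paths are placeholders.
SAMPLE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Location: /login-from-challenge\r\n"
    b"location: /login-from-mapper\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, values in conflicting_singletons(SAMPLE).items():
        print(f"duplicate {name}: {values}")
```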