Closed davidfrickert closed 1 year ago
/cc @sberyozkin
(Although the reproducer doesn't have one, I have no problem testing a resource that has no custom exception mappers in it)
@michalvavrik Hey Michal, you are an expert now in this area :-), have a look when you get a chance please
@sberyozkin :-D I'll look today or tomorrow (when time allows).
io.quarkus.resteasy.reactive.common.deployment.ResteasyReactiveCommonProcessor#setUpDenyAllJaxRs adds DenyAll (and RolesAllowed for default-roles-allowed) around exception mapper methods, and judging by the ServerExceptionMapper annotation Javadoc, it's completely valid to have them in the resource. I'll rewrite the way we identify resource methods there.
UPDATE: looks like it also affects the classic one and any resource method that can be intercepted, not just exception mappers.
@michalvavrik Hi Michal, please take your time, IMHO it is not an urgent issue
Hi, I'm experiencing the same exception in Quarkus 3.2.4. I do use a custom exception mapper in the reactive REST endpoint (via the annotated method in the endpoint class), but I don't do anything special in this method - I don't access SecurityIdentity in it or such - just plain Java logic without calls to any services or similar.
This exception is triggered by a client invoking an @Authenticated endpoint, but not providing a Bearer token (using OIDC authentication in service mode). The correct behaviour would be UNAUTHORIZED or FORBIDDEN, but I get INTERNAL SERVER ERROR due to this problem. Correctly authenticated requests have no problem though.
This started happening after some changes in the app, namely:
1. A @Transactional REST endpoint method where I register a beforeCompletion callback that waits for some CompletableFuture.join() (which is just a wrapper for a Kafka Producer callback when the message is sent to Kafka) and an afterCompletion callback that either commit(s) or abort(s) the Kafka transaction. I use the plain Kafka client without any bindings to Quarkus (such as Quarkus reactive messaging).
2. quarkus.http.auth.proactive=false
I have a feeling that this last change is the culprit.
@plevart I'll need a reproducer, can you open an issue and ping me there, please? Creating one based on your feedback would require a lot of guessing, therefore more time.
I have a feeling that this last change is the culprit.
absolutely, it shouldn't be necessary unless I'm missing something
Describe the bug
It seems that quarkus.security.jaxrs.deny-unannotated-endpoints = true has some problems with quarkus-test-security. This only seems to be a problem on Resources with exception mappers inside the class.
Stacktrace:
Expected behavior
Test returns appropriate status code depending on the test case (401/403)
Actual behavior
Test fails with HTTP 500
How to Reproduce?
https://github.com/davidfrickert/quarkus-issue-reproducer/tree/security-test-resource-exception-mappers-auth
Run test GreetingResourceImplTest. Expected 403, actually is 500 with the error on the issue description.
Output of uname -a or ver
Linux dfrickert 5.15.74-4-MANJARO #1 SMP PREEMPT Sat Oct 15 18:49:48 UTC 2022 x86_64 GNU/Linux
Output of java -version
openjdk version "17.0.5" 2022-10-18 OpenJDK Runtime Environment (build 17.0.5+1) OpenJDK 64-Bit Server VM (build 17.0.5+1, mixed mode)
GraalVM version (if different from Java)
N/A
Quarkus version or git rev
2.13.3.Final
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63) Maven home: /opt/maven Java version: 17.0.5, vendor: N/A, runtime: /usr/lib/jvm/java-17-openjdk Default locale: en_US, platform encoding: UTF-8 OS name: "linux", version: "5.15.74-4-manjaro", arch: "amd64", family: "unix"
Additional information
No response
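The shape of the setup the report describes, as an added example that is not code from the reproducer repository or from Quarkus itself: a resource that keeps a @ServerExceptionMapper method beside a role-protected endpoint, and a test asserting the 401/403 the report expects under deny-unannotated-endpoints. It assumes Quarkus 3.x jakarta imports, the quarkus-junit5 and quarkus-test-security test dependencies, and hypothetical class, path and role names.

```java
// Added example, not the reproducer's code. Resource and test are shown in one unit for
// brevity; in a project they live in src/main and src/test. Assumes Quarkus 3.x
// (jakarta.* namespace; use javax.* on 2.13.x) and application.properties containing:
//   quarkus.security.jaxrs.deny-unannotated-endpoints=true
package org.acme;

import static io.restassured.RestAssured.given;
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.Response;
import org.jboss.resteasy.reactive.server.ServerExceptionMapper;
import org.junit.jupiter.api.Test;

@Path("/hello")
public class GreetingResource {
    @GET
    @RolesAllowed("admin")
    public String hello() {
        throw new IllegalStateException("boom"); // forces the in-class mapper to run
    }
    // Mapper inside the resource class, which the ServerExceptionMapper Javadoc allows.
    // The bug: the deny-unannotated-endpoints processing wrapped this method in @DenyAll
    // as if it were an endpoint, so the 401/403 path surfaced as a 500 instead.
    @ServerExceptionMapper(IllegalStateException.class)
    public Response mapIllegalState(IllegalStateException e) {
        return Response.status(Response.Status.CONFLICT).entity(e.getMessage()).build();
    }
}

@QuarkusTest
class GreetingResourceTest {
    @Test
    void anonymousGets401() {
        given().when().get("/hello").then().statusCode(401);
    }

    @Test
    @TestSecurity(user = "bob", roles = "user")
    void wrongRoleGets403() {
        given().when().get("/hello").then().statusCode(403);
    }

    @Test
    @TestSecurity(user = "alice", roles = "admin")
    void adminReachesMapper() {
        given().when().get("/hello").then().statusCode(409);
    }
}
```

On an affected Quarkus version the first two tests fail with a 500 from the wrapped mapper; on a fixed version all three pass.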