Quarkus: Optional activation of Quarkus Security as JAX-RS filter

Created on 14 Apr 2020 · 7 comments · Source: quarkusio/quarkus

Description
At the moment Quarkus Security is activated before a JAX-RS chain starts. The following are some of the issues that JAX-RS users may be seeing:

  • They can't intercept Quarkus Security exceptions with ExceptionMapper
  • Token auto-propagation which is free for MP RestClient is not possible

Implementation ideas
Activate Quarkus Security, when requested by the configuration property, as the very first pre-match JAX-RS ContainerRequestFilter.

CC @stuartwdouglas Hi Stuart, not sure how feasible it is, and even if it is, whether the complexity would be too high just to meet the above 2 cases, but let's talk a bit about it and see if it makes sense, thanks

Labels: area/security, kind/enhancement

All 7 comments

Hi Stuart @stuartwdouglas Can we discuss this option a bit more? Without it we can't support user-provided custom JAX-RS exception mappers dealing with 401/403... Thanks

Some of this already works, the rest can't really be done in a secure way.

Permission checks are done via CDI interceptors, so the failure is a normal exception that can be mapped as normal. If you want to map authentication failures as well as authorisation then you need to disable proactive auth, and then you can use an exception mapper for the resulting AuthenticationFailedException, as it will be generated from the interceptor rather than early in security handling.

What is the issue with token propagation?
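The approach described in the comment above (disable proactive authentication so the failure surfaces as an exception from the CDI interceptor, then map it) as an added example, not code from the issue or from the Quarkus project. It assumes the `quarkus.http.auth.proactive` property and the `io.quarkus.security.AuthenticationFailedException` / `io.quarkus.security.ForbiddenException` types, and the class and message names are made up for the example:

```java
// application.properties (assumed property, see lead-in):
//   quarkus.http.auth.proactive=false
//
// With proactive auth off, a bad or missing credential is no longer rejected
// before the JAX-RS chain starts; it fails inside the security interceptor and
// can be mapped like any other exception.

import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.jboss.logging.Logger;

import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.ForbiddenException;

/** Authentication failure (bad/expired/missing credential) -> 401. */
@Provider
public class AuthenticationFailedMapper
        implements ExceptionMapper<AuthenticationFailedException> {

    private static final Logger LOG = Logger.getLogger(AuthenticationFailedMapper.class);

    @Override
    public Response toResponse(AuthenticationFailedException e) {
        // Keep the cause server-side only; the client just learns it is unauthenticated.
        LOG.debugf(e, "Authentication failed");
        return Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Bearer")
                .type(MediaType.APPLICATION_JSON)
                .entity("{\"error\":\"unauthorized\"}")
                .build();
    }
}

/** Authorization failure from the CDI permission check (@RolesAllowed etc.) -> 403. */
@Provider
class ForbiddenMapper implements ExceptionMapper<ForbiddenException> {

    @Override
    public Response toResponse(ForbiddenException e) {
        return Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.APPLICATION_JSON)
                .entity("{\"error\":\"forbidden\"}")
                .build();
    }
}
```

The second class is package-private only so both mappers fit in one file here; in a real project each `@Provider` would normally live in its own public class.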

@stuartwdouglas Thanks for the tip! It sounds interesting, this _proactive authentication_!

@stuartwdouglas This is cool, I'll give it a go and add a test a bit later on and also update the doc that the lazy authentication should be done for it to work...

@stuartwdouglas

> What is the issue with token propagation?

I'll need to check again, MP REST Client can auto-propagate the token, I thought, when I looked at it last time, it was not possible with the (proactive) approach, will check...

Hey everybody, in the current Quarkus (1.7.0) there is still the behaviour that you get a 500 instead of a 403 when the JWT token has expired. Will there be a fix coming??
