Quarkus: Keycloak policy enforcer's paths are not respected in dev mode

Created on 25 May 2020 · 8 Comments · Source: quarkusio/quarkus

Describe the bug
Keycloak's path-related properties are not respected in Quarkus dev mode.

quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.health.name=Health-check
quarkus.keycloak.policy-enforcer.paths.health.path=/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED

With such a config, when an app is started in dev mode using ./mvnw quarkus:dev, requests end with HTTP 401. On the other hand, running the same app with the regular java -jar command ends with the expected HTTP 200.

Expected behavior
Keycloak's config is not respected in dev mode and resources under /health are still secured.

Actual behavior
Request to e.g. /health/live should end with HTTP 200.

To Reproduce
Steps to reproduce the behavior:

  1. ./mvnw clean package
  2. ./mvnw quarkus:dev

Configuration

quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.health.name=Health-check
quarkus.keycloak.policy-enforcer.paths.health.path=/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED

Environment (please complete the following information)

Output of uname -a or ver: Darwin WS-C02V82MSHV2Q 19.4.0 Darwin Kernel Version 19.4.0: Wed Mar 4 22:28:40 PST 2020; root:xnu-6153.101.6~15/RELEASE_X86_64 x86_64
Output of java -version:

openjdk version "11.0.1" 2018-10-16
OpenJDK Runtime Environment 18.9 (build 11.0.1+13)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)

GraalVM version (if different from Java): N/A
Quarkus version or git rev: 1.4.2
Build tool (ie. output of mvnw --version or gradlew --version):

Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /Users/tzr/.m2/wrapper/dists/apache-maven-3.6.3-bin/1iopthnavndlasol9gbrbg6bf2/apache-maven-3.6.3
Java version: 11.0.1, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/openjdk-11.0.1.jdk/Contents/Home
Default locale: pl_PL, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.4", arch: "x86_64", family: "mac"
area/devmode area/keycloak-authorization kind/bug

All 8 comments

If anyone would be so nice as to point me to a place where I should start my investigation, I would like to fix this by myself.

/cc @sberyozkin @pedroigor could you guide @tomekzar ?

/cc @stuartwdouglas too maybe

@pedroigor has reported the same issue at #8204, and according to the last user comment a regression has started happening in 1.4.2, all was good in 1.3.2.
Hi @stuartwdouglas perhaps we need to update quarkus-keycloak-authorization to sync with some recent dev mode changes?

This is probably most relevant, what Pedro commented at #8204:

If you run the application in dev mode, the paths you defined to the policy enforcer (e.g.: quarkus.keycloak.policy-enforcer.paths.1.path=/swagger-ui/*) are not loaded and that causes the policy enforcer to deny the request.

Thank you! I tried to implement this last week and wasn't sure what I was doing wrong. I can confirm it works as expected in 1.4.1, so it must have been introduced in 1.4.2.

As observed by @garmannslund, it's working for me too in 1.4.1, but not in 1.4.2.
