Quarkus Security issue in the Native Executable #12594

Closed
overthetop opened this issue Oct 8, 2020 · 7 comments · Fixed by #36874
Labels
area/security kind/bug Something isn't working
Comments

@overthetop

Quarkus version: 1.8.1

I have two Quarkus profile configurations for our security. One for the prod and another for the insecure profile:

quarkus.http.auth.permission.auth.paths=/*

quarkus.http.auth.permission.auth.policy=authenticated
%insecure.quarkus.http.auth.permission.auth.policy=permit

So what happens:

  1. Set env var QUARKUS_PROFILE="insecure"
  2. Build the native executable
  3. Set env var QUARKUS_PROFILE="prod"
  4. Run the native executable

Result:
My endpoints are not secured

Expected result:
Security settings must change depending on the runtime profile

So my security setting for the "prod" profile is not applied and all the endpoints are not secured. It seems that when building the native executable the settings from the "build profile" (the profile that is set during build time "insecure") are recorded and there is no way to change them during runtime with a different profile.
If I'm not building a native executable and I'm running Quarkus in JVM mode, everything works as expected and when I change the runtime profile, security is applied.
We need to have different security settings (for each Quarkus profile) for our different environments.
How can I do that?

@overthetop overthetop added the kind/bug Something isn't working label Oct 8, 2020
@sberyozkin
Member

It sounds more like a general configuration/profile issue when applied to the native mode.

I see a closed #3062 linking to #3150. It should work, hi Guillaume, can you clarify please?

@overthetop
Author

@sberyozkin I've just tested my setup from above, but this time setting -Dquarkus.profile and the security is still not applied

@overthetop
Author

I guess @sberyozkin wanted to tag @gsmet :)

@overthetop
Author

@gsmet is there a chance that issue gets a little attention?

@gsmet
Member

gsmet commented Oct 21, 2020

These configuration properties are fixed at build time so changing the profile won't change anything.

@gsmet
Member

gsmet commented Oct 21, 2020

(I'm not saying it's a good thing they are but that's a fact :))
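
An added example, not part of the thread and not Quarkus code: a CI release gate that resolves the `%profile.` overrides in `application.properties` for the profile used at build time and reports every HTTP permission set whose baked-in policy is not `authenticated`. It assumes, per the maintainer's comment above, that these properties are fixed at build time; the function names and the rule that every permission set must be `authenticated` are assumptions made for illustration.

```python
"""Release gate: which auth policy does a Quarkus native build bake in?"""

# Constructed sample: the application.properties lines from the issue report.
SAMPLE = """\
quarkus.http.auth.permission.auth.paths=/*
quarkus.http.auth.permission.auth.policy=authenticated
%insecure.quarkus.http.auth.permission.auth.policy=permit
"""

PREFIX = "quarkus.http.auth.permission."


def resolve(text, profile):
    """Resolve properties for one profile: '%<profile>.key' overrides 'key'."""
    base, override = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("%"):
            name, _, key = key[1:].partition(".")
            if name == profile:
                override[key] = value
        else:
            base[key] = value
    return {**base, **override}


def baked_policies(text, build_profile):
    """Permission-set name -> policy as resolved at build time."""
    props = resolve(text, build_profile)
    return {k[len(PREFIX):-len(".policy")]: v for k, v in props.items()
            if k.startswith(PREFIX) and k.endswith(".policy")}


def gate(text, build_profile, required="authenticated"):
    """Return violations; an empty list means the build may be released.

    Assumption (from the maintainer's comment): these properties are fixed at
    build time, so only the build profile matters, never the runtime profile.
    """
    return [f"{name}: policy={policy} (built with profile '{build_profile}')"
            for name, policy in sorted(baked_policies(text, build_profile).items())
            if policy != required]


if __name__ == "__main__":
    for profile in ("insecure", "prod"):
        print(profile, gate(SAMPLE, profile) or "ok")
```

Run the gate with the profile that was active during the native build, not the one the executable will be started with.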

@Valentin-Nikolov

@gsmet what is the workaround to change the profile then? Do you plan to make some fix on that?
