RolesAllowed overrides OpenAPI definitions for 401 and 403 responses #23534

Closed
nderwin opened this issue Feb 8, 2022 · 4 comments · Fixed by #25638

nderwin commented Feb 8, 2022

Describe the bug

I noticed that when I added APIResponse annotations to my REST endpoint to document the 401 and 403 responses, the OpenAPI documentation overrides my descriptions, and instead shows "Not Authorized" (401) and "Not Allowed" (403). I've traced this down to using the RolesAllowed annotation. If I use Authenticated, or no annotation at all, then the documentation reflects the APIResponse annotations.

Expected behavior

OpenAPI documentation should be using the provided APIResponse annotations to document the 401 and 403 endpoint responses.

Actual behavior

OpenAPI documentation is using hard-coded "Not Authorized" and "Not Allowed" response descriptions for the 401 and 403 response status codes. This appears to be coming from

How to Reproduce?

See attached reproducer.

  1. Run in dev mode (./mvnw clean compile quarkus:dev)
  2. Check the OpenAPI documentation at http://localhost:8080/q/openapi.json
  3. Note that the 401 and 403 documentation use the references
  4. Change the GreetingResource class to use the RolesAllowed annotation (either at the class or method level, doesn't matter)
  5. Refresh the OpenAPI documentation
  6. Note that the 401 and 403 documentation is now ignoring the references, and is instead hard-coded to "Not Authorized" and "Not Allowed"

Output of uname -a or ver

Linux laverne 5.11.0-40-generic #44~20.04.2-Ubuntu SMP Tue Oct 26 18:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Output of java -version

openjdk version "11.0.13" 2021-10-19

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.7.1.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)

Additional information

No response

@nderwin nderwin added the kind/bug Something isn't working label Feb 8, 2022
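
An added example, not part of the original issue or the Quarkus code base: a small audit of an OpenAPI document that reports, per operation, whether the 401 and 403 responses are references, custom descriptions, or the hard-coded "Not Authorized" / "Not Allowed" text described in the report. The sample document, its paths and its component names are constructed for illustration.

```python
# Descriptions the issue reports as hard-coded once RolesAllowed is present.
HARD_CODED = {"401": "Not Authorized", "403": "Not Allowed"}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def classify(response, code):
    """Return 'missing', 'reference', 'hard-coded' or 'custom' for one response."""
    if response is None:
        return "missing"
    if "$ref" in response:
        return "reference"
    if response.get("description") == HARD_CODED[code]:
        return "hard-coded"
    return "custom"

def audit(document):
    """Map 'METHOD path' to {'401': kind, '403': kind} for every operation."""
    report = {}
    for path, item in document.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:  # skip 'parameters', 'summary', ...
                continue
            responses = operation.get("responses", {})
            report[f"{method.upper()} {path}"] = {
                code: classify(responses.get(code), code) for code in HARD_CODED
            }
    return report

def overridden(document):
    """Operations whose 401 or 403 response carries the hard-coded text."""
    return sorted(op for op, kinds in audit(document).items()
                  if "hard-coded" in kinds.values())

# Constructed sample: /hello keeps its references (step 3 of the report),
# /hello/admin shows the overridden form (step 6).
SAMPLE = {
    "paths": {
        "/hello": {"get": {"responses": {
            "200": {"description": "OK"},
            "401": {"$ref": "#/components/responses/unauthorized"},
            "403": {"$ref": "#/components/responses/forbidden"}}}},
        "/hello/admin": {"parameters": [], "get": {"responses": {
            "200": {"description": "OK"},
            "401": {"description": "Not Authorized"},
            "403": {"description": "Not Allowed"}}}},
    }
}

if __name__ == "__main__":
    for op, kinds in audit(SAMPLE).items():
        print(op, kinds)
```

To check a running application, load the JSON served at /q/openapi.json and pass the parsed document to `audit`. A description that an author deliberately set to the same text is also reported as hard-coded, so treat a hit as a prompt to compare against the annotations.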
quarkus-bot bot commented Feb 8, 2022

nderwin commented Feb 8, 2022

Reproducer: openapi-example.zip

@phillip-kruger

Thanks, I think this is the auto security that does this. I'll have a look a.s.a.p

@phillip-kruger phillip-kruger self-assigned this Feb 8, 2022

nderwin commented May 19, 2022

Created #25638 to address this.
