Exception mapper not handling failed login attempts #24790

Closed
soldev21 opened this issue Apr 6, 2022 · 6 comments · Fixed by #29228
Labels
area/security kind/bug Something isn't working

soldev21 commented Apr 6, 2022

Describe the bug

I want to log failed login attempts.
So I generated the Quarkus RESTEasy JAX-RS example from https://code.quarkus.io/
Then I applied the changes shown below.

1. Added some security configs
2. Added two exception mappers: AuthenticationFailedException and AuthenticationCompletionException
3. Edited the test class.

Despite the changes above, the exception mappers don't catch any exception regarding the failed Basic authentication attempt.

Any thoughts on this?

Expected behavior

Catch AuthenticationFailedException and AuthenticationCompletionException in the corresponding exception mappers.

Actual behavior

Bypass the exception mappers.

How to Reproduce?

  1. git clone https://github.com/soldev21/quarkus-security-exception-mapper.git
  2. cd quarkus-security-exception-mapper
  3. Run ./mvnw compile quarkus:dev
  4. Open http://localhost:8080/ in a browser and try to log in with fake credentials

Output of uname -a or ver

Ubuntu 21.10

Output of java -version

openjdk version "11.0.13"

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.7.5.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.4

Additional information

No response

@soldev21 soldev21 added the kind/bug Something isn't working label Apr 6, 2022
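
A mapper of the kind the report describes, written here as an added example (it is not code from the reporter's repository or from Quarkus). The class name, logger category, log format and realm value are assumptions, and the `javax.ws.rs` namespace matches the 2.7.5.Final version reported above. Per this issue, such a mapper was bypassed on that version.

```java
package org.acme; // assumed package name

import io.quarkus.security.AuthenticationFailedException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
import org.jboss.logging.Logger;

// Hypothetical audit mapper: logs each failed login and answers with a Basic challenge.
@Provider
public class FailedLoginAuditMapper implements ExceptionMapper<AuthenticationFailedException> {

    // Assumed logger category, so audit events can be routed to their own handler.
    private static final Logger LOG = Logger.getLogger("security.audit");

    @Context
    UriInfo uriInfo;

    @Context
    HttpHeaders headers;

    @Override
    public Response toResponse(AuthenticationFailedException e) {
        // Record that an attempt failed and where; never log the Authorization header.
        LOG.warnf("auth_failed path=%s user_agent=%s reason=%s",
                clean(uriInfo.getPath()),
                clean(headers.getHeaderString(HttpHeaders.USER_AGENT)),
                clean(e.getMessage()));
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"example\"") // constructed realm
                .build();
    }

    // Path and User-Agent are client-controlled: replace control characters
    // (CR/LF log forging) and cap the length before they reach the log.
    static String clean(String value) {
        if (value == null) {
            return "-";
        }
        String s = value.replaceAll("\\p{Cntrl}", "_");
        return s.length() > 200 ? s.substring(0, 200) : s;
    }
}
```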

soldev21 commented May 4, 2022

Hi @sberyozkin, is there any estimation or plan regarding this issue? I did some investigation and found a class named io.quarkus.vertx.http.runtime.security.HttpAuthenticator. It has a Uni<SecurityIdentity> attemptAuthentication(final RoutingContext routingContext) method which seems to handle the whole authentication process with predefined HttpAuthenticationMechanisms. Can we intercept this method somehow? Or is this an appropriate way to intercept the authentication process?


geoand commented Oct 19, 2022

@sberyozkin is this perhaps handled now?

sberyozkin commented

Hi @geoand I'm just checking issues and have found your comment, sorry. I think so, Michal, @michalvavrik, you've fixed it, right?


geoand commented Nov 11, 2022

👌

michalvavrik commented

@sberyozkin nope, I only fixed it for RESTEasy Reactive, but I just got familiar with how RESTEasy Classic processes requests and there is a way to fix it too. Will do, thx for a hint
