Due to a configuration bug, runtime defaults were leaking to static init. With that fixed, some tests started to fail because the default is false, and tests expected events to be available. Regardless, the EagerSecurityFilter configuration cannot be changed after the build because @Provider is initialized during static init.
This was discovered with #40225, and the mapping was changed to BUILD_AND_RUN_TIME_FIXED to fix the tests, but we must decide what the correct behavior should be.
I'd suggest we can initialize SecurityEventHelper lazily (on the first request) inside RESTEasy Classic. The implementation in Quarkus REST is better as it's initialized on application startup. If my memory serves me well, in other cases it's only used at runtime, but we need to check when fixing this issue.
Regarding the security impact of this bug: if the quarkus.security.events.enabled runtime value wasn't reflected, it would mean that security events were not produced in case the property was only set at runtime. In my eyes, it's a bug, but not a vulnerability.
I recall that for the csrf work, I had to convert @Provider to ServerHandler, though that was for Quarkus REST.
Lazy initialization for the RESTEasy Classic case sounds reasonable.
JaxRsPermissionChecker is using it as well (it actually receives it as a method parameter in one of the cases from this filter), so I'll just put it there. Thanks for the feedback.
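The lazy-initialization approach proposed in the discussion above, as an added illustration that is not Quarkus's own code: a JAX-RS filter that resolves a RUNTIME-phase property on the first request instead of in its constructor, which with @Provider runs during static init. The config root shape, the LazyEventsFilter and EventHelper class names, and the use of MicroProfile ConfigProvider for the lookup are assumptions; only the property name quarkus.security.events.enabled comes from the thread.

```java
// Added illustration (not Quarkus's own code). Class names, the config root
// shape, and the ConfigProvider lookup are assumptions; only the property
// quarkus.security.events.enabled comes from the issue.
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

import io.quarkus.runtime.annotations.ConfigPhase;
import io.quarkus.runtime.annotations.ConfigRoot;
import io.smallrye.config.ConfigMapping;
import io.smallrye.config.WithDefault;
import io.smallrye.config.WithName;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.ext.Provider;
import org.eclipse.microprofile.config.ConfigProvider;

// Assumed shape of the config root (illustrative, not the real SecurityConfig).
// RUNTIME phase means the value is only final once the application starts,
// so nothing that runs during static init may snapshot it.
@ConfigMapping(prefix = "quarkus.security")
@ConfigRoot(phase = ConfigPhase.RUNTIME)
interface EventsConfig {
    @WithName("events.enabled")
    @WithDefault("false")
    boolean eventsEnabled();
}

@Provider
public class LazyEventsFilter implements ContainerRequestFilter {

    // Hypothetical stand-in for the helper that fires security events.
    static final class EventHelper {
        private final boolean enabled;
        EventHelper(boolean enabled) { this.enabled = enabled; }
        boolean isEnabled() { return enabled; }
    }

    private final AtomicReference<EventHelper> helper = new AtomicReference<>();
    private final Supplier<Boolean> eventsEnabled;

    // No-arg constructor used by the JAX-RS runtime. The property is deliberately
    // NOT read here: with @Provider this runs during static init, when only the
    // build-time default (false) would be visible, not the runtime value.
    public LazyEventsFilter() {
        this(() -> ConfigProvider.getConfig()
                .getOptionalValue("quarkus.security.events.enabled", Boolean.class)
                .orElse(false));
    }

    // Constructor taking the lookup as a Supplier so the lazy path is testable.
    LazyEventsFilter(Supplier<Boolean> eventsEnabled) {
        this.eventsEnabled = eventsEnabled;
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (helper().isEnabled()) {
            // Runtime config was honoured: fire the security event here.
        }
    }

    // Lazy, race-free initialisation: the property is read once, on the first
    // request, when runtime configuration is available. Concurrent first
    // requests may both build a helper, but only one instance is ever published.
    EventHelper helper() {
        EventHelper h = helper.get();
        if (h == null) {
            EventHelper fresh = new EventHelper(eventsEnabled.get());
            h = helper.compareAndSet(null, fresh) ? fresh : helper.get();
        }
        return h;
    }
}
```

The point of the pattern is where the lookup happens, not how it is cached: an eager read in the constructor sees the static-init default, while the deferred read sees the value the operator set at run time.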
Describe the bug
The SecurityConfig mapping is marked as RUNTIME:
quarkus/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/SecurityConfig.java (lines 11 to 13 in c06cf1e)
But its configuration is used during STATIC_INIT:
quarkus/extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/EagerSecurityFilter.java (lines 60 to 68 in 81386fd)