@RoleAllowed Issue with Reactive Routes #4544

Closed
mareleventh opened this issue Oct 14, 2019 · 5 comments · Fixed by #7951
Labels
area/security kind/bug Something isn't working
Comments

@mareleventh

Describe the bug
The Vert.x route is always accessible instead of throwing an unauthorized exception (401) if I send a request without a bearer token.

Expected behavior
Quarkus must throw an unauthorized exception (401) if the request doesn't come with a bearer token.

Actual behavior
The request without a bearer token is accepted without throwing unauthorized (401).

To Reproduce

UserRoutes.class

import io.quarkus.vertx.web.Route;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.json.JsonArray;
import io.vertx.reactivex.core.Vertx;
import io.vertx.reactivex.ext.web.RoutingContext;

import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import java.util.Collections;

@ApplicationScoped
public class UserRoutes {
    @Inject
    protected Vertx vertx;


    @Route(
            path = "/v1/clients/:client/users",
            methods = HttpMethod.GET,
            produces = "application/json"
    )
    @RolesAllowed("SuperUser")
    public void authorize(RoutingContext context) {
        context.response().end(new JsonArray(Collections.emptyList()).encodePrettily());
    }
}

So with the class above, I have the endpoint (I assume my client is master):

http://localhost:8080/v1/clients/master/users

First I send a request with a bearer token:

eyJraWQiOiJ0ZXN0a2lkIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJ1cG4iOiJ0ZXN0QGdtYWlsLmNvbSIsImF1dGhfdGltZSI6MTU3MTAzOTUzMiwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODAiLCJncm91cHMiOlsiVGVzdEdyb3VwIiwiVGVzdEdyb3VwMiJdLCJyb2xlTWFwcGluZ3MiOnsiVGVzdEdyb3VwMiI6Ik1hbmFnZXIiLCJUZXN0R3JvdXAiOiJTdXBlclVzZXIifSwiZXhwIjoxNTcxMDQ0NTMyLCJpYXQiOjE1NzEwMzk1MzJ9.YzfQVWL0Vo96uOpuCZgt0awJAwsU5_uLnq-AmMYDOuX9btxp8gqaLFEhDVq6RJehJuO1MqKgXbnYFCO0ydChFS6AsfKmTyW9eHEPnd2vjFiYZRvZSP7Kcg58Obzr0YSfC2XzfIrAVQivgHmbo_STLBGmtf4uNNwet8LDLkLQv6H2CuEqAyfy0E-VTOtCKIecAglPQIZ0y5O3irKk8CbOtHFRZZeZmjiXH1K_6MxeRzM1Br75iDFx-HNchZ_cnZWSvgILk2iM2hw6sSMW1JPu9nq4qHNPhbjoVwK6CGH8uHIFl3UUrEssFTy1EyKlZ5dBlzocm4YTIq4rcryzzlNU3Q

Then this is the result in my Quarkus log:

2019-10-14 15:31:44,334 INFO  [io.sma.jwt.aut.pri.DefaultJWTTokenParser] (vert.x-eventloop-thread-1) Updated groups to: [TestGroup, TestGroup2, Manager, SuperUser]

The result in the web browser is [ ] (I forced it to an empty collection).

Timeline with Insomnia:

* Preparing request to http://localhost:8080/v1/clients/master/users
* Using libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2
* Current time is 2019-10-14T08:37:54.275Z
* Disable timeout
* Enable automatic URL encoding
* Enable SSL validation
* Enable cookie sending with jar of 2 cookies
* Found bundle for host localhost: 0x7f977907ee70 [can pipeline]
* Could pipeline, but not asked to!
* Re-using existing connection! (#7) with host localhost
* Connected to localhost (::1) port 8080 (#7)

> GET /v1/clients/master/users HTTP/1.1
> Host: localhost:8080
> User-Agent: insomnia/7.0.1
> Cookie: JSESSIONID=87dSYxM3rWeuaJLHDnNK0yrOXU1OIoDtf5aMr1H-
> Authorization: Bearer eyJraWQiOiJ0ZXN0a2lkIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJ1cG4iOiJ0ZXN0QGdtYWlsLmNvbSIsImF1dGhfdGltZSI6MTU3MTA0MTY5NCwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODAiLCJncm91cHMiOlsiVGVzdEdyb3VwIiwiVGVzdEdyb3VwMiJdLCJyb2xlTWFwcGluZ3MiOnsiVGVzdEdyb3VwMiI6Ik1hbmFnZXIiLCJUZXN0R3JvdXAiOiJTdXBlclVzZXIifSwiZXhwIjoxNTcxMDQ2Njk0LCJpYXQiOjE1NzEwNDE2OTR9.VOXxBYslMCDnL885DTSfMoOIsidbXQt6Wo904zlgfWMw1_-BhfPqZPNvGMGnVF-b-FdCm8mFnakrmj6Tmp-oQ75pngKB8TnO3IqRoulZOTNXpkVNUf04ZcSgTtpehSVBLcUn_96yTaTbq1Olkpz9gTLFCxW3g2dg8o2MRvByKdtehs7cbn5o8bR8I7zLu9Od_Z4wU2YFoi-MBldwsrYGPAd-SpV_wM-3dhGIutry7TWImx9GSwUBHY43iyPs_YBOLJbeuwyjOrVrJJpEBsWb6exJLI0ze_fMuZO59A--z7bGURUFmkZ-RR1mraqzk06Z15KnuHwD8ieGO0Icrfi8mA
> Accept: */*

< HTTP/1.1 200 OK
< content-length: 3


* Received 3 B chunk
* Connection #7 to host localhost left intact

Then I send another request, with no authentication, to that endpoint:

Then nothing shows in the log console, and the result in the web browser is [ ].

Timeline with Insomnia:

* Preparing request to http://localhost:8080/v1/clients/master/users
* Using libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2
* Current time is 2019-10-14T08:39:35.415Z
* Disable timeout
* Enable automatic URL encoding
* Enable SSL validation
* Enable cookie sending with jar of 2 cookies
* Found bundle for host localhost: 0x7f977907ee70 [can pipeline]
* Could pipeline, but not asked to!
* Re-using existing connection! (#7) with host localhost
* Connected to localhost (::1) port 8080 (#7)

> GET /v1/clients/master/users HTTP/1.1
> Host: localhost:8080
> User-Agent: insomnia/7.0.1
> Cookie: JSESSIONID=87dSYxM3rWeuaJLHDnNK0yrOXU1OIoDtf5aMr1H-
> Accept: */*

< HTTP/1.1 200 OK
< content-length: 3


* Received 3 B chunk
* Connection #7 to host localhost left intact

The Quarkus settings in my pom.xml:

    <properties>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <surefire-plugin.version>2.22.0</surefire-plugin.version>
        <quarkus.version>0.24.0</quarkus.version>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>io.quarkus</groupId>
                <artifactId>quarkus-bom</artifactId>
                <version>${quarkus.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

Configuration

# Add your application.properties here, if applicable.
# Configuration file
# key = value
mp.jwt.verify.publickey.location=META-INF/secure/pkey.pem
mp.jwt.verify.issuer=http://localhost:8080
quarkus.smallrye-jwt.auth-mechanism=MP-JWT
quarkus.smallrye-jwt.enabled=true
# configure your datasource
quarkus.datasource.url=jdbc:postgresql://localhost:5432/masterdb
quarkus.datasource.driver=org.postgresql.Driver
quarkus.datasource.username=dev
quarkus.datasource.password=dev@123
# drop and create the database at startup (use `update` to only update the schema or `drop-and-create` to recreate schema)
quarkus.hibernate-orm.database.generation=update

Environment (please complete the following information):

  • Output of uname -a or ver: Darwin Kevins-MacBook-Pro.local 19.0.0 Darwin Kernel Version 19.0.0: Wed Sep 25 20:18:50 PDT 2019; root:xnu-6153.11.26~2/RELEASE_X86_64 x86_64
  • Output of java -version: openjdk version "1.8.0_212" OpenJDK Runtime Environment Corretto-8.212.04.2 (build 1.8.0_212-b04) OpenJDK 64-Bit Server VM Corretto-8.212.04.2 (build 25.212-b04, mixed mode)
  • GraalVM version (if different from Java): None
  • Quarkus version or git rev: 0.24.0

Thanks, and sorry about my English.
Kevins
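A regression check for the behaviour described in this report, written as an added example rather than code from the issue or from the Quarkus project. It assumes the `UserRoutes` class above is on the classpath together with a `@PermitAll` route at `/v1/test2` (the one shown in a later comment), and that the `quarkus-junit5` and `rest-assured` test dependencies are present; the package name is hypothetical. On the affected setup the first test fails with a 200 instead of a 401, which is exactly the bug.

```java
package org.acme.security; // hypothetical package, not from the issue

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.is;

// Added regression test; not part of the issue or of the Quarkus code base.
@QuarkusTest
public class UserRoutesSecurityTest {

    // A request with no Authorization header must be rejected before the
    // route body runs, so the 200 / "[ ]" seen in the report is a failure here.
    @Test
    public void anonymousRequestIsRejected() {
        given()
            .when().get("/v1/clients/master/users")
            .then()
            .statusCode(401);
    }

    // A malformed bearer token must be rejected as well, not silently
    // downgraded to an anonymous request that reaches the handler.
    @Test
    public void malformedTokenIsRejected() {
        given()
            .header("Authorization", "Bearer not-a-jwt") // constructed value
            .when().get("/v1/clients/master/users")
            .then()
            .statusCode(401);
    }

    // The @PermitAll route must stay reachable without credentials, which
    // guards against the over-broad fix described later in the thread.
    @Test
    public void publicRouteStaysOpen() {
        given()
            .when().get("/v1/test2")
            .then()
            .statusCode(200)
            .body(is("Hello!"));
    }
}
```

Keeping both the negative case (no token) and the positive case (public route) in one test class is deliberate: a fix that makes every path require authentication passes the first test and fails the third, so the pair catches both the original bug and the regression reported in the follow-up comment.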

@mareleventh mareleventh added the kind/bug Something isn't working label Oct 14, 2019
@mareleventh mareleventh changed the title @RoleAllowed Issue on Reactive Routes @RoleAllowed Issue in Reactive Routes Oct 14, 2019
@mareleventh mareleventh changed the title @RoleAllowed Issue in Reactive Routes @RoleAllowed Issue with Reactive Routes Oct 14, 2019
@sberyozkin
Member

Possibly related to #3049

@sberyozkin
Member

@stuartwdouglas Hi Stuart, should adding @Authenticated be effective in this case (with or without @RolesAllowed)?

@sberyozkin
Member

Hi @KelvinBT, just a quick question: is it only with the reactive routes that you see this issue, or with some 'plain' JAX-RS endpoint as well? (I'll confirm anyway, but if you've already tried, let me know please.)

@stuartwdouglas
Member

This can be solved with the new HTTP permission layer in 0.25:

    quarkus.http.auth.permission.all.paths=/*
    quarkus.http.auth.permission.all.policy=authenticated

@mareleventh
Author

mareleventh commented Oct 21, 2019

> Hi @KelvinBT, just a quick question: is it only with the reactive routes that you see this issue, or with some 'plain' JAX-RS endpoint as well? (I'll confirm anyway, but if you've already tried, let me know please.)

@sberyozkin

Sorry for the late reply.
FYI: on 0.24.0 it happens on Reactive Routes with Vert.x only. @RolesAllowed with JAX-RS endpoints still works as usual.

> This can be solved with the new HTTP permission layer in 0.25:
>
>     quarkus.http.auth.permission.all.paths=/*
>     quarkus.http.auth.permission.all.policy=authenticated

Thanks @stuartwdouglas

It fixed the issue, but we ran into a new issue.
As far as I'm aware, when you use /* to determine the secured path, this forces all requests to come with a bearer token.

I created a route with @PermitAll:

    import io.quarkus.vertx.web.Route;
    import io.vertx.core.http.HttpMethod;
    import io.vertx.reactivex.ext.web.RoutingContext;

    import javax.annotation.security.PermitAll;
    import javax.enterprise.context.ApplicationScoped;

    // Enclosing class added so the snippet compiles; the class name is assumed
    @ApplicationScoped
    public class TestRoutes {
        // Public route: expected to be reachable without any credentials
        @Route(
                path = "/v1/test2",
                methods = HttpMethod.GET,
                produces = "application/json"
        )
        @PermitAll
        public void test2(RoutingContext context) {
            context.response().end("Hello!");
        }
    }

Expected behavior:
Quarkus should respond with "Hello!" in the body.
Actual behavior:
Quarkus responds with 401 Unauthorized.

This affects both JAX-RS and Reactive Routes on 0.25.0 with

    quarkus.http.auth.permission.all.paths=/*
    quarkus.http.auth.permission.all.policy=authenticated

in application.properties
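The follow-up above shows the trade-off of a single `/*` rule: it closes the hole in the reactive route but also locks out the `@PermitAll` route, because the HTTP permission layer decides before any annotation on the handler is consulted. The configuration below is an added example, not from the issue or from the Quarkus project, of how that layer can express the intent of the two routes directly: a default deny-anonymous rule, an explicit exception for the public path, and a role requirement for the client-users resource. It assumes the `quarkus.http.auth.permission.*` and `quarkus.http.auth.policy.*` keys of the Quarkus HTTP security layer (longest-matching path wins) and the route paths from this issue; the rule names are arbitrary.

```properties
# Added example (not from the issue): path-based HTTP permissions in application.properties.

# Default rule: every path requires an authenticated identity, so an unauthenticated
# request to /v1/clients/master/users is rejected before the route body runs.
quarkus.http.auth.permission.default-authenticated.paths=/*
quarkus.http.auth.permission.default-authenticated.policy=authenticated

# Exception for the public route: the built-in "permit" policy lets anonymous requests through.
# /v1/test2 is more specific than /*, so this rule wins for that path.
quarkus.http.auth.permission.public-test.paths=/v1/test2
quarkus.http.auth.permission.public-test.policy=permit

# Named role policy: only the SuperUser role may read the client users resource.
quarkus.http.auth.policy.superuser-only.roles-allowed=SuperUser

# Apply that policy to the client users routes for GET requests.
quarkus.http.auth.permission.client-users.paths=/v1/clients/*
quarkus.http.auth.permission.client-users.methods=GET
quarkus.http.auth.permission.client-users.policy=superuser-only
```

Declaring the public exception explicitly, rather than relying on the catch-all alone, keeps the configuration auditable: the set of paths reachable without credentials is readable from one file instead of being spread across annotations whose enforcement, as this issue shows, can differ between JAX-RS resources and reactive routes.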

stuartwdouglas added a commit to stuartwdouglas/quarkus that referenced this issue Mar 19, 2020
@gsmet gsmet modified the milestones: 1.4.0, 1.3.1.Final Mar 21, 2020
gsmet pushed a commit to gsmet/quarkus that referenced this issue Mar 24, 2020
viniciusfcf pushed a commit to viniciusfcf/quarkus-fork that referenced this issue Sep 7, 2020