REST Assured-Test with Basic Auth fails since 0.24.0

[wicksim]

Describe the bug
I've a test, which uses REST Assured to test an REST-endpoint. This endpoint is secured with a @RolesAllowed-annotation. In production, we use MP-JWT, in test-environment the Basic-Auth-Mechanism quarkus.security.file is used. Since 0.24.0, i get an HTTP-Status-Code 403 instead of 200. Last working version is 0.23.2.

given()
.auth().preemptive().basic("test", "pass")
.when()
.body(new Order(1, 5))
.contentType(ContentType.JSON)
.put("/order")
.then()
.statusCode(200);

Expected behavior
Returned HTTP-Status-Code is 200.

Actual behavior
Returned HTTP-Status-Code is 403.

To Reproduce
Steps to reproduce the behavior:

1. Use first steps example
2. Add @RolesAllowed-annotation to REST-method
3. Add quarkus-elytron-security-Dependency
4. Configure application.properties, test-users.properties and test-roles.properties
5. Modify given test-code: add .auth().preemptive().basic("test", "pass")

Configuration

quarkus.smallrye-jwt.enabled=false
quarkus.security.file.enabled=true
quarkus.security.file.users=test-users.properties
quarkus.security.file.roles=test-roles.properties
quarkus.security.file.auth-mechanism=BASIC

Screenshots
(If applicable, add screenshots to help explain your problem.)

Environment (please complete the following information):

• Output of uname -a or ver: Microsoft Windows [Version 10.0.17763.737]
• Output of java -version: java version "1.8.0_181"
• GraalVM version (if different from Java):
• Quarkus version or git rev: 0.24.0/0.25.0 (both not working)

Additional context
(Add any other context about the problem here.)
test-roles.properties

test=customer

test-users.properties

test=pass

[geoand]

@sberyozkin is this something you are aware of perhaps?

[sberyozkin]

@geoand Not yet, @stuartwdouglas, Stuart, is http security policy setting required to let the requests pass, something along the lines advised for #4544 ?

[stuartwdouglas]

For 0.25 this needs to be migrated to the new security layer. In particular:

• You need to depend on elytron-security-properties-file
• Property names are now: quarkus.security.users.file.* rather than quarkus.security.file.*
• Basic auth is enabled via quarkus.http.auth.basic=true

[wicksim]

It works now, but:

• It doesn't work, when adding quarkus-elytron-security-properties-file-dependency with test-scope
• I'm getting WARN: Unrecognized configuration key "quarkus.security.users.file.auth-mechanism" provided when providing this property. It's not neccessary in my case, but it's mentioned on https://quarkus.io/guides/elytron-properties-guide.html
• As a beginner, the relation to quarkus.http.auth.basic=true is not clear to me and there is nothing mentioned on https://quarkus.io/guides/elytron-properties-guide.html

[stuartwdouglas]

Looks like this was missed in the guides (TBH it does not actually matter at the moment, as BASIC auth is the default if none is explicitly defined).

The old configuration did not really make sense, because you can really use a single auth method, however each Elytron realm had its own property to configure the method. If you configured say one with basic and one with form it was not clear which method would actually be used. The new implementation tries to seperate the method and the identity provider as much as possible.

[wicksim]

I'm fine with that...closing the issue.