-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent repeated Quarkus Security exception handling that lead to duplicate headers during OIDC redirect #30026
Prevent repeated Quarkus Security exception handling that lead to duplicate headers during OIDC redirect #30026
Conversation
Failing Jobs - Building 101796c
Full information is available in the Build summary check run. Failures⚙️ JVM Tests - JDK 17 MacOS M1 #- Failing: extensions/micrometer/deployment
! Skipped: extensions/micrometer-registry-prometheus/deployment extensions/quartz/deployment extensions/scheduler/deployment and 21 more 📦 extensions/micrometer/deployment✖
|
|
...time/src/main/java/io/quarkus/resteasy/reactive/server/runtime/ResteasyReactiveRecorder.java
Show resolved
Hide resolved
@michalvavrik Thanks for the fix, it looks good. What I'm somewhat uncertain about, is why do we have to do these essentially workarounds for the proactive auth case. |
Or run the default handler only if no authentication exceptions have been detected at the build time and just skip a non-default handler altogether if the default handler has set a RouringContext property that it has handled the exception ? May be it is a better option |
Hi Sergey @sberyozkin , in short I don't see this as workaround, this PR adds extra condition to RESTEasy Reactive and Classic failure handlers that says "only run exception mappers when proactive=true if user defined custom exception mapper", but we can discuss it. Below are my answers.
nope, it's only run when proactive auth is enabled, both RESTEasy Reactive and RESTEasy Classic removes it (that's not my change, it was there already) as they wanted exception mappers to handle exception
that's exactly what this change is doing; I can come with different mechanism to determine that default handler did its job (event attribute with default handler signature or headers check), but I like this one as header check is prone to changes and I'm not sure default auth handler should add attribute we don't need, it doesn't provide any extra information. If it is there, we know it run as proactive auth is enabled.
that would mean to add default auth failure handler as actual Vert.x failure handler, but it is not. The auth failure handler is called here when
That could be done, but it was one of iterations we had and you basically said we should not allow extensions to stop default auth failure from running (at least that's how I understood it) - please don't make me to search for that comment, there was too many of them :-D. ATM that can't be done as:
|
Btw. I think your comments are justifiable (makes sense) - when Stuart wrote the default auth failure handler, it always ended event, therefore following situations could not happen. I turned how it is used little bit, but trying to keeping changes small I left default auth failure handler intact (except it does not end event). |
Sure, sounds like this is as best as we can have it, but what do you think about this one,
OK, I see what you mean based on the earlier comments
Sure, what I meant was not that Vertx HTTP extension would start checking Resteasy classic or reactive mappers, etc.
Can that work/be easy enough to support ? |
True, we already have them, we could propagate them to Vert.x HTTP extension.
It works like this (I know you know this, but I need to provide context):
|
@michalvavrik OK, thanks, we need to fix this duplication problem asap anyway, and the fix is OK, so I'm going to merge. |
@acoburn Hi Aaron, did you mean that you saw this problem with |
Sure, I'm happy to do that. There have been many changes regarding exception mappers lately, let's keep it as is for a while. |
+1 to question, fyi Aaron - I tested your reproducer with 2.14.3.Final and could not reproduce it. |
Thanks, I was curious if a backport to 2.14 was needed, lets just have a backport (to 2.15) label for now only |
I definitely saw this problem in the 2.15 release. In our codebase where this issue appeared, I also saw it in 2.14.3, so it is curious that the reproducer on 2.14.3 doesn't surface the problem. In any case, fixing this for 2.15 would be great. |
Okay, thank you for letting us know @acoburn , but @sberyozkin this fix can't be backported to 2.14 anyway, please don't do that, thanks. |
fixes: #30011
When proactive auth is enabled both default auth failure handler and builtin exception mappers were setting headers, which lead to duplicate headers that some browsers could not handle (Safari). Now repeated Quarkus Security exception handling is prevented as we only handle them (iff proactive = true) when custom exception mappers has been defined. There is no point running built in ex. mappers as they do exactly same as default auth failure handler had done.
I added tests that are independent on auth mechanism, but I checked fix with OIDC in both classic and reactive.