-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Credentials are ignored for websocket connections. #13565
Comments
/cc @sberyozkin |
@defnull but WebSockets work over the upgraded channel where no |
They work with or without |
Okay, more details: If If |
The security annotations probably work as intended, but they always fail because the principal is never authenticated for websockets. The So the only actual problem is the missing authentication during the websocket handshake if credentials are provided. I'll edit the issue description. That said, perhaps this is now a feature request an not longer a bug. I'm not sure. |
This is still an issue in June of 2022 - Making a Websocket Endpoint with |
I concur with @SIMULATAN , I'm seeing the same issue. I'm using quarkus 2.7.5 final. I too removed the authorization header and couldn't catch the error in the
|
Hi Guys, I have being trying for a while now to spike using quarkus/oidc/keycloak idendenty propagation for websockets using
I have not being able so far to get any of them working using bearer token. Had anyone being able to get this working? Any status on this ticket? Thank you |
For anyone insterested, as work arround for now (vertx sockjs eventbus); I'm overriding the io.quarkus.vertx.web.runtime.RouteHandler.handle(RoutingContext context) whithin each user session and keeping the ManagedContext active for the lifespan of the session. |
@mkamneng I am trying to get WebSocket security working and have posted a question on SO here: https://stackoverflow.com/questions/75141521/quarkus-how-to-secure-websocket-when-using-keycloak-oidc So far no luck. I was wondering whether you might be able to offer some guidance? Thank you, |
Describe the bug
There is currently no way (I know of) to protect a
@ServerEndpoint
with standard basic auth. TheAuthorization
header is ignored and theSession.getUserPrincipal()
property is not populated, which contradicts the "Proactive Authentication" principle described in quarkus docs.Security annotations like
@RolesAllowed
are applied and work as expected (they prevent the annotated methods from being called and throwio.quarkus.security.UnauthorizedException
) but they will always fail because no principal is present. It's a bit unintuitive that these errors do not close the websocket connection, but that's not required by the spec I guess.Expected behavior
If an
Authorization
header is present in the initial websocket handshake and basic auth is enabled as a feature, the handshake request should be authenticated as usual. Bad credentials should abort the handshake and not start a websocket session.Actual behavior
The
Authorization
header is completely ignored for websocket connections.To Reproduce
Take an example project with working basic auth and add this:
Now try to connect with a websocket client with or without
Authorization
headers set. Browsers understandws://test:test@localhost:8080/ws
URIs. In both cases, with or without credentials, anio.quarkus.security.UnauthorizedException
will be logged and the connection will be closed abruptly (no end frame). If the@RolesAllowed
is on a method, the session is created but then fails when calling the annotated method. In that case, the connection is not closed.Configuration
quarkus.http.auth.basic=true
Environment (please complete the following information):
java -version
: 14.0.2+12-Ubuntu-120.04The text was updated successfully, but these errors were encountered: