Unable to Overwrite Response using Security-JPA & RestEasy-Classic #27180
Comments
/cc @sberyozkin
Is there any update on this? As this is preventing me from updating further than 2.7.5
Hello, I can reproduce it. I'll have a look and let you know.
Hi @sberyozkin,
from inside of your methods (see issue description above, the very same is done in docs here https://quarkus.io/guides/security-customization#dealing-with-more-than-one-httpauthenticationmechanism), then custom auth mechanism method Line 140 in 647dfdc
I understand that your intention here #16446 was to do right challenge, not all the challenges. I also realize @BrainShit can do this
or
and reproducer is fixed! From here, these are just my opinions, not facts:
I want to fix the issue (unless you think there is none :-)), but I need to hear what is expected behavior - can you specify algorithm how correct Thanks a lot!
@sberyozkin I re-read docs now and following paragraph "In some cases such a default logic of selecting the challenge is exactly what is required by a given application, but sometimes it may not meet the requirements. In such cases (or indeed in other similar cases where you'd like to change the order in which the mechanisms are asked to handle the current authentication or challenge request), you can create a custom mechanism and choose which mechanism should create a challenge, for example:" suggests to use an example that won't work as I described above (please see my previous comment), because I'd prefer to hear from you once you have time for this (no hurry) as it's not explained why 6 mechanisms I listed above are preferred to a custom mechanism. I read the PRs that submitted these changes and it's not clear, but I can run a few tests to find out.
#22206 #22483 #22404 gave me an idea, I'll try to figure it out on my own. Originally HttpAuthenticationMechanism.getCredentialTransport was only used to fail when more than one auth mechanism with the same cred transport is used. Now it is also used to find the best candidate for a challenge (for ex, if basic and oidc/web-app are used and basic fails then it is guaranteed basic will return the challenge, even without the priority based sorting). It is also now used for a path-specific authentication: https://quarkus.io/guides/security#path-specific-authentication-mechanism.
@michalvavrik Apologies, seeing/reading your analysis only now as I've noticed your PR...
np
fixes: quarkusio#27180 (cherry picked from commit 48d0c87)
Describe the bug
I'm currently unable to overwrite the Response with a CustomFormAuthenticationMechanism when using security-jpa with quarkus using RestEasy-Classic. I did not test RestEasy-Reactive.
The last known version this was possible was using 2.7.5.Final.
If there's anything else you need let me know!
Here's my Implementation of the HttpAuthenticationMechanism
Expected behavior
Changed Challenge Data with changed Response should be returned resulting in a 401 Response
Actual behavior
Default Response (302) is returned
How to Reproduce?
Reproducer: https://github.com/BrainShit/custom-formauth-reproducer
Output of uname -a or ver
No response
Output of java -version
11.0.8 2020-07-14
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.11.2.Final
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
No response
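As an added illustration of the custom-mechanism pattern this issue and the linked guide describe (it is not the reporter's implementation from the reproducer nor Quarkus project code), the class below delegates authentication to the built-in form mechanism, reports the same credential transport so the challenge is routed to it, and returns a 401 challenge instead of the default 302. It assumes the Quarkus 2.11 API shape (javax namespace, Uni-returning getCredentialTransport) and the "WWW-Authenticate: form" header value is a made-up choice.

```java
import java.util.Set;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.inject.Inject;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

// Hypothetical mechanism (not the reporter's code): delegates authentication to the
// built-in form mechanism but answers an unauthenticated request with 401 instead
// of the default 302 redirect. @Alternative + @Priority hides the built-in bean
// from the mechanism list, as in the Quarkus security-customization guide.
@Alternative
@Priority(1)
@ApplicationScoped
public class CustomFormAuthenticationMechanism implements HttpAuthenticationMechanism {
    @Inject
    FormAuthenticationMechanism delegate;

    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext context,
            IdentityProviderManager identityProviderManager) {
        return delegate.authenticate(context, identityProviderManager);
    }

    @Override
    public Uni<ChallengeData> getChallenge(RoutingContext context) {
        // 401 plus a WWW-Authenticate header: an API client can act on this,
        // whereas a 302 to an HTML login page is only useful to a browser.
        return Uni.createFrom().item(new ChallengeData(401, "WWW-Authenticate", "form"));
    }

    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return delegate.getCredentialTypes();
    }

    @Override
    public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext context) {
        // Same transport as the form mechanism, so the challenge is routed here when
        // several mechanisms are configured (assumed 2.11 Uni-returning signature).
        return delegate.getCredentialTransport(context);
    }
}
```

If a mechanism does not report a credential transport, the challenge selection described in the comments above cannot prefer it, which is why the override of getCredentialTransport matters as much as the override of getChallenge.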