RR - use exception mappers on auth failure exceptions for proactive auth #29590

michalvavrik · 2022-11-30T18:50:40Z

This is proposal to enable RESTEasy Reactive exception mappers to handle AuthenticationCompletionException, AuthenticationFailedException, AuthenticationRedirectException, ForbiddenException when quarkus.http.auth.proactive=true. I suggest we weight the arguments and decide whether the change is needed in some form or the PR should be closed.

Pros:

user can use exception mappers when quarkus.http.auth.proactive=false
it's JAX-RS way that user asked for in the past
HTTP path matching policy may lead to 403 that will be customizable via exception mappers (after this PR, not down to proactive=true), currently it's only customizable via failure handlers
by accident, above-mentioned already works for RESTEasy Classic since 2.14 (however we can regress it) and classic/reactive behavior should be same

Cons:

IMO in reported issues, users seemed complacent about using proactive=false (once Sergey suggested it)
custom exception mapper that catches AuthenticationFailedException thrown by OIDC is unlikely to send challenge
currenlty users can customize response via failure handlers after the default auth failure handler has send challenge and failed event (iff auth mechanism didn't end response), therefore it's safer

sberyozkin · 2022-12-04T12:00:28Z

@michalvavrik Sorry for the delay.
Can you please add a test showing that fault handlers can still be used with the proactive auth enabled if preferred unless we already have the existing test ? I'm not sure why you remove the doc section explaining how to use the fault handlers.
Thanks

michalvavrik · 2022-12-04T12:05:31Z

@sberyozkin sure, I'll think about it and may add tests next week. I removed the docs section as it says with proactive=true the only way to customize response is to use failure handler, which would no more be true. My issue with user defined failure handler when proactive=true is that with RESTEasy Reactive/Classic they would need negative priority and I don't want to advice that to users. I think primary way for RESTEasy Reactive/Classic should be exception mappers and failure handlers are available for special cases or for non-JAX-RS users (Reactive Routes, pure lambdas?).

michalvavrik · 2022-12-04T12:06:57Z

Maybe there is another way, let me think about it, I'm currently on sick leave.

sberyozkin · 2022-12-04T12:11:09Z

@michalvavrik Sorry, take care, no rush at all, lets talk in a few days (I'd consider keeping the doc section but adjusting the advice only when/how to use it - ex, if both basic and code flow are enabled, etc)

sberyozkin · 2022-12-15T15:37:22Z

@michalvavrik Hey, so the only question on my part here, is the fault route path still working with this PR (can you link to the test please), and if yes, then my only change request is to keep the info about using fault routes in the docs (with some minor updates - it won't longer be the only option)

michalvavrik · 2022-12-15T15:59:26Z

@michalvavrik Hey, so the only question on my part here, is the fault route path still working with this PR (can you link to the test please), and if yes, then my only change request is to keep the info about using fault routes in the docs (with some minor updates - it won't longer be the only option)

Simply priority adjustment will make failure handlers working again and then I will return docs section & add all relevant tests. I'll do that.

michalvavrik · 2022-12-15T21:20:34Z

I've added an example and caution note to docs regarding auth mechanism challenge. Together existing test coverage and added tests covers both exception mappers and failure handlers in RESTEasy Reactive and Classic.

docs/src/main/asciidoc/security-built-in-authentication-support-concept.adoc

sberyozkin · 2022-12-16T10:43:15Z

@michalvavrik Great work, thanks, left a few minor doc suggestions only

quarkusio#29896

michalvavrik · 2022-12-16T11:29:24Z

Docs looks better with your comments, thank you.

quarkus-bot · 2022-12-16T15:42:15Z

Failing Jobs - Building `8ed165f`

Status	Name	Step	Failures	Logs	Raw logs
✔️	Gradle Tests - JDK 11
✖	Gradle Tests - JDK 11 Windows	`Build`	Failures	Logs	Raw logs

Full information is available in the Build summary check run.

Failures

⚙️ Gradle Tests - JDK 11 Windows #

- Failing: integration-tests/gradle

📦 integration-tests/gradle

✖ io.quarkus.gradle.devmode.JandexMultiModuleProjectDevModeTest.main line 21 - More details - Source on GitHub

org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in io.quarkus.test.devmode.util.DevModeTestUtils that uses java.util.function.Supplier, java.util.function.Supplierjava.util.concurrent.atomic.AtomicReference, java.util.concurrent.atomic.AtomicReferencejava.lang.String, java.lang.Stringboolean was not fulfilled within 1 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)

michalvavrik requested a review from sberyozkin November 30, 2022 18:50

quarkus-bot bot added area/documentation area/resteasy-reactive area/smallrye labels Nov 30, 2022

quarkus-bot bot added this to To do in Quarkus Documentation Nov 30, 2022

michalvavrik marked this pull request as draft December 4, 2022 12:08

sberyozkin mentioned this pull request Dec 15, 2022

smallrye jwt 401 cannot be intercepted by ExceptionMapper #29896

Closed

sberyozkin added the triage/backport? label Dec 15, 2022

michalvavrik force-pushed the feature/rr-proactive-auth-ex-mappers branch from 3ff5df2 to 8721761 Compare December 15, 2022 21:17

quarkus-bot bot added the area/vertx label Dec 15, 2022

michalvavrik marked this pull request as ready for review December 15, 2022 21:19

This comment has been minimized.

Sign in to view