Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor RESTEasy Classic default JAX-RS security to make endpoint detection more robust #38622

Merged
merged 1 commit into from
Feb 12, 2024
Merged

Refactor RESTEasy Classic default JAX-RS security to make endpoint detection more robust #38622

merged 1 commit into from
Feb 12, 2024

Conversation

michalvavrik
Copy link
Member

@michalvavrik michalvavrik commented Feb 6, 2024
edited
Loading

This solution replaces build time detection of endpoints which proved to be an issue in past. I think it's more secure as annotation inheritance discord between CDI and JAX-RS is really complex.

@quarkus-bot

This comment has been minimized.

Sign in to view
@sberyozkin
Copy link
Member

sberyozkin commented Feb 7, 2024
edited
Loading

Michal, @michalvavrik Thanks, it does look like it simplifies things, but I'd like to question if it is necessary to do this security related refactoring for the legacy extension, where everything is settled now, and we recommend the Resteasy Reactive extension.

The code is simpler but it is a new code and we already cover the deny all use case with your fixes, tests

@michalvavrik
Copy link
Member Author

michalvavrik commented Feb 7, 2024
edited
Loading

if it is necessary to do this security related refactoring for the legacy extension

this extension is not deprecated, I'll treat it differently when the deprecation happens; right now, there is product level support and according to discussion on renaming of RESTEasy Reactive, this extension is one used by majority of Jakarta REST users

where everything is settled now

Maybe I didn't describe it correctly in the PR description - current detection of endpoints is far from perfect, I did my best, but I don't believe I covered every inheritance combination. There is theoretical chance I covered all of them, but I think that's what we had thought last time. This is hardening PR.

@michalvavrik michalvavrik force-pushed the feature/refactor-rc-jaxrs-default-security branch from 284b4af to 46b39c8 Compare February 7, 2024 11:22
@michalvavrik
Copy link
Member Author

BTW I couldn't do this originally because of the order of 2 PRs, this needed to be based on the combination of previous RC fixes.

@quarkus-bot
Copy link

quarkus-bot bot commented Feb 7, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 46b39c8.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Flaky tests - Develocity

⚙️ JVM Tests - JDK 17

📦 extensions/smallrye-reactive-messaging-kafka/deployment

io.quarkus.smallrye.reactivemessaging.kafka.deployment.dev.KafkaDevServicesDevModeTestCase.sseStream - History

  • Assertion condition defined as a io.quarkus.smallrye.reactivemessaging.kafka.deployment.dev.KafkaDevServicesDevModeTestCase Expecting size of: [] to be greater than or equal to 2 but was 0 within 10 seconds. - org.awaitility.core.ConditionTimeoutException
org.awaitility.core.ConditionTimeoutException: 
Assertion condition defined as a io.quarkus.smallrye.reactivemessaging.kafka.deployment.dev.KafkaDevServicesDevModeTestCase 
Expecting size of:
  []
to be greater than or equal to 2 but was 0 within 10 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:119)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:31)

@sberyozkin
Copy link
Member

I'd like to wait till Monday, @stuartwdouglas - have a quick look please if you can, it looks good

@zakkak zakkak mentioned this pull request Feb 9, 2024
Merged
@sberyozkin sberyozkin merged commit 432b59a into quarkusio:main Feb 12, 2024
48 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.9 - main milestone Feb 12, 2024
@michalvavrik michalvavrik deleted the feature/refactor-rc-jaxrs-default-security branch February 12, 2024 17:49
@sberyozkin sberyozkin mentioned this pull request Apr 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sberyozkin sberyozkin sberyozkin approved these changes

Assignees
No one assigned
Labels
area/resteasy-classic area/security triage/flaky-test
Projects
None yet
Milestone
3.9.0.CR1
Development

Successfully merging this pull request may close these issues.
2 participants
@michalvavrik @sberyozkin