quarkus: Random HTTP 401 failures from endpoints secured with `@RolesAllowed`
Describe the bug
Expected behavior
401 can only be returned for unauthenticated requests
Actual behavior
According to the report, 401 might happen due to an anonymous SecurityIdentity even when the authentication credentials are provided
How to Reproduce?
https://github.com/florian-signoret-ibm/quarkus-basic-auth-issue
Output of uname -a or ver
No response
Output of java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
No response
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
No response
About this issue
- Original URL
- State: closed
- Created a year ago
- Comments: 51 (42 by maintainers)
I tested and could not reproduce the issue Thanks!
I created https://github.com/quarkusio/quarkus-github-bot/issues/342 .
No, in order to test the fix, you would have to follow build main https://github.com/quarkusio/quarkus/blob/main/CONTRIBUTING.md#building-main then use quarkus version 999-SNAPSHOT and group id io.quarkus (not a platform in it).
Great stuff, thanks for your help Julien @jponge
Yes
On Tue, Jun 27, 2023 at 2:27 PM Sergey Beryozkin @.***> wrote:
There’s a fix in Mutiny.
Yea, but this test is exactly the code that is run in
HttpSecurityRecorderwhere the bug is. I was trying to reproduce the bug, not demonstrate memoization 😃Hey @michalvavrik Thanks for spending the time on this one. I wonder, if there is indeed a race condition with the Vert.x context propagation. Hey @cescoffier @jponge, can you check please https://github.com/quarkusio/quarkus/issues/33602#issuecomment-1575635342 ? Might be an interesting issue related to the way Mutiny handles it
I’ll have a look.
Hello @sberyozkin I updated the project to log, for incoming requests, an internal ID, the authorization header and the principal name. For the failing request, you will notice that the authorization header is present, but the principal is null.
Thanks for the heads up