quarkus: Unable to change unauthenticated response with `quarkus-resteasy-reactive`
Describe the bug
I tried to add a custom exception mapper for unauthenticated exceptions. Followed the instruction on https://quarkus.io/guides/security-built-in-authentication#how-to-customize-authentication-exception-responses. However, although the exception mapper is defined, it’s never being invoked. Switching the proactive auth on and off does not have any impact.
The exception mapper is the same as in the documentation:
```java
import io.quarkus.security.AuthenticationFailedException;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFailedExceptionMapper implements ExceptionMapper<AuthenticationFailedException> {

    @Context
    UriInfo uriInfo;

    @Override
    public Response toResponse(AuthenticationFailedException exception) {
        // on purpose change to 5xx
        return Response.status(500).entity("Custom body").build();
    }
}
```
Expected behavior
Response can be customized.
Actual behavior
Always returns the same response:
```
$ curl 'http://localhost:8080/hello' -u scott:wrong -v
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'scott'
> GET /hello HTTP/1.1
> Host: localhost:8080
> Authorization: Basic c2NvdHQ6cmVhZGU=
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< www-authenticate: basic realm="Quarkus"
< content-length: 0
<
* Connection #0 to host localhost left intact
```
How to Reproduce?
Here is the reproducible example: https://github.com/ivansenic/quarkus-25732
Output of uname -a or ver
Linux ise-Precision-5550 5.13.0-41-generic #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Output of java -version
openjdk version "17.0.3" 2022-04-19
OpenJDK Runtime Environment (build 17.0.3+7-Ubuntu-0ubuntu0.20.04.1)
OpenJDK 64-Bit Server VM (build 17.0.3+7-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.9.1.Final
Build tool (ie. output of mvnw --version or gradlew --version)
Maven home: /home/ise/.m2/wrapper/dists/apache-maven-3.8.4-bin/52ccbt68d252mdldqsfsn03jlf/apache-maven-3.8.4
Java version: 17.0.3, vendor: Private Build, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.13.0-41-generic", arch: "amd64", family: "unix"
Additional information
No response
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 22 (21 by maintainers)
Commits related to this issue
- Let RESTEasy Reactive exc. mappers handle failed auth (proactive=false) fixes: #25732, #22971, #26314 (for proactive=false) — committed to michalvavrik/quarkus by michalvavrik 2 years ago
- Let RESTEasy Reactive exc. mappers handle failed auth (proactive=false) fixes: #25732, #22971, #26314 (for proactive=false) — committed to igorregis/quarkus by michalvavrik 2 years ago
- Let RESTEasy Reactive exc. mappers handle failed auth (proactive=false) fixes: #25732, #22971, #26314 (for proactive=false) — committed to tmihalac/quarkus by michalvavrik 2 years ago
- Implement RBAC & Authentication for swatch-contracts https://issues.redhat.com/browse/SWATCH-849 I had to move `openapi.yaml` to `src/main/resources/META-INF` so that it would be picked up by `OpenA... — committed to RedHatInsights/rhsm-subscriptions by kahowell a year ago
Yup hooking into challenge works… Just in case that somebody needs it, here is the reference on how I am setting the custom response: https://github.com/stargate/stargate/blob/304cff3ace476737ab1309a44a20b26bed8a7ad7/sgv2-docsapi/src/main/java/io/stargate/sgv2/docsapi/api/common/security/HeaderBasedAuthenticationMechanism.java#L88-L125
As far as I am concerned, the issue is resolved.
Thanks @geoand @sberyozkin
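The "hook into the challenge" approach referred to above, as an added example (not the reporter's code and not the Stargate class linked): a custom mechanism that wraps Quarkus's built-in `BasicAuthenticationMechanism` and customizes the body in `sendChallenge`, which is where the 401 is written on the proactive-auth path before any JAX-RS `ExceptionMapper` could run. It assumes the Quarkus 2.9 `HttpAuthenticationMechanism` API (including the `RoutingContext` variant of `getCredentialTransport`) and an injectable built-in Basic mechanism; the class name and JSON body are made up.

```java
import java.util.Set;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.inject.Inject;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.core.http.HttpServerResponse;
import io.vertx.ext.web.RoutingContext;

// Added example (not from the issue): takes precedence over the built-in Basic mechanism
// and delegates everything to it except how the failed-auth challenge is written.
@Alternative @Priority(1) @ApplicationScoped
public class CustomBodyBasicAuthMechanism implements HttpAuthenticationMechanism {

    @Inject
    BasicAuthenticationMechanism delegate; // assumption: built-in bean from quarkus-vertx-http

    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext ctx, IdentityProviderManager ipm) {
        return delegate.authenticate(ctx, ipm);
    }
    @Override
    public Uni<ChallengeData> getChallenge(RoutingContext ctx) {
        return delegate.getChallenge(ctx);
    }
    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return delegate.getCredentialTypes();
    }
    @Override
    public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext ctx) {
        return delegate.getCredentialTransport(ctx);
    }
    // Keep the 401 status and WWW-Authenticate header so clients still learn that
    // credentials are required; only the body is customized. Mappers never see this path.
    @Override
    public Uni<Boolean> sendChallenge(RoutingContext ctx) {
        return getChallenge(ctx).map(challenge -> {
            HttpServerResponse response = ctx.response();
            response.setStatusCode(challenge.status);
            response.putHeader(challenge.headerName, challenge.headerContent);
            response.putHeader("Content-Type", "application/json");
            response.end("{\"error\":\"unauthorized\",\"detail\":\"valid credentials required\"}");
            return true;
        });
    }
}
```

Because the class is an `@Alternative` with `@Priority(1)`, Quarkus selects it instead of the default mechanism; the 401 and the `WWW-Authenticate` header are preserved from the delegate's `ChallengeData`.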
I just tried your sample and handling the exception with the `ExceptionMapper` does not work for RESTEasy Classic either. @sberyozkin I think this is best handled by you, since I am lacking a lot of the security context. At the very least, I think we need to update the documentation to specify under which conditions using an `ExceptionMapper` works.
@ivansenic Nice one, thanks for quickly verifying the custom mechanism option. @geoand Yeah, I’ll review which security exceptions can be mapped, and add a note re dealing with `AuthenticationFailedException`
Thanks a lot @sberyozkin!
Completely understood 😀