Do not set 'realm=Quarkus' in Basic auth challenge #27342

Merged

Conversation

sberyozkin
Member

Fixes #27291

Currently, reporting an optional realm property in the Basic auth challenge WWW-Authenticate: Basic realm="Quarkus" by default has 2 problems: 1) it affects the clients which are not prepared for, or do not expect, a realm property, as reported on Zulip, and 2) it leaks an implementation detail, a minor case of information exposure.

So this PR simply makes the quarkus.http.realm property optional, so the realm is reported only if it is required. It is really a bug fix, so proposing a backport as well.
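
A defender-side check for the challenge discussed in this PR, as an added example that is not part of the PR or of the Quarkus code base: it parses a WWW-Authenticate value (including several challenges in one header and commas inside quoted strings) and classifies the realm of each Basic challenge. The function names, the `product_names` list and the sample header values are assumptions made for illustration.

```python
import re
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PIECE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')   # comma split that respects quoted strings
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})$')
SCHEME = re.compile(rf'({TOKEN})(?:\s+(.*))?$', re.S)
# Constructed sample values; the first is the default challenge quoted in the PR text.
SAMPLES = ['Basic realm="Quarkus"', 'Basic',
           'Bearer error="invalid_token", Basic realm="Orders, EU", charset="UTF-8"']

def _store(params, match):
    key, value = match.groups()
    if value.startswith('"'):                      # quoted-string: drop quotes, unescape
        value = re.sub(r'\\(.)', r'\1', value[1:-1])
    params[key.lower()] = value                    # parameter names are case-insensitive

def parse_challenges(header):
    """Return [(scheme, {param: value})] for one WWW-Authenticate header value."""
    challenges = []
    for piece in (p.strip() for p in PIECE.findall(header)):
        param = PARAM.match(piece)
        if param and challenges:                   # bare auth-param of the current challenge
            _store(challenges[-1][1], param)
            continue
        start = SCHEME.match(piece)
        if not start:                              # malformed piece: ignore it
            continue
        scheme, rest = start.groups()
        challenges.append((scheme, {}))
        first = PARAM.match(rest) if rest else None
        if first:                                  # "Scheme name=value"
            _store(challenges[-1][1], first)
        elif rest:                                 # token68 form, e.g. "Negotiate <blob>"
            challenges[-1][1]["token68"] = rest
    return challenges

def audit_basic_realm(header, product_names=("quarkus",)):
    """Classify each Basic challenge's realm as 'absent', 'discloses' or 'custom'."""
    results = []
    for scheme, params in parse_challenges(header):
        if scheme.lower() != "basic":
            continue
        realm = params.get("realm")
        verdict = ("absent" if realm is None else "discloses"
                   if any(n in realm.lower() for n in product_names) else "custom")
        results.append((verdict, realm))
    return results

if __name__ == "__main__":
    print(*[(h, audit_basic_realm(h)) for h in SAMPLES], sep="\n")
```
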

@quarkus-bot

quarkus-bot bot commented Aug 17, 2022

Failing Jobs - Building c8843a7

| Status | Name | Step | Failures | Logs | Raw logs |
|---|---|---|---|---|---|
| ✔️ | JVM Tests - JDK 11 | | | | |
| | JVM Tests - JDK 11 Windows | Build | Failures | Logs | Raw logs |
| ✔️ | JVM Tests - JDK 17 | | | | |
| ✔️ | JVM Tests - JDK 18 | | | | |

Full information is available in the Build summary check run.

Failures

⚙️ JVM Tests - JDK 11 Windows

- Failing: extensions/vertx-http/deployment 
! Skipped: extensions/agroal/deployment extensions/amazon-lambda-http/deployment extensions/amazon-lambda-rest/deployment and 309 more

📦 extensions/vertx-http/deployment

io.quarkus.vertx.http.http2.Http2Test.testHttp2EnabledSsl line 57

java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
	at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
	at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1999)

@sberyozkin sberyozkin merged commit 8787a2a into quarkusio:main Aug 18, 2022
@quarkus-bot quarkus-bot bot added this to the 2.13 - main milestone Aug 18, 2022
@sberyozkin sberyozkin deleted the do_not_report_basic_quarkus_realm branch August 18, 2022 15:30
@gsmet gsmet modified the milestones: 2.13 - main, 2.12.0.Final Aug 23, 2022
Successfully merging this pull request may close these issues.

BasicAuthenticationMechanism challenge contains a Quarkus realm property