Use failure handlers for security exceptions before JAX-RS chain starts #28967
Failing Jobs - Building 1a299fc
Full information is available in the Build summary check run.
Failures
⚙️ JVM Tests - JDK 11 Windows #
- Failing: extensions/opentelemetry/deployment
! Skipped: integration-tests/micrometer-prometheus integration-tests/opentelemetry integration-tests/opentelemetry-grpc and 5 more
📦 extensions/opentelemetry/deployment ✖
LGTM, thanks @michalvavrik.
Next, we can revisit your idea of allowing to get into the application code to map the error even if the proactive authentication is enabled, and combine it with the generic failure handler approach.
For RESTEasy Reactive that would be as simple as removing this boolean https://github.com/quarkusio/quarkus/blob/main/extensions/resteasy-reactive/quarkus-resteasy-reactive/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/ResteasyReactiveRecorder.java#L228. It has no real value except for stopping exception mappers from receiving auth failures when proactive auth is enabled :-) For classic it might be harder, don't know yet. We can wait with the next step as there have been a lot of changes in that area (whatever you want); now I have #5751 to deal with and it's strongly related.
fixes: #28489
fixes: #28488
Make it possible to customize response when Quarkus Security authentication exceptions are thrown before JAX-RS chain started. That is done by failing event when proactive security is enabled and ensuring default failure handler QuarkusErrorHandler sends response if it wasn't sent downstream. We should provide a way to customize response as users were asking for it and currently it's not possible f.e. when smallrye-jwt receives invalid token to customize response.
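
What the description above enables, as an added example (not code from this PR or from Quarkus itself): an application-level Vert.x failure handler that answers an authentication failure raised before the JAX-RS chain starts, and passes every other failure on so the default handler still responds. The class name and the JSON body are constructed for illustration; the `javax.enterprise` imports assume a Quarkus 2.x application.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

import io.quarkus.security.AuthenticationFailedException;
import io.vertx.ext.web.Router;

// Hypothetical class name; any CDI bean that observes the Router works.
@ApplicationScoped
public class AuthFailureResponseCustomizer {

    // Quarkus fires the Vert.x Router as a CDI event at startup, so the
    // application can register its own route-level failure handler.
    public void init(@Observes Router router) {
        router.route().failureHandler(ctx -> {
            Throwable failure = ctx.failure();

            // Handle only authentication failures, and only if nothing
            // downstream has already written the response.
            if (failure instanceof AuthenticationFailedException
                    && !ctx.response().ended()) {
                // Constructed body. It deliberately carries nothing from
                // failure.getMessage(): why a token was rejected belongs
                // in server logs, not in the reply to the caller.
                ctx.response()
                   .setStatusCode(401)
                   .putHeader("Content-Type", "application/json")
                   .end("{\"error\":\"authentication_failed\"}");
            } else {
                // Not ours: let the next failure handler (ultimately the
                // default one) produce the response.
                ctx.next();
            }
        });
    }
}
```

A handler like this replaces the response the authentication mechanism would otherwise send, so any challenge header clients rely on (for example `WWW-Authenticate`) has to be set here explicitly.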