Repeating @PermissionsAllowed annotations totally disable method authentication #44185
Comments
/cc @geoand (kotlin)
Before I start, https://quarkus.io/guides/security-authorize-web-endpoints-reference#endpoint-security-annotations-and-jakarta-rest-inheritance says you should only use security annotations on implementations. In order not to break existing behavior, we kept these interface checks, which worked in the past, working. That also makes a user-friendly validation exception really hard, although it is possible.
We have a great many tests like these. I think your scenario differs and, in order to determine where, I need to run this.
Honestly:
doesn't give me information, because I don't know what permissions your identity has. Sorry for the stupid question, but do you understand that your identity needs both
So
One more thing @AlexanderUkhta, are you using Quarkus REST or RESTEasy Classic? Better provide a reproducer.
Sure, as I've written above - that was the expected behavior, but the access is granted anyway.
I'll send you a link with an example a bit later.
Sure, sorry, I missed that.
Thanks. It doesn't need to be minimal, just something that can be run (even after adjustments).
@AlexanderUkhta I think I have guessed it. Better not spend time on it and don't create the reproducer. Please forget about the reproducer. Just confirm 2 things for me:
We have it documented at https://quarkus.io/guides/security-authorize-web-endpoints-reference#endpoint-security-annotations-and-jakarta-rest-inheritance as well
Yes, you're right.
I've just tried to move my
My interface now:
My implementation is something like this (let's assume that auditor is just some module whose suspend methods are to be called):
And that is my test (Kerberos auth is used and roles/permissions are stored in the DB):
Above, everything is fine.
Now only the number of my method annotations is changed:
In this case I get an exception:
Seems to be a problem with a blocking call in line 194 in a98a3f9
Thank you for confirming @AlexanderUkhta, and thanks for reporting this.
That's this one I think: #44068, maybe have a look, I provided context there.
We don't want to support security annotations on interfaces, but what you describe here is a bad user experience and we can definitely do better. I'll take care of it this or next week.
Describe the bug
Currently using the latest Quarkus 3.15.1.
I have my security annotations being used in the resource interface. While the method is annotated with a single @PermissionsAllowed annotation or is marked as @Authenticated - it all works fine. If the method is annotated with repeating @PermissionsAllowed, any auth or permission validation does not work (Got 200 OK on any request). Please see my test resource with comments below:
If I put the @Authenticated additionally on the interface level - it all works fine. However, I can't use the @Authenticated annotation this way due to some limitations of my resource generator and because I still need to keep some API methods public.
Expected behavior
Repeating @PermissionsAllowed annotations on a method should work as multiple permissions that are all needed to access the API method.
Actual behavior
An interface method which is annotated with repeating @PermissionsAllowed, where the interface is not marked with @Authenticated - always returns 200 OK.
How to Reproduce?
No response
Output of uname -a or ver
Darwin Kernel Version 21.6.0: Mon Jun 24 00:56:10 PDT 2024; root:xnu-8020.240.18.709.2~1/RELEASE_X86_64 x86_64
Output of java -version
openjdk version "21.0.4" 2024-07-16 LTS OpenJDK Runtime Environment Corretto-21.0.4.7.1 (build 21.0.4+7-LTS) OpenJDK 64-Bit Server VM Corretto-21.0.4.7.1 (build 21.0.4+7-LTS, mixed mode, sharing)
Quarkus version or git rev
3.15.1
Build tool (ie. output of mvnw --version or gradlew --version)
------------------------------------------------------------ Gradle 8.6 ------------------------------------------------------------ Build time: 2024-02-02 16:47:16 UTC Revision: d55c486870a0dc6f6278f53d21381396d0741c6e Kotlin: 1.9.20 Groovy: 3.0.17 Ant: Apache Ant(TM) version 1.10.13 compiled on January 4 2023 JVM: 18.0.2 (Amazon.com Inc. 18.0.2+9-FR) OS: Mac OS X 12.7.6 x86_64
Additional information
No response
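As an added example that is not the reporter's code (the names AuditApi, AuditResource and the permissions audit:read / audit:export are made up), this shows the annotation placement the Quarkus guide linked in the thread recommends, on the implementation rather than the interface, with a comment marking the interface-only variant the report describes, plus a regression test that fails closed if authorization is silently skipped:

```java
// AuditApi.java: a plain Jakarta REST interface with no security annotations.
// The pattern from the report moves the two @PermissionsAllowed annotations
// below up to this interface method and leaves the implementation bare; with
// Quarkus 3.15.1 the reporter observed that this returns 200 OK to anyone.
package org.acme; // hypothetical package

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

@Path("/audit")
public interface AuditApi {
    @GET
    String export();
}

// AuditResource.java: security annotations on the implementation, which is
// the placement the Quarkus guide recommends. Two separate @PermissionsAllowed
// annotations are independent checks that must both pass; a single annotation
// listing several values passes if any one of them is held.
package org.acme;

import io.quarkus.security.PermissionsAllowed;

public class AuditResource implements AuditApi {
    @Override
    @PermissionsAllowed("audit:read")
    @PermissionsAllowed("audit:export")
    public String export() {
        return "audit data";
    }
}

// AuditResourceTest.java: regression test. An anonymous request must never
// reach the method body; Quarkus answers 401 when no identity is present
// (a caller that is authenticated but lacks a permission gets 403).
package org.acme;

import static io.restassured.RestAssured.given;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

@QuarkusTest
class AuditResourceTest {
    @Test
    void anonymousRequestIsRejected() {
        given().when().get("/audit").then().statusCode(401);
    }
}
```

The 401 assumes the default response for a missing identity with the application's authentication mechanism; if yours challenges differently, assert on that status instead, since the point of the test is that an anonymous call is never answered with 200.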