Enabling both basic auth and form auth in quarkus does not work #7768

Closed
pazepaze opened this issue Mar 11, 2020 · 0 comments · Fixed by #8006
Labels
area/security kind/bug Something isn't working
pazepaze commented Mar 11, 2020

Description
I tried enabling both basic and form authentication in Quarkus 1.2.1.Final. According to the documentation, when enabling both form and basic auth, basic auth should work in silent mode. As far as I understand, this means that basic auth is used when an Authorization header is sent.

Expected behavior
When enabling both form and basic auth and sending a GET request with a valid Authorization header to a REST endpoint, basic auth should be used, the user should be authenticated successfully and the REST resource should be called.

Actual behavior
The request is forwarded to the form login page (default=login.html). It does not matter whether the Authorization header is set or whether the credentials are valid. Form authentication will always be used instead of basic auth. When I disable form authentication and only enable basic auth, then basic auth works as expected.

To Reproduce
Steps to reproduce the behavior:

  1. Start with the code.quarkus.io project setup enabling "Properties File based Security"
  2. Add to the application.properties file:

```properties
quarkus.http.auth.form.enabled=true
quarkus.http.auth.basic=true

quarkus.security.users.file.enabled=true
quarkus.security.users.file.users=test-users.properties
quarkus.security.users.file.roles=test-roles.properties
quarkus.security.users.file.realm-name=MyRealm
quarkus.security.users.file.plain-text=true
```

Add test-users.properties with content:

```properties
admin=admin
```

and test-roles.properties with content:

```properties
admin=adminrole
```

  3. Add annotation @RolesAllowed("adminrole") to the example rest resource at /hello
  4. Send a GET request to /hello with Authorization header for user admin, password admin and observe that you get a 302 response instead of a 200.

Environment:

  • Output of uname -a or ver: Linux N302 5.3.0-40-generic #32-Ubuntu SMP Fri Jan 31 20:24:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Output of java -version: openjdk version "1.8.0_242"
    OpenJDK Runtime Environment (build 1.8.0_242-8u242-b08-0ubuntu3~19.10-b08)
    OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
  • GraalVM version (if different from Java):
  • Quarkus version or git rev: 1.2.1.Final
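
A regression check for the behaviour reported above, written as a `@QuarkusTest` with REST Assured. This is an added example, not code from the issue or from the Quarkus project; the package and class names are hypothetical, and it assumes the `application.properties`, `test-users.properties` and `test-roles.properties` from the reproduction steps are on the test classpath. The second test assumes the form challenge is a 302 redirect to the default `login.html` page, as the report describes.

```java
package org.acme; // hypothetical package name

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.containsString;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

@QuarkusTest
public class BasicAndFormAuthTest { // hypothetical class name

    // A request that carries valid basic credentials must reach the
    // @RolesAllowed("adminrole") resource. On the affected version this
    // returned 302 (redirect to the form login page) instead of 200.
    @Test
    public void basicCredentialsReachTheResource() {
        given()
            // Do not follow redirects, so a 302 to the login page is
            // reported as 302 rather than as the login page's 200.
            .redirects().follow(false)
            // Preemptive: send the Authorization header on the first
            // request. With form auth enabled there is no 401 challenge
            // for a non-preemptive client to react to.
            .auth().preemptive().basic("admin", "admin")
        .when()
            .get("/hello")
        .then()
            .statusCode(200);
    }

    // A request without any credentials should still be handled by form
    // auth. Assumption: the challenge is a 302 whose Location points at
    // the default login page named in the report (login.html).
    @Test
    public void noCredentialsGetTheFormChallenge() {
        given()
            .redirects().follow(false)
        .when()
            .get("/hello")
        .then()
            .statusCode(302)
            .header("Location", containsString("login.html"));
    }
}
```

Keeping both tests together catches regressions in either direction: basic credentials being ignored, or the protected resource no longer issuing the form challenge.
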
@pazepaze pazepaze added the kind/bug Something isn't working label Mar 11, 2020
stuartwdouglas added a commit to stuartwdouglas/quarkus that referenced this issue Mar 20, 2020
- Use synthetic beans to configure form and basic auth
- Allow multiple authentication mechanisms
- Better default behaviour based on what is configured

Fixes quarkusio#7768
Fixes quarkusio#5284
@gsmet gsmet added this to the 1.3.1.Final milestone Mar 26, 2020