From ec79685d695a8902745bc43b099b4f15c08a8353 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Vav=C5=99=C3=ADk?= <mvavrik@redhat.com>
Date: Thu, 22 Dec 2022 03:04:57 +0100
Subject: [PATCH] Prevent duplicate Location headers during OIDC redirection

fixes: #30011
---
 .../ResteasyStandaloneBuildStep.java          |  54 ++++++++-
 ...thenticationFailedExceptionHeaderTest.java | 100 ++++++++++++++++
 ...enticationRedirectExceptionHeaderTest.java | 109 ++++++++++++++++++
 .../ResteasyStandaloneRecorder.java           |  38 +++++-
 .../deployment/ResteasyReactiveProcessor.java |  42 ++++++-
 ...thenticationFailedExceptionHeaderTest.java |  91 +++++++++++++++
 ...enticationRedirectExceptionHeaderTest.java | 100 ++++++++++++++++
 .../runtime/ResteasyReactiveRecorder.java     |  37 +++++-
 .../security/HttpSecurityRecorder.java        |   3 +
 9 files changed, 570 insertions(+), 4 deletions(-)
 create mode 100644 extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/AuthenticationFailedExceptionHeaderTest.java
 create mode 100644 extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/AuthenticationRedirectExceptionHeaderTest.java
 create mode 100644 extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/AuthenticationFailedExceptionHeaderTest.java
 create mode 100644 extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/AuthenticationRedirectExceptionHeaderTest.java

diff --git a/extensions/resteasy-classic/resteasy/deployment/src/main/java/io/quarkus/resteasy/deployment/ResteasyStandaloneBuildStep.java b/extensions/resteasy-classic/resteasy/deployment/src/main/java/io/quarkus/resteasy/deployment/ResteasyStandaloneBuildStep.java
index a78f85e87933d9..a63334d0cbdf11 100644
--- a/extensions/resteasy-classic/resteasy/deployment/src/main/java/io/quarkus/resteasy/deployment/ResteasyStandaloneBuildStep.java
+++ b/extensions/resteasy-classic/resteasy/deployment/src/main/java/io/quarkus/resteasy/deployment/ResteasyStandaloneBuildStep.java
@@ -5,6 +5,12 @@
 
 import java.util.Optional;
 
+import javax.ws.rs.ext.ExceptionMapper;
+
+import org.jboss.jandex.DotName;
+import org.jboss.jandex.IndexView;
+import org.jboss.jandex.Type;
+
 import io.quarkus.builder.item.SimpleBuildItem;
 import io.quarkus.deployment.Capabilities;
 import io.quarkus.deployment.Capability;
@@ -14,19 +20,27 @@
 import io.quarkus.deployment.annotations.ExecutionTime;
 import io.quarkus.deployment.annotations.Record;
 import io.quarkus.deployment.builditem.ApplicationArchivesBuildItem;
+import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
 import io.quarkus.deployment.builditem.ExecutorBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.ShutdownContextBuildItem;
 import io.quarkus.resteasy.common.deployment.ResteasyInjectionReadyBuildItem;
+import io.quarkus.resteasy.runtime.AuthenticationCompletionExceptionMapper;
+import io.quarkus.resteasy.runtime.AuthenticationFailedExceptionMapper;
+import io.quarkus.resteasy.runtime.AuthenticationRedirectExceptionMapper;
 import io.quarkus.resteasy.runtime.ResteasyVertxConfig;
 import io.quarkus.resteasy.runtime.standalone.ResteasyStandaloneRecorder;
 import io.quarkus.resteasy.server.common.deployment.ResteasyDeploymentBuildItem;
+import io.quarkus.security.AuthenticationCompletionException;
+import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.AuthenticationRedirectException;
 import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
 import io.quarkus.vertx.http.deployment.DefaultRouteBuildItem;
 import io.quarkus.vertx.http.deployment.FilterBuildItem;
 import io.quarkus.vertx.http.deployment.HttpRootPathBuildItem;
 import io.quarkus.vertx.http.deployment.RequireVirtualHttpBuildItem;
 import io.quarkus.vertx.http.deployment.RouteBuildItem;
+import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig;
 import io.quarkus.vertx.http.runtime.VertxHttpRecorder;
 import io.vertx.core.Handler;
 import io.vertx.ext.web.RoutingContext;
@@ -34,6 +48,7 @@
 public class ResteasyStandaloneBuildStep {
 
     private static final int REST_ROUTE_ORDER_OFFSET = 500;
+    private static final DotName EXCEPTION_MAPPER = DotName.createSimple(ExceptionMapper.class.getName());
 
     public static final class ResteasyStandaloneBuildItem extends SimpleBuildItem {
 
@@ -75,6 +90,8 @@ public void boot(ShutdownContextBuildItem shutdown,
             BuildProducer<RouteBuildItem> routes,
             BuildProducer<FilterBuildItem> filterBuildItemBuildProducer,
             CoreVertxBuildItem vertx,
+            CombinedIndexBuildItem combinedIndexBuildItem,
+            HttpBuildTimeConfig vertxConfig,
             ResteasyStandaloneBuildItem standalone,
             Optional<RequireVirtualHttpBuildItem> requireVirtual,
             ExecutorBuildItem executorBuildItem,
@@ -90,11 +107,28 @@ public void boot(ShutdownContextBuildItem shutdown,
         Handler<RoutingContext> handler = recorder.vertxRequestHandler(vertx.getVertx(),
                 executorBuildItem.getExecutorProxy(), resteasyVertxConfig);
 
+        final boolean noCustomAuthCompletionExMapper;
+        final boolean noCustomAuthFailureExMapper;
+        final boolean noCustomAuthRedirectExMapper;
+        if (vertxConfig.auth.proactive) {
+            noCustomAuthCompletionExMapper = notFoundCustomExMapper(AuthenticationCompletionException.class.getName(),
+                    AuthenticationCompletionExceptionMapper.class.getName(), combinedIndexBuildItem.getIndex());
+            noCustomAuthFailureExMapper = notFoundCustomExMapper(AuthenticationFailedException.class.getName(),
+                    AuthenticationFailedExceptionMapper.class.getName(), combinedIndexBuildItem.getIndex());
+            noCustomAuthRedirectExMapper = notFoundCustomExMapper(AuthenticationRedirectException.class.getName(),
+                    AuthenticationRedirectExceptionMapper.class.getName(), combinedIndexBuildItem.getIndex());
+        } else {
+            // with disabled proactive auth we need to handle exceptions anyway as default auth failure handler did not
+            noCustomAuthCompletionExMapper = false;
+            noCustomAuthFailureExMapper = false;
+            noCustomAuthRedirectExMapper = false;
+        }
         // failure handler for auth failures that occurred before the handler defined right above started processing the request
         // we add the failure handler right before QuarkusErrorHandler
         // so that user can define failure handlers that precede exception mappers
         final Handler<RoutingContext> failureHandler = recorder.vertxFailureHandler(vertx.getVertx(),
-                executorBuildItem.getExecutorProxy(), resteasyVertxConfig);
+                executorBuildItem.getExecutorProxy(), resteasyVertxConfig, noCustomAuthCompletionExMapper,
+                noCustomAuthFailureExMapper, noCustomAuthRedirectExMapper, vertxConfig.auth.proactive);
         filterBuildItemBuildProducer.produce(FilterBuildItem.ofAuthenticationFailureHandler(failureHandler));
 
         // Exact match for resources matched to the root path
@@ -117,6 +151,24 @@ public void boot(ShutdownContextBuildItem shutdown,
         recorder.start(shutdown, requireVirtual.isPresent());
     }
 
+    private static boolean notFoundCustomExMapper(String exSignatureStr, String exMapperSignatureStr, IndexView index) {
+        for (var implementor : index.getAllKnownImplementors(EXCEPTION_MAPPER)) {
+            if (exMapperSignatureStr.equals(implementor.name().toString())) {
+                continue;
+            }
+            for (Type interfaceType : implementor.interfaceTypes()) {
+                if (EXCEPTION_MAPPER.equals(interfaceType.name())) {
+                    final String mapperExSignature = interfaceType.asParameterizedType().arguments().get(0).name().toString();
+                    if (exSignatureStr.equals(mapperExSignature)) {
+                        return false;
+                    }
+                    break;
+                }
+            }
+        }
+        return true;
+    }
+
     @BuildStep
     @Record(value = ExecutionTime.STATIC_INIT)
     public FilterBuildItem addDefaultAuthFailureHandler(ResteasyStandaloneRecorder recorder) {
diff --git a/extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/AuthenticationFailedExceptionHeaderTest.java b/extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/AuthenticationFailedExceptionHeaderTest.java
new file mode 100644
index 00000000000000..740494074d9d65
--- /dev/null
+++ b/extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/AuthenticationFailedExceptionHeaderTest.java
@@ -0,0 +1,100 @@
+package io.quarkus.resteasy.test.security;
+
+import static io.vertx.core.http.HttpHeaders.LOCATION;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.Set;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.IdentityProviderManager;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.AuthenticationRequest;
+import io.quarkus.security.identity.request.BaseAuthenticationRequest;
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.vertx.http.runtime.security.ChallengeData;
+import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
+import io.restassured.RestAssured;
+import io.restassured.http.Header;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+
+public class AuthenticationFailedExceptionHeaderTest {
+
+    private static final String APP_PROPS = "" +
+            "quarkus.http.auth.permission.default.paths=/*\n" +
+            "quarkus.http.auth.permission.default.policy=authenticated";
+
+    @RegisterExtension
+    static QuarkusUnitTest runner = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource(new StringAsset(APP_PROPS), "application.properties"));
+
+    @Test
+    public void testHeaders() {
+        // case-insensitive test that there is only one location header
+        // there has been duplicate location when both default auth failure handler and auth ex mapper send challenge
+        var response = RestAssured
+                .given()
+                .redirects()
+                .follow(false)
+                .when()
+                .get("/secured-route");
+        response.then().statusCode(302);
+        assertEquals(1, response.headers().asList().stream().map(Header::getName).map(String::toLowerCase)
+                .filter(LOCATION.toString()::equals).count());
+    }
+
+    @Path("/hello")
+    public static class HelloResource {
+        @GET
+        public String hello() {
+            return "hello";
+        }
+    }
+
+    @ApplicationScoped
+    public static class FailingAuthenticator implements HttpAuthenticationMechanism {
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
+            return Uni.createFrom().failure(new AuthenticationFailedException());
+        }
+
+        @Override
+        public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
+            return Set.of(BaseAuthenticationRequest.class);
+        }
+
+        @Override
+        public Uni<ChallengeData> getChallenge(RoutingContext context) {
+            return Uni.createFrom().item(new ChallengeData(302, LOCATION, "http://localhost:8080/"));
+        }
+
+    }
+
+    @ApplicationScoped
+    public static class BasicIdentityProvider implements IdentityProvider<BaseAuthenticationRequest> {
+
+        @Override
+        public Class<BaseAuthenticationRequest> getRequestType() {
+            return BaseAuthenticationRequest.class;
+        }
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(
+                BaseAuthenticationRequest simpleAuthenticationRequest,
+                AuthenticationRequestContext authenticationRequestContext) {
+            return Uni.createFrom().nothing();
+        }
+    }
+}
diff --git a/extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/AuthenticationRedirectExceptionHeaderTest.java b/extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/AuthenticationRedirectExceptionHeaderTest.java
new file mode 100644
index 00000000000000..b46efe9d16aefb
--- /dev/null
+++ b/extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/AuthenticationRedirectExceptionHeaderTest.java
@@ -0,0 +1,109 @@
+package io.quarkus.resteasy.test.security;
+
+import static io.vertx.core.http.HttpHeaders.CACHE_CONTROL;
+import static io.vertx.core.http.HttpHeaders.LOCATION;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.Set;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.AuthenticationRedirectException;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.IdentityProviderManager;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.AuthenticationRequest;
+import io.quarkus.security.identity.request.BaseAuthenticationRequest;
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.vertx.http.runtime.security.ChallengeData;
+import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
+import io.restassured.RestAssured;
+import io.restassured.http.Header;
+import io.restassured.response.Response;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+
+public class AuthenticationRedirectExceptionHeaderTest {
+
+    private static final String APP_PROPS = "" +
+            "quarkus.http.auth.permission.default.paths=/*\n" +
+            "quarkus.http.auth.permission.default.policy=authenticated";
+
+    @RegisterExtension
+    static QuarkusUnitTest runner = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource(new StringAsset(APP_PROPS), "application.properties"));
+
+    @Test
+    public void testHeaders() {
+        // case-insensitive test that Pragma, cache-control and location headers are only present once
+        // there were duplicate headers when both default auth failure handler and auth ex mapper set headers
+        var response = RestAssured
+                .given()
+                .redirects()
+                .follow(false)
+                .when()
+                .get("/secured-route");
+        response.then().statusCode(302);
+        assertEquals(1, getHeaderCount(response, LOCATION.toString()));
+        assertEquals(1, getHeaderCount(response, CACHE_CONTROL.toString()));
+        assertEquals(1, getHeaderCount(response, "Pragma"));
+    }
+
+    private static int getHeaderCount(Response response, String headerName) {
+        headerName = headerName.toLowerCase();
+        return (int) response.headers().asList().stream().map(Header::getName).map(String::toLowerCase)
+                .filter(headerName::equals).count();
+    }
+
+    @Path("/hello")
+    public static class HelloResource {
+        @GET
+        public String hello() {
+            return "hello";
+        }
+    }
+
+    @ApplicationScoped
+    public static class RedirectingAuthenticator implements HttpAuthenticationMechanism {
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
+            return Uni.createFrom().failure(new AuthenticationRedirectException(302, "https://quarkus.io/"));
+        }
+
+        @Override
+        public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
+            return Set.of(BaseAuthenticationRequest.class);
+        }
+
+        @Override
+        public Uni<ChallengeData> getChallenge(RoutingContext context) {
+            return Uni.createFrom().item(new ChallengeData(302, "header-name", "header-value"));
+        }
+
+    }
+
+    @ApplicationScoped
+    public static class BasicIdentityProvider implements IdentityProvider<BaseAuthenticationRequest> {
+
+        @Override
+        public Class<BaseAuthenticationRequest> getRequestType() {
+            return BaseAuthenticationRequest.class;
+        }
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(
+                BaseAuthenticationRequest simpleAuthenticationRequest,
+                AuthenticationRequestContext authenticationRequestContext) {
+            return Uni.createFrom().nothing();
+        }
+    }
+}
diff --git a/extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/standalone/ResteasyStandaloneRecorder.java b/extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/standalone/ResteasyStandaloneRecorder.java
index 253be4d73b8ab1..9a290ac4a2c111 100644
--- a/extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/standalone/ResteasyStandaloneRecorder.java
+++ b/extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/standalone/ResteasyStandaloneRecorder.java
@@ -78,7 +78,9 @@ public Handler<RoutingContext> vertxRequestHandler(Supplier<Vertx> vertx, Execut
         return null;
     }
 
-    public Handler<RoutingContext> vertxFailureHandler(Supplier<Vertx> vertx, Executor executor, ResteasyVertxConfig config) {
+    public Handler<RoutingContext> vertxFailureHandler(Supplier<Vertx> vertx, Executor executor, ResteasyVertxConfig config,
+            boolean noCustomAuthCompletionExMapper, boolean noCustomAuthFailureExMapper, boolean noCustomAuthRedirectExMapper,
+            boolean proactive) {
         if (deployment == null) {
             return null;
         } else {
@@ -90,6 +92,40 @@ public Handler<RoutingContext> vertxFailureHandler(Supplier<Vertx> vertx, Execut
 
                 @Override
                 public void handle(RoutingContext request) {
+
+                    // special handling when proactive auth is enabled as then we know default auth failure handler already run
+                    if (proactive && request.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER) instanceof DefaultAuthFailureHandler) {
+                        // we want to prevent repeated handling of exceptions if user don't want to handle exception himself
+                        // we do not pass exception to abort handlers if proactive auth is enabled and user did not
+                        // provide custom ex. mapper; we replace default auth failure handler as soon as we can, so that
+                        // we can handle Quarkus Security Exceptions ourselves
+                        if (request.failure() instanceof AuthenticationFailedException) {
+                            if (noCustomAuthFailureExMapper) {
+                                request.next();
+                            } else {
+                                // allow response customization
+                                super.handle(request);
+                            }
+                            return;
+                        } else if (request.failure() instanceof AuthenticationCompletionException) {
+                            if (noCustomAuthCompletionExMapper) {
+                                request.next();
+                            } else {
+                                // allow response customization
+                                super.handle(request);
+                            }
+                            return;
+                        } else if (request.failure() instanceof AuthenticationRedirectException) {
+                            if (noCustomAuthRedirectExMapper) {
+                                request.next();
+                            } else {
+                                // allow response customization
+                                super.handle(request);
+                            }
+                            return;
+                        }
+                    }
+
                     if (request.failure() instanceof AuthenticationFailedException
                             || request.failure() instanceof AuthenticationCompletionException
                             || request.failure() instanceof AuthenticationRedirectException
diff --git a/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/main/java/io/quarkus/resteasy/reactive/server/deployment/ResteasyReactiveProcessor.java b/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/main/java/io/quarkus/resteasy/reactive/server/deployment/ResteasyReactiveProcessor.java
index 92dfa45304f3eb..688b05dc843a9f 100644
--- a/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/main/java/io/quarkus/resteasy/reactive/server/deployment/ResteasyReactiveProcessor.java
+++ b/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/main/java/io/quarkus/resteasy/reactive/server/deployment/ResteasyReactiveProcessor.java
@@ -188,6 +188,7 @@
 import io.quarkus.runtime.LaunchMode;
 import io.quarkus.runtime.RuntimeValue;
 import io.quarkus.security.AuthenticationCompletionException;
+import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.AuthenticationRedirectException;
 import io.quarkus.security.ForbiddenException;
 import io.quarkus.vertx.http.deployment.FilterBuildItem;
@@ -1203,7 +1204,26 @@ public void setupDeployment(BeanContainerBuildItem beanContainerBuildItem,
         if (!requestContextFactoryBuildItem.isPresent()) {
             RuntimeValue<RestInitialHandler> restInitialHandler = recorder.restInitialHandler(deployment);
             Handler<RoutingContext> handler = recorder.handler(restInitialHandler);
-            Handler<RoutingContext> failureHandler = recorder.failureHandler(restInitialHandler);
+
+            final boolean noCustomAuthCompletionExMapper;
+            final boolean noCustomAuthFailureExMapper;
+            final boolean noCustomAuthRedirectExMapper;
+            if (vertxConfig.auth.proactive) {
+                noCustomAuthCompletionExMapper = notFoundCustomExMapper(AuthenticationCompletionException.class.getName(),
+                        AuthenticationCompletionExceptionMapper.class.getName(), exceptionMapping);
+                noCustomAuthFailureExMapper = notFoundCustomExMapper(AuthenticationFailedException.class.getName(),
+                        AuthenticationFailedExceptionMapper.class.getName(), exceptionMapping);
+                noCustomAuthRedirectExMapper = notFoundCustomExMapper(AuthenticationRedirectException.class.getName(),
+                        AuthenticationRedirectExceptionMapper.class.getName(), exceptionMapping);
+            } else {
+                // with disabled proactive auth we need to handle exceptions anyway as default auth failure handler did not
+                noCustomAuthCompletionExMapper = false;
+                noCustomAuthFailureExMapper = false;
+                noCustomAuthRedirectExMapper = false;
+            }
+
+            Handler<RoutingContext> failureHandler = recorder.failureHandler(restInitialHandler, noCustomAuthCompletionExMapper,
+                    noCustomAuthFailureExMapper, noCustomAuthRedirectExMapper, vertxConfig.auth.proactive);
 
             // we add failure handler right before QuarkusErrorHandler
             // so that user can define failure handlers that precede exception mappers
@@ -1225,6 +1245,26 @@ public void setupDeployment(BeanContainerBuildItem beanContainerBuildItem,
         }
     }
 
+    private static boolean notFoundCustomExMapper(String builtInExSignature, String builtInMapperSignature,
+            ExceptionMapping exceptionMapping) {
+        for (var entry : exceptionMapping.getMappers().entrySet()) {
+            if (builtInExSignature.equals(entry.getKey())
+                    && !entry.getValue().getClassName().startsWith(builtInMapperSignature)) {
+                return false;
+            }
+        }
+        for (var entry : exceptionMapping.getRuntimeCheckMappers().entrySet()) {
+            if (builtInExSignature.equals(entry.getKey())) {
+                for (var resourceExceptionMapper : entry.getValue()) {
+                    if (!resourceExceptionMapper.getClassName().startsWith(builtInMapperSignature)) {
+                        return false;
+                    }
+                }
+            }
+        }
+        return true;
+    }
+
     @BuildStep
     @Record(value = ExecutionTime.STATIC_INIT)
     public FilterBuildItem addDefaultAuthFailureHandler(ResteasyReactiveRecorder recorder) {
diff --git a/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/AuthenticationFailedExceptionHeaderTest.java b/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/AuthenticationFailedExceptionHeaderTest.java
new file mode 100644
index 00000000000000..4b4c3d67efe797
--- /dev/null
+++ b/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/AuthenticationFailedExceptionHeaderTest.java
@@ -0,0 +1,91 @@
+package io.quarkus.resteasy.reactive.server.test.security;
+
+import static io.vertx.core.http.HttpHeaders.LOCATION;
+import static org.jboss.resteasy.reactive.RestResponse.StatusCode.FOUND;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.Set;
+
+import javax.enterprise.context.ApplicationScoped;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.IdentityProviderManager;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.AuthenticationRequest;
+import io.quarkus.security.identity.request.BaseAuthenticationRequest;
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.vertx.http.runtime.security.ChallengeData;
+import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
+import io.restassured.RestAssured;
+import io.restassured.http.Header;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+
+public class AuthenticationFailedExceptionHeaderTest {
+
+    private static final String APP_PROPS = "" +
+            "quarkus.http.auth.permission.default.paths=/*\n" +
+            "quarkus.http.auth.permission.default.policy=authenticated";
+
+    @RegisterExtension
+    static QuarkusUnitTest runner = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource(new StringAsset(APP_PROPS), "application.properties"));
+
+    @Test
+    public void testHeaders() {
+        // case-insensitive test that there is only one location header
+        // there has been duplicate location when both default auth failure handler and auth ex mapper send challenge
+        var response = RestAssured
+                .given()
+                .redirects()
+                .follow(false)
+                .when()
+                .get("/secured-route");
+        response.then().statusCode(FOUND);
+        assertEquals(1, response.headers().asList().stream().map(Header::getName).map(String::toLowerCase)
+                .filter(LOCATION.toString()::equals).count());
+    }
+
+    @ApplicationScoped
+    public static class FailingAuthenticator implements HttpAuthenticationMechanism {
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
+            return Uni.createFrom().failure(new AuthenticationFailedException());
+        }
+
+        @Override
+        public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
+            return Set.of(BaseAuthenticationRequest.class);
+        }
+
+        @Override
+        public Uni<ChallengeData> getChallenge(RoutingContext context) {
+            return Uni.createFrom().item(new ChallengeData(FOUND, LOCATION, "http://localhost:8080/"));
+        }
+
+    }
+
+    @ApplicationScoped
+    public static class BasicIdentityProvider implements IdentityProvider<BaseAuthenticationRequest> {
+
+        @Override
+        public Class<BaseAuthenticationRequest> getRequestType() {
+            return BaseAuthenticationRequest.class;
+        }
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(
+                BaseAuthenticationRequest simpleAuthenticationRequest,
+                AuthenticationRequestContext authenticationRequestContext) {
+            return Uni.createFrom().nothing();
+        }
+    }
+}
diff --git a/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/AuthenticationRedirectExceptionHeaderTest.java b/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/AuthenticationRedirectExceptionHeaderTest.java
new file mode 100644
index 00000000000000..35157e762ad775
--- /dev/null
+++ b/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/AuthenticationRedirectExceptionHeaderTest.java
@@ -0,0 +1,100 @@
+package io.quarkus.resteasy.reactive.server.test.security;
+
+import static io.vertx.core.http.HttpHeaders.CACHE_CONTROL;
+import static io.vertx.core.http.HttpHeaders.LOCATION;
+import static org.jboss.resteasy.reactive.RestResponse.StatusCode.FOUND;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.Set;
+
+import javax.enterprise.context.ApplicationScoped;
+
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.security.AuthenticationRedirectException;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.IdentityProvider;
+import io.quarkus.security.identity.IdentityProviderManager;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.AuthenticationRequest;
+import io.quarkus.security.identity.request.BaseAuthenticationRequest;
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.vertx.http.runtime.security.ChallengeData;
+import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
+import io.restassured.RestAssured;
+import io.restassured.http.Header;
+import io.restassured.response.Response;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+
+public class AuthenticationRedirectExceptionHeaderTest {
+
+    private static final String APP_PROPS = "" +
+            "quarkus.http.auth.permission.default.paths=/*\n" +
+            "quarkus.http.auth.permission.default.policy=authenticated";
+
+    @RegisterExtension
+    static QuarkusUnitTest runner = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource(new StringAsset(APP_PROPS), "application.properties"));
+
+    @Test
+    public void testHeaders() {
+        // case-insensitive test that Pragma, cache-control and location headers are only present once
+        // there were duplicate headers when both default auth failure handler and auth ex mapper set headers
+        var response = RestAssured
+                .given()
+                .redirects()
+                .follow(false)
+                .when()
+                .get("/secured-route");
+        response.then().statusCode(FOUND);
+        assertEquals(1, getHeaderCount(response, LOCATION.toString()));
+        assertEquals(1, getHeaderCount(response, CACHE_CONTROL.toString()));
+        assertEquals(1, getHeaderCount(response, "Pragma"));
+    }
+
+    private static int getHeaderCount(Response response, String headerName) {
+        headerName = headerName.toLowerCase();
+        return (int) response.headers().asList().stream().map(Header::getName).map(String::toLowerCase)
+                .filter(headerName::equals).count();
+    }
+
+    @ApplicationScoped
+    public static class RedirectingAuthenticator implements HttpAuthenticationMechanism {
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
+            return Uni.createFrom().failure(new AuthenticationRedirectException(FOUND, "https://quarkus.io/"));
+        }
+
+        @Override
+        public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
+            return Set.of(BaseAuthenticationRequest.class);
+        }
+
+        @Override
+        public Uni<ChallengeData> getChallenge(RoutingContext context) {
+            return Uni.createFrom().item(new ChallengeData(FOUND, "header-name", "header-value"));
+        }
+
+    }
+
+    @ApplicationScoped
+    public static class BasicIdentityProvider implements IdentityProvider<BaseAuthenticationRequest> {
+
+        @Override
+        public Class<BaseAuthenticationRequest> getRequestType() {
+            return BaseAuthenticationRequest.class;
+        }
+
+        @Override
+        public Uni<SecurityIdentity> authenticate(
+                BaseAuthenticationRequest simpleAuthenticationRequest,
+                AuthenticationRequestContext authenticationRequestContext) {
+            return Uni.createFrom().nothing();
+        }
+    }
+}
diff --git a/extensions/resteasy-reactive/quarkus-resteasy-reactive/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/ResteasyReactiveRecorder.java b/extensions/resteasy-reactive/quarkus-resteasy-reactive/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/ResteasyReactiveRecorder.java
index 6cc91a1899e501..49eaf3c7159eef 100644
--- a/extensions/resteasy-reactive/quarkus-resteasy-reactive/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/ResteasyReactiveRecorder.java
+++ b/extensions/resteasy-reactive/quarkus-resteasy-reactive/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/ResteasyReactiveRecorder.java
@@ -212,13 +212,48 @@ public void accept(RoutingContext routingContext) {
         return new ResteasyReactiveVertxHandler(eventCustomizer, initialHandler);
     }
 
-    public Handler<RoutingContext> failureHandler(RuntimeValue<RestInitialHandler> restInitialHandlerRuntimeValue) {
+    public Handler<RoutingContext> failureHandler(RuntimeValue<RestInitialHandler> restInitialHandlerRuntimeValue,
+            boolean noCustomAuthCompletionExMapper, boolean noCustomAuthFailureExMapper, boolean noCustomAuthRedirectExMapper,
+            boolean proactive) {
         final RestInitialHandler restInitialHandler = restInitialHandlerRuntimeValue.getValue();
         // process auth failures with abort handlers
         return new Handler<RoutingContext>() {
             @Override
             public void handle(RoutingContext event) {
 
+                // special handling when proactive auth is enabled as then we know default auth failure handler already run
+                if (proactive && event.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER) instanceof DefaultAuthFailureHandler) {
+                    // we want to prevent repeated handling of exceptions if user don't want to handle exception himself
+                    // we do not pass exception to abort handlers if proactive auth is enabled and user did not
+                    // provide custom ex. mapper; we replace default auth failure handler as soon as we can, so that
+                    // we can handle Quarkus Security Exceptions ourselves
+                    if (event.failure() instanceof AuthenticationFailedException) {
+                        if (noCustomAuthFailureExMapper) {
+                            event.next();
+                        } else {
+                            // allow response customization
+                            restInitialHandler.beginProcessing(event, event.failure());
+                        }
+                        return;
+                    } else if (event.failure() instanceof AuthenticationCompletionException) {
+                        if (noCustomAuthCompletionExMapper) {
+                            event.next();
+                        } else {
+                            // allow response customization
+                            restInitialHandler.beginProcessing(event, event.failure());
+                        }
+                        return;
+                    } else if (event.failure() instanceof AuthenticationRedirectException) {
+                        if (noCustomAuthRedirectExMapper) {
+                            event.next();
+                        } else {
+                            // allow response customization
+                            restInitialHandler.beginProcessing(event, event.failure());
+                        }
+                        return;
+                    }
+                }
+
                 if (event.failure() instanceof AuthenticationFailedException
                         || event.failure() instanceof AuthenticationCompletionException
                         || event.failure() instanceof AuthenticationRedirectException
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder.java
index 205a6857b0e21d..0c294203a3e2f8 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder.java
@@ -318,6 +318,9 @@ protected DefaultAuthFailureHandler() {
 
         @Override
         public void accept(RoutingContext event, Throwable throwable) {
+            if (event.response().ended()) {
+                return;
+            }
             throwable = extractRootCause(throwable);
             //auth failed
             if (throwable instanceof AuthenticationFailedException) {