JAX-RS endpoints no longer being hit with 3.0.3 or 3.0.4 #174
Comments
|
You're doing a POST without a CSRF token, that's why it doesn't work. I agree there should be an error message, though. If you're using public Application extends Controller {
@Inject
CsrfTokenParameterProvider csrf;
public String csrf(){
return csrf.getToken();
}
}All of this works OOTB if using What is the context in which you're calling this |
|
I was calling it from the When using the latest version that automatic redirection no longer works. |
|
Well, it's not that it doesn't work, it's that it requires a CSRF token. All POST methods with a form body now require it. That has always been the goal, but issues prevented it from working properly. Can you obtain a token before making your Note that if you actually login from your browser, this will work out of the box. |
|
Ok, so you're saying it's a new requirement to have a CSRF token now, where before it was optional or it just worked without it. Well, we have people who use their old scripts which use the CURL method to do the login and obtain the auth cookie. Is there a way I can modify my login endpoint to grab the token for them and then complete the login if it isn't present? We have two login points, one for the browser and another for the curl endpoints. I've tested the browser one with the latest version and it works as you said. |
|
The problem is that the minute you serve HTML and have forms, you want CSRF protection. But this is not convenient for REST users. But, whatever endpoint you make available in your application will be callable via the browser via injection if you're out of luck. If your scripts can make two calls, they can obtain a CSRF token using the method I posted above. Or perhaps you may want to support another form of authentication for your script calls? What login method do you use ATM to obtain an auth cookie? |
|
This application is a legacy application that was written in Scala/Play 2.x. It used the built in authentication mechanism in Play security. I converted the application to use Renarde and Renarde Security with JDBC authentication since they were storing their user information and passwords in the database. |
|
With this, you mean? https://quarkus.io/guides/security-jdbc |
|
Well, unfortunately no, they are doing their own lookups in a few tables to get the id and then find the password (hash) in another table and then use BCrypt to compare the incoming passwords with the one stored in the database. Then if found, they return the User object, otherwise throw error. For example, they hit the Ideally, I would've used what you mentioned but the code I'm working with is many years old and not well laid out so I couldn't touch a lot. Even better, I would use Keycloak and OIDC but that is a big upgrade for them and no time at the moment. |
|
OK, so are you using this? https://docs.quarkiverse.io/quarkus-renarde/dev/security.html#custom_authentication_with_jwt |
|
Yes that it. |
|
For scripts, there are two alternatives, IMO:
I tried to find how to enable basic auth in Renarde and it appears I must do something to support it. Would it make your clients easier or are you more interested in option 1? |
Trying the latest versions of renarde security (3.0.3 or 3.0.4) with Quarkus 3.4.1 causes my endpoints to no longer be hit.
I have a
/loginendpoint which works fine with previous versions, but trying them with the latest versions causes them to either silenty fail or not be hit at all (hard to tell since there are no errors).Using this request for both versions and changing nothing else in the code.
curl -v -c support_cookiefile --data "[email protected]&password=secret" http://localhost:8080/loginCURL OUTPUT
3.0.2
3.0.4
The text was updated successfully, but these errors were encountered: