quarkus.security.jaxrs.deny-unannotated-endpoints=true does overrule @TestSecurity(authorizationEnabled = false) #19896
/cc @sberyozkin
TheParad0X changed the title from "quarkus.security.jaxrs.deny-unannotated-endpoints=true does overrule @TestSecurity(authorizationEnabled = false)?" to "quarkus.security.jaxrs.deny-unannotated-endpoints=true does overrule @TestSecurity(authorizationEnabled = false)" on Sep 3, 2021
@sberyozkin @FroMage @stuartwdouglas what do you believe the expected behavior to be? I believe
Makes sense
This does not sound right,
I'll have a look
geoand added a commit to geoand/quarkus that referenced this issue on Sep 7, 2021
…ecurity feature
The use of `quarkus.security.jaxrs.deny-unannotated-endpoints=true` essentially results in the addition of a `DenyAllInterceptor` to the invocation chain of a JAX-RS endpoint. Because this interceptor did not take into account the `AuthorizationController` (like the `RolesAllowedInterceptor` already does), it would result in endpoints being secured even though security was supposed to be disabled for the specific test.
Fixes: quarkusio#19896
geoand added a commit that referenced this issue on Sep 8, 2021
Make @TestSecurity work correctly with unannotated JAX-RS endpoints security feature
gsmet pushed a commit to gsmet/quarkus that referenced this issue on Dec 1, 2021
…ecurity feature
The use of `quarkus.security.jaxrs.deny-unannotated-endpoints=true` essentially results in the addition of a `DenyAllInterceptor` to the invocation chain of a JAX-RS endpoint. Because this interceptor did not take into account the `AuthorizationController` (like the `RolesAllowedInterceptor` already does), it would result in endpoints being secured even though security was supposed to be disabled for the specific test.
Fixes: quarkusio#19896
(cherry picked from commit b9359bf)
Describe the bug
As mentioned here, I was asked to open this issue:
My (REST) Tests are all annotated with io.quarkus.test.security.TestSecurity's
@TestSecurity(authorizationEnabled = false)
When adding
quarkus.security.jaxrs.deny-unannotated-endpoints=true
they all fail with a 401 (thus ignoring the authorizationEnabled flag)
Is this the intended behavior?
Expected behavior
To me, @TestSecurity(authorizationEnabled = false) should disable security for any endpoint, annotated or not.
Actual behavior
quarkus.security.jaxrs.deny-unannotated-endpoints=true does overrule @TestSecurity(authorizationEnabled = false)
As a Workaround, I had to use
@TestSecurity(user = "testUser", roles = {"admin"})
How to Reproduce?
No response
Output of uname -a or ver
No response
Output of java -version
openjdk version "11.0.12" 2021-07-20
OpenJDK Runtime Environment Temurin-11.0.12+7 (build 11.0.12+7)
OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (build 11.0.12+7, mixed mode)
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.1.2.Final
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.8.2
Additional information
No response
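A minimal reproducer for the behaviour reported above, added here as an example (it is not code from the issue or from the Quarkus repository). It checks that `@TestSecurity(authorizationEnabled = false)` reaches an unannotated endpoint while an anonymous caller is still denied with the 401 the report mentions. Assumptions: `PingResource`, `/ping` and the `org.acme` package are hypothetical names, the `quarkus-test-security` and REST Assured test dependencies are present, and classes under `src/test/java` are picked up as part of the application under test.

```java
// Constructed reproducer. Requires in application.properties:
//   quarkus.security.jaxrs.deny-unannotated-endpoints=true
// javax.ws.rs matches the Quarkus 2.1.2.Final version named in the report.
package org.acme;

import static io.restassured.RestAssured.given;

import javax.ws.rs.GET;
import javax.ws.rs.Path;

import org.junit.jupiter.api.Test;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;

@QuarkusTest
public class DenyUnannotatedEndpointsTest {

    // Hypothetical endpoint with no security annotation, so the
    // deny-unannotated-endpoints setting applies to it.
    @Path("/ping")
    public static class PingResource {
        @GET
        public String ping() {
            return "pong";
        }
    }

    // Behaviour the reporter expected: with authorization disabled for the
    // test, the deny-all check must not reject the call. Before the fix
    // referenced in this issue, this request came back as 401.
    @Test
    @TestSecurity(authorizationEnabled = false)
    void authorizationDisabledReachesEndpoint() {
        given().when().get("/ping").then().statusCode(200);
    }

    // Guard for the security property itself: without @TestSecurity the
    // unannotated endpoint must stay closed to an anonymous caller.
    @Test
    void anonymousCallerIsStillDenied() {
        given().when().get("/ping").then().statusCode(401);
    }
}
```

Keeping the second test beside the first means a change that makes the test-only switch work cannot silently weaken the deny-by-default setting.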