When multiple authentication mechanisms are available, http path permission is not working properly

[Serkan80]

Describe the bug

I have an issue with how the http path permission works when I have multiple auth. mechanisms.

Basically I have 2 endpoints with different auth. mechanisms:

• /auth : basic auth
• /gateway/* : bearer auth

And when I configure it like this:

quarkus.http.auth.permission.basic.paths=/auth/*
quarkus.http.auth.permission.basic.policy=authenticated
quarkus.http.auth.permission.basic.auth-mechanism=basic

quarkus.http.auth.permission.bearer.paths=/gateway/*
quarkus.http.auth.permission.bearer.policy=authenticated
quarkus.http.auth.permission.bearer.auth-mechanism=bearer

The Principal object has no username when I call the /auth endpoint.

And if I replace the config above with implementing HttpAuthenticationMechanism interface then everything works fine.

See also the reproducer here:
https://github.com/Serkan80/quarkus-issue-reproducers/tree/master/http-path-permission-issue

Expected behavior

I expect that the provided config above should work, without the need to implement a custom HttpAuthenticationMechanism.

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

jdk 17

Quarkus version or git rev

3.8.3

Build tool (ie. output of mvnw --version or gradlew --version)

Maven 3.8.6

Additional information

No response

[quarkus-bot]

/cc @pedroigor (bearer-token)

[sberyozkin]

@Serkan80 You should enable the Basic authentication: https://quarkus.io/guides/security-basic-authentication-howto

[Serkan80]

But why does Basic auth work out of the box when I remove the http path config and provide a custom HttpAuthMechism (without explicitly enabling basic auth) ?

[sberyozkin]

@Serkan80 As far as I know it is enabled by default if no other mechanisms are registered.

You just need to enable it explicitly now, can you try it please ?

[sberyozkin]

We will need to make it clearer in the docs.

[Serkan80]

I will try it tomorrow and give you an update.

[sberyozkin]

Thanks @Serkan80, effectively this /auth/* path is public, without it. JavaDocs says it: If no authentication mechanisms are configured basic auth is the default. but it is indeed it can be confusing. So we'll need to make it clear in the tutorials.

@michalvavrik, Hi, I wonder if users do @BasicAuthentication or quarkus.http.auth.permission.basic.auth-mechanism=basic, can we optimize and enable this property automatically ? As they have already requested basic authentication with one of these properties ?

[sberyozkin]

@michalvavrik For other mechanisms which are enabled out of the box, it will work, and we do document very clearly that it must be enabled, but users who figured out that it is enabled by default if nothing else is configured, may find it confusing they now have to enable it...

[michalvavrik]

I checked out reproducer. The basic mechanism exists, but is ignored during the lookup because it is a default bean, it is only not ignored when there is no other mechanism as @sberyozkin pointed out. So it works as expected. I think kind/bug is wrong.

@michalvavrik, Hi, I wonder if users do @BasicAuthentication or quarkus.http.auth.permission.basic.auth-mechanism=basic, can we optimize and enable this property automatically ? As they have already requested basic authentication with one of these properties ?

We can do that for the annotation, but we can't detect the permission during the build time. However as it exists, we can add it. It will require some special handling just for this mechanism. I think it's alright to do that.

@michalvavrik For other mechanisms which are enabled out of the box, it will work, and we do document very clearly that it must be enabled, but users who figured out that it is enabled by default if nothing else is configured, may find it confusing they now have to enable it...

TBH I don't know about anything that changed in this sense. So I am confused with the word now. but I agree we should do it. I'll do it, but it's far on my list.

[michalvavrik]

It should be nice easy job, I'll do it some day when I have just a short time for Quarkus :-)

[Serkan80]

@sberyozkin when I explicitly enable basic auth, then it works. But it would be nice if you enable it automatically when you parse this config line:

quarkus.http.auth.permission.basic.auth-mechanism=basic

if basic auth mechanism is available => then set it, otherwise first enable it, then set it (or something).

[michalvavrik]

if basic auth mechanism is available => then set it, otherwise first enable it, then set it (or something).

makes sense, there are some challenges to this approach, for example if you implement custom authentication mechanism that supports UsernamePasswordAuthenticationRequest we actually have no way to tell if the mechanism also support basic scheme. so whatever we do here, it will be breaking changes for custom auth. mechanisms because io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism#getCredentialTransport is resolved dynamically for each request.

long story short, we can do that when there are no auth mechanisms provided by users, which will fit your case. so ok.