-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WebSockets Next: security integration #40312
Comments
Hi @mkouba, can you explain a little bit how one can retain the property (such as a token) which is available at the on-open step in the WS-Next, such that this property is returned with subsequent on-message steps ? I guess we'll have to follow a step similar to the one shown in https://github.com/quarkusio/quarkus/files/15130826/quarkus-sec-issue.zip (a reproducer for #40307) Another question, is resolving #40307 must be done first before planning this enhancement work ? Thanks Sergey |
I was thinking the authentication must have HTTP request scope rather than to be session-scoped bean. Which would allow us to rely on what we have already. But that's how far I got in studying WS-next reference. Let's see what Martin thinks.
nope, not related |
The problem is that for WebSockets there is only the initial handshake HTTP request and afterwards, after upgrade, when processing incoming messages there's no HTTP request available at all; e.g. we do activate the request context for an
It's not related to WebSockets at all actually ;-) |
Thanks. I guess I need to dig more before I make any conclusions. But AFAICT CDI request context activation, we don't really care as what I wanted to reuse is HTTP Authenticator / Authorizer and they do work with RoutingContext rather than CDI req. ctx. I mean one connection == one authentication. However if WS will send authN headers later, we need something smarter. Okay. |
I guess I need to dig more as well :-)
It's not that it sends the headers later. In fact, WS itself does not send metadata along with messages. That's up to the procotol which is something we don't control. Maybe we could authenticate/authorize the initial handshake request? FYI the opening handshake is described here: https://datatracker.ietf.org/doc/html/rfc6455#section-1.3 BTW this the security part of the Jakarta WS spec: https://jakarta.ee/specifications/websocket/2.1/jakarta-websocket-spec-2.1#security |
Yes, that sounds good to me ATM (see below)
Thank you, I'll study it. Sorry @mkouba I didn't mean to steal @sberyozkin show, could you please also answer his question when the time is right for you. This was helpful though. |
I have to admit that I have no idea yet ;-). In any case, we can extract the information from the initial handshake request and store it either in a
But this reproducer does not provide a working solution, or?
|
Thanks @michalvavrik @mkouba, and yeah, was a good joke, Michal, that it was my show :-) The use case which I have in mind, and is particularly relevant to the Quarkus LangChain4j Chat Bot demos, is when I authenticate to Quarkus with OIDC, and now I request a Chat Bot resource which upgrades the request to the WS Next session. So what Martin said,
Sounds good and hopefully simple enough, IMHO this is the path forward. I'm not sure what is best though, using the session scoped bean or the connection object as a storage. The only requirement is to have @mkouba @michalvavrik, what do you think ? |
The latter is probably better as it will let users avoid having to use I've read https://quarkus.io/guides/websockets-next-reference#cdi-scopes-for-websocket-endpoints, looks like |
Each connection has its own session context. When a server/client endpoint callback is executed this session context is activated automatically. The advantage of the latter approach is that you could access the connection outside an endpoint callback invocation. Which might be helpful but not necessary. |
Thanks @mkouba,
Interesting, I believe with Quarkus LangChain4j, users get responses in scope of the callback. I'm not certain if retaining it in the connection object might increase the likelihood of the identity going stale. I suppose we can start with storing it in the session scope bean, and move it to the connection if necessary or make it configurable. How would we get the security info stored in the WS Next session scope bean though, can we add a |
In general, this is how I'd suggest for a non-security extension to pick up whatever one of the security extensions converted into SecurityIdentity. https://github.com/quarkusio/quarkus-security alone which just SPI should give it, it gives |
+1 |
@sberyozkin @michalvavrik So if I understand it correctly, the only thing we want to do is to capture the |
@mkouba Yes, something like that would be perfect to have I think.
It would be awesome, if you get a chance to look at it Thanks |
- fixes quarkusio#40312 - also create a new Vertx duplicated context for error handler invocation
- fixes quarkusio#40312 - also create a new Vertx duplicated context for error handler invocation
- when quarkus-security is present and quarkus.http.auth.proactive=false, then we force the authentication before the HTTP upgrade so that it's possible to capture the SecurityIdentity and set it afterwards for all endpoint callbacks - fixes quarkusio#40312 - also create a new Vertx duplicated context for error handler invocation
- when quarkus-security is present and quarkus.http.auth.proactive=false, then we force the authentication before the HTTP upgrade so that it's possible to capture the SecurityIdentity and set it afterwards for all endpoint callbacks - fixes quarkusio#40312 - also create a new Vertx duplicated context for error handler invocation
- when quarkus-security is present and quarkus.http.auth.proactive=false, then we force the authentication before the HTTP upgrade so that it's possible to capture the SecurityIdentity and set it afterwards for all endpoint callbacks - fixes quarkusio#40312 - also create a new Vertx duplicated context for error handler invocation
- when quarkus-security is present and quarkus.http.auth.proactive=false, then we force the authentication before the HTTP upgrade so that it's possible to capture the SecurityIdentity and set it afterwards for all endpoint callbacks - fixes quarkusio#40312 - also create a new Vertx duplicated context for error handler invocation (cherry picked from commit f1f7a20)
- when quarkus-security is present and quarkus.http.auth.proactive=false, then we force the authentication before the HTTP upgrade so that it's possible to capture the SecurityIdentity and set it afterwards for all endpoint callbacks - fixes quarkusio#40312 - also create a new Vertx duplicated context for error handler invocation
Description
Follow-up of #39142.
Implementation ideas
No response
The text was updated successfully, but these errors were encountered: