Make sure to resume request when challenging

Fixes #20193
quarkusio · Oct 13, 2021 · d44fa87 · d44fa87
1 parent 044ee5c
commit d44fa87
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 0 deletions.
diff --git a/...deployment/src/test/java/io/quarkus/vertx/http/security/AbstractRolesAllowedTestCase.java b/...deployment/src/test/java/io/quarkus/vertx/http/security/AbstractRolesAllowedTestCase.java
@@ -240,4 +240,23 @@ public void testWildcardMatchingWithoutSlash() {
                 .assertThat()
                 .statusCode(401);
     }
+
+    @Test
+    public void testLargeBodyRejected() {
+
+        StringBuilder sb = new StringBuilder("HELLO WORLD");
+        for (int i = 0; i < 20; ++i) {
+            sb.append(sb);
+        }
+        for (int i = 0; i < 10; ++i) {
+            RestAssured
+                    .given()
+                    .body(sb.toString())
+                    .post("/roles1")
+                    .then()
+                    .assertThat()
+                    .statusCode(401);
+        }
+
+    }
 }
diff --git a/...deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedLazyAuthTestCase.java b/...deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedLazyAuthTestCase.java
@@ -19,6 +19,7 @@ public class RolesAllowedLazyAuthTestCase extends AbstractRolesAllowedTestCase {
 
     private static final String APP_PROPS = "" +
             "quarkus.http.auth.basic=true\n" +
+            "quarkus.http.limits.max-body-size=100m\n" +
             "quarkus.http.auth.policy.r1.roles-allowed=test\n" +
             "quarkus.http.auth.policy.r2.roles-allowed=admin\n" +
             "quarkus.http.auth.permission.roles1.paths=/roles1,/deny,/permit,/combined,/wildcard1/*,/wildcard2*\n" +

diff --git a/...tx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedTestCase.java b/...tx-http/deployment/src/test/java/io/quarkus/vertx/http/security/RolesAllowedTestCase.java
@@ -19,6 +19,7 @@ public class RolesAllowedTestCase extends AbstractRolesAllowedTestCase {
 
     private static final String APP_PROPS = "" +
             "quarkus.http.auth.basic=true\n" +
+            "quarkus.http.limits.max-body-size=100m\n" +
             "quarkus.http.auth.policy.r1.roles-allowed=test\n" +
             "quarkus.http.auth.policy.r2.roles-allowed=admin\n" +
             "quarkus.http.auth.permission.roles1.paths=/roles1,/deny,/permit,/combined,/wildcard1/*,/wildcard2*\n" +

diff --git a/...-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpAuthenticator.java b/...-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpAuthenticator.java
@@ -140,6 +140,10 @@ public Uni<SecurityIdentity> apply(SecurityIdentity data) {
      * @return
      */
     public Uni<Boolean> sendChallenge(RoutingContext routingContext) {
+        //we want to consume any body content if present
+        //challenges won't read the body, and if we don't consume
+        //things can get stuck
+        routingContext.request().resume();
         Uni<Boolean> result = null;
 
         HttpAuthenticationMechanism matchingMech = routingContext.get(HttpAuthenticationMechanism.class.getName());