Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security fixes for RESTEasy Reactive #14563

Merged
merged 2 commits into from
Jan 26, 2021
Merged

Security fixes for RESTEasy Reactive #14563

merged 2 commits into from
Jan 26, 2021

Conversation

stuartwdouglas
Copy link
Member

  • Add ability to deny access to unannotated endpoints
  • Make sure setSecurityContext changes the current identity
  • Port tests from RESTEasy extension

@stuartwdouglas
SecurityContext is application scoped
af26cc4 
Injection of the SecurityContext will result in using
the same SecurityContext for all requests.
@stuartwdouglas
Security fixes for RESTEasy Reactive
0dbb280 
- Add ability to deny access to unannotated endpoints
- Make sure setSecurityContext changes the current identity
- Port tests from RESTEasy extension
@ghost ghost added area/dependencies Pull requests that update a dependency file area/resteasy-classic area/rest area/security labels Jan 25, 2021
geoand
geoand reviewed Jan 25, 2021
View reviewed changes
Copy link
Contributor

@geoand geoand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

I just added some very minor comments

...n/runtime/src/main/java/io/quarkus/resteasy/reactive/common/runtime/JaxRsSecurityConfig.java
import io.quarkus.runtime.annotations.ConfigRoot;

/**
* @author Michal Szynkiewicz, [email protected]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe drop these author tags which are incorrect anyway?

...ava/io/quarkus/resteasy/reactive/server/runtime/security/SecurityContextOverrideHandler.java
private CurrentIdentityAssociation getCurrentIdentityAssociation() {
CurrentIdentityAssociation identityAssociation = this.currentIdentityAssociation;
if (identityAssociation == null) {
return this.currentIdentityAssociation = CDI.current().select(CurrentIdentityAssociation.class).get();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably best to be consistent and use Arc.container() instead of CDI.current()

@geoand geoand mentioned this pull request Jan 25, 2021
Merged
@gsmet
Copy link
Member

gsmet commented Jan 25, 2021

Also I believe this should be backported, right?

@gsmet
Copy link
Member

gsmet commented Jan 26, 2021

I think we really need this in for 1.11.1.Final.

Looks like the comments are mostly about details? I can fix them myself or we can merge as is. @geoand WDYT?

@geoand
Copy link
Contributor

geoand commented Jan 26, 2021

Looks like the comments are mostly about details? I can fix them myself or we can merge as is. @geoand WDYT?

Sure yeah, we can definitely merge as is

@gsmet
Copy link
Member

gsmet commented Jan 26, 2021

OK, let's merge it then. This can't stay as is.

@gsmet gsmet merged commit e61bc27 into quarkusio:master Jan 26, 2021
@ghost ghost added this to the 1.12 - master milestone Jan 26, 2021
@gsmet gsmet modified the milestones: 1.12 - master, 1.11.1.Final Jan 26, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geoand geoand geoand left review comments

@gsmet gsmet gsmet approved these changes

Assignees
No one assigned
Labels
area/dependencies Pull requests that update a dependency file area/rest area/resteasy-classic area/security
Projects
None yet
Milestone
1.11.1.Final
Development

Successfully merging this pull request may close these issues.
3 participants
@stuartwdouglas @gsmet @geoand