NPE during custom bean invocation via PreAuthorize annotation in Quarkus RESTEasy #44511
Comments
@deidzen While this issue is being addressed, you may want to have a look at https://quarkus.io/version/main/guides/security-authorize-web-endpoints-reference#permission-checker We believe it offers a simpler alternative to
We keep changing it, that is nothing out of the ordinary. I will put this issue on my (extended) list.
So what has changed is that we now perform this security check eagerly (before serialization etc.). This should help #44667, but you can only do this for authenticated requests, because postponing authorization for anonymous users is not supported in Quarkus.
Could you please add this fix to the 3.9.5 version?
A great deal has changed in this implementation, I think it may require a custom backport. Anyway, 3.9.x is not supported anymore, it's not LTS. The latest version is now 3.17 and the latest LTS is 3.15. See the https://code.quarkus.io/ streams.
Exactly what @michalvavrik said. Is there a reason why you have not moved up from 3.9?
Is there another way, instead of @PreAuthorize, to call a custom checker with parameters to check the availability of an endpoint in Quarkus 3.9.5?
Please consider backporting this fix to 3.15
I was being careful because I didn't analyze how much Quarkus Spring Security had changed, but I think this fix is isolated and safe as long as the tests pass in backport CI. I'll propose it by adding the respective label to the PR.
Thanks a lot!
Could you please say approximately when the fix is planned to be backported to 3.15?
I'd expect it to be included in 3.15.3; considering 3.15.2 was released 3 weeks ago, I'd expect to see 3.15.3 in December. I have no internal release planning knowledge; as far as I know, the only source of truth is https://github.com/quarkusio/quarkus/wiki/Release-Planning. @gsmet will know more, but I am sure he is very busy.
@gsmet, do you know when the fix is going to be backported to 3.15.3?
The next 3.15 LTS micro is currently planned for mid-January.
@gsmet, are you going to backport this fix to 3.15 in the near future?
That's the plan
Describe the bug
According to the documentation (https://quarkus.io/guides/spring-security#preauthorize), Quarkus supports custom bean invocation via the PreAuthorize annotation before method execution.
But starting from version 3.6.8 (I personally checked 3.6.8, 3.9.5 and the current 3.16.3), this functionality in Quarkus RESTEasy is not working; it throws a NullPointerException.
I see that the EagerSecurityFilter class mentioned in the error stack trace was changed in version 3.6.8 (6d76eaf#diff-fbf38214479c02a3e1bae50b5b595d13c12c28e64d34246398151ef3b521e5db). Maybe that caused the issue.
Expected behavior
Custom bean is invoked through the @PreAuthorize annotation successfully
Actual behavior
NPE is thrown during the custom bean invocation
How to Reproduce?
Reproducer: https://github.com/deidzen/quarkus-preauthorized-test
Steps to reproduce:
1. mvn clean test
2. 2 tests will fail with a 500 error: java.lang.NullPointerException: Cannot load from object array because "<parameter2>" is null
For comparison, you can switch to the Quarkus 3.6.7 version (quarkus-3.6.7-resteasy branch) and try again; the tests will pass.
Output of uname -a or ver
Microsoft Windows [Version 10.0.26100.2033]
Output of java -version
17.0.10, vendor: Oracle OpenJDK
Quarkus version or git rev
3.6.8+ (I personally checked 3.6.8, 3.9.5 and current 3.16.3)
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Additional information
No response
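For readers who have not used the feature this report is about, the following is an added illustration written for this page (not code from the reporter's reproducer and not Quarkus's own code) of a custom bean invoked through @PreAuthorize, in the form the linked Spring Security guide documents, followed by the @PermissionChecker form that the first comment in the thread points to. It assumes the quarkus-spring-security, quarkus-spring-di and quarkus-resteasy extensions; the class names, the package org.acme.security, the "read-account" permission name and the ownership rule are made up for the example. The @PermissionChecker variant is an assumption in two respects: that io.quarkus.security.PermissionChecker exists in the Quarkus release in use (the comment links the guide for the main branch), and that its method parameters are matched by name to the secured method's parameters, with SecurityIdentity also accepted as a parameter.

```java
// File: AccountChecker.java
// Custom checker bean referenced from the @PreAuthorize expression below.
// @Component (quarkus-spring-di) registers it under the default bean name
// "accountChecker", which is how the expression addresses it.
package org.acme.security;

import jakarta.inject.Inject;

import org.springframework.stereotype.Component;

import io.quarkus.security.identity.SecurityIdentity;

@Component
public class AccountChecker {

    @Inject
    SecurityIdentity identity;

    // Invoked before the resource method body runs. The argument is the
    // resource method's own "id" parameter, bound by name through "#id".
    // Rule (constructed for this example): an authenticated caller may read
    // the account whose id equals its principal name; role "admin" may read any.
    public boolean canRead(String id) {
        if (identity.isAnonymous()) {
            return false;
        }
        return identity.hasRole("admin")
                || identity.getPrincipal().getName().equals(id);
    }
}

// File: AccountResource.java
package org.acme.security;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;

import org.springframework.security.access.prepost.PreAuthorize;

@Path("/accounts")
public class AccountResource {

    // Custom bean invocation: "@accountChecker" names the bean, "#id" the
    // method parameter. This is the construct the report says fails with the
    // NPE on 3.6.8+ under Quarkus RESTEasy.
    @GET
    @Path("/{id}")
    @PreAuthorize("@accountChecker.canRead(#id)")
    public String read(@PathParam("id") String id) {
        return "account " + id;
    }
}

// File: AccountPermissionChecker.java
// Alternative pointed to in the thread. Assumption: io.quarkus.security.PermissionChecker
// is available, checker parameters are matched by name to the secured method's
// parameters, and SecurityIdentity may be declared as a parameter.
package org.acme.security;

import jakarta.enterprise.context.ApplicationScoped;

import io.quarkus.security.PermissionChecker;
import io.quarkus.security.identity.SecurityIdentity;

@ApplicationScoped
public class AccountPermissionChecker {

    // Same constructed rule as AccountChecker.canRead, expressed as a permission
    // checker for the "read-account" permission.
    @PermissionChecker("read-account")
    boolean canReadAccount(String id, SecurityIdentity identity) {
        return !identity.isAnonymous()
                && (identity.hasRole("admin")
                    || identity.getPrincipal().getName().equals(id));
    }
}

// With the checker above, the endpoint carries
// @PermissionsAllowed("read-account") (io.quarkus.security.PermissionsAllowed)
// in place of @PreAuthorize, and the "id" argument is passed to it by name.
```

Both forms hand the resource method's bound argument (id) to a checker that must run before the method body, so both depend on that argument being available at check time; the @PreAuthorize form is the one the report exercises, resolving the bean and the parameter reference through the expression string at request time.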