-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SecurityIdentityAssociation set in a messaging context is not available in outgoing rest calls #38244
Comments
/cc @sberyozkin (security) |
@michalvavrik Hey Michal, can you have a look in the next week or so, I wonder if it may be related to the vertx contexts. Though I'm not sure how it works with the outgoing calls since the identity association represents the incoming call... |
sure @sberyozkin I'll have a look when @mrickly provides reproducer as mentioned in Additional information |
Thanks @michalvavrik, yeah, we have discussed it with @mrickly. @mrickly, something simple, may be even without having to have Kafka involved will do, may be JAX-RS container request filter picking up a bearer access token from HTTP authorization header, without the security enabled in the frontend and then the frontend endpoint attempting to propagate that to the downstream test endpoint using REST client |
@sberyozkin : I doubt that I can reproduce it in that simple scenario (without messaging involved), unless you're asking for a positive example (where it works). |
@mrickly debugging this without reproducer is not feasible, if simple scenario can't be done, just provide a reproducer and I'll try to understand / simplify, let's see. Thank you |
Hi @sberyozkin , @michalvavrik : I invested some time and what I have experienced feels unreal. Sometimes both injection point (Kafka Incoming Filter and Rest Outgoing Filter) will get the same instance of a SecurityIdentityAssociation, sometimes they won't. It apparently matters whether I run or debug the test (even without active breakpoints) in the IDE. Should I expect quantum effects in Quarkus? I have found a thread discussing an almost identical scenario: #21367 |
I can provide no help without seeing actual code and ideally reproducer. I am not able to make any conclusions or give suggestions based on your comments. I'll let others help you, maybe your description will be sufficient for them. Cheers |
@michalvavrik : I understand that. The problem was not reproducible when getting rid of all superfluous libraries, including our own. I will of course update you if I manage to reproduce this apparent randomness in a simple setting. |
np @mrickly , there is a chance @cescoffier could answer you in regards on CDI request scope based on your comments when he finds a time. I just wanted to make it clear I can't, take your time. |
glu-test-reproducer2-service.zip
What I find very strange is that the first RequestContextState to be created will be used globally, for instance whenever the poll method of any kafka consumer thread executes. I wonder whether this behaviour is related to the bug mentioned by @cescoffier in this comment #21367 (comment). It looks wrong to me, even if RequestContext and messaging are not supposed to be used together (which should be documented somewhere). |
oki, thanks, I'll check next week |
just update, I've had other more urgent tasks, but it's still on my radar. I'll check and let you know when I can. |
After little adjustments to your reproducer I was able to reproduce it, indeed it's as described in README. My conclusion is that:
Hey @cescoffier @ozangunalp , please answer following question because at the very least I can't see this documented (and if I am wrong, answer is as easy as pointing me to the docs section, thanks!): I need to understand expected behavior, https://quarkus.io/guides/kafka doesn't explain what is expected in regards to the CDI request scope. When |
It is generally wrong to put For the CDI interceptor to be active the call needs to be made on an injected bean, internal method calls won't get intercepted. Furthermore activating request scope on the BUT, the map operations on that stream will be called on the message's duplicated context so this is effectively what you want. What was described here is a workaround to make sure a Hibernate Session is available for DB operations, and it works because the request scope and message processing are both terminated at the end of that method call. We've been holding back on treating a message processing as a "request" (because it isn't) and therefore only providing workarounds for the usage of request scoped beans for message processing, like Going forward, I am planning to add a config flag to be able to opt-in to activate the request scope on messages. It'll also use |
@michalvavrik , @ozangunalp : Thanks for confirming. We are indeed relying solely on |
The PublisherDecorator#decorate method is called at startup time, on the main thread. When you have |
Thank you for the explanation. So I take it this is not supported scenario ATM, therefore not a bug. |
Describe the bug
We have a
KafkaIncomingDecorator implements PublisherDecorator
where we read a jwt token from the message headers that is then used to set the CurrentIdentityAssociation:We inject the CurrentIdentityAssociation in a
SecurityIdentityPropagationFilter implements ResteasyReactiveClientRequestFilter
. After a framework update, some users have reported that the injected CurrentIdentityAssociation is now anonymous (i.e. it is not the identity set in the decorator).As a provisional fix, we have added the jwt to the ContextLocals and we read it from there in the filter when the identity is anonymous.
Expected behavior
The jwt token set in the decorator is available via CurrentIdentityAssociation in the filter when the message processing performs an outgoing rest call.
Actual behavior
The CurrentIdentityAssociation injected in the filter is anonymous.
How to Reproduce?
No response
Output of
uname -a
orver
No response
Output of
java -version
openjdk 21.0.1 2023-10-17 LTS OpenJDK Runtime Environment Zulu21.30+16-SA (build 21.0.1+12-LTS) OpenJDK 64-Bit Server VM Zulu21.30+16-SA (build 21.0.1+12-LTS, mixed mode, sharing)
Quarkus version or git rev
3.6.4
Build tool (ie. output of
mvnw --version
orgradlew --version
)Apache Maven 3.9.2
Additional information
Will try to provide a small reproducer in the coming days. It is currently not entirely clear whether there were also changes in the user application that might have impacted the behaviour of our code.
The text was updated successfully, but these errors were encountered: