Skip to content

Commit

Permalink
Edit security-proactive-authentication.adoc
Browse files Browse the repository at this point in the history
  • Loading branch information
rolfedh committed Dec 19, 2023
1 parent 4d07a91 commit 971cf67
Showing 1 changed file with 15 additions and 15 deletions.
30 changes: 15 additions & 15 deletions docs/src/main/asciidoc/security-proactive-authentication.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,11 @@ include::_attributes.adoc[]
:topics: security,authentication

Check warning on line 11 in docs/src/main/asciidoc/security-proactive-authentication.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale

[vale] reported by reviewdog 🐶 [Quarkus.SentenceLength] Try to keep sentences to an average of 32 words or fewer. Raw Output: {"message": "[Quarkus.SentenceLength] Try to keep sentences to an average of 32 words or fewer.", "location": {"path": "docs/src/main/asciidoc/security-proactive-authentication.adoc", "range": {"start": {"line": 11, "column": 31}}}, "severity": "INFO"}
:extensions: io.quarkus:quarkus-vertx-http

Proactive authentication is enabled in Quarkus by default. This means that if an incoming request has a credential then that request will always be authenticated, even if the target page does not require authentication.
Proactive authentication is enabled in Quarkus by default. If an incoming request has a credential, the request is always authenticated, even if the target page does not require authentication.

[[proactive-authentication]]

Requests with an invalid credential will always be rejected, even when the page is public.
Requests with an invalid credential are always rejected, even when the page is public.

If you only want to authenticate when the target page requires authentication, you can change the default behavior.

Expand All @@ -30,28 +30,28 @@ If you disable proactive authentication, the authentication process runs only wh
An identity can be requested because of security rules that require the user to authenticate or because programmatic access to the current identity is required.

If proactive authentication is in use, accessing `SecurityIdentity` is a blocking operation.
This is because authentication might have yet to happen and accessing `SecurityIdentity` might require calls to external systems, such as databases, that might block the operation.
This is because authentication might have yet to happen, and accessing `SecurityIdentity` might require calls to external systems, such as databases, that might block the operation.

Check warning on line 33 in docs/src/main/asciidoc/security-proactive-authentication.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale

[vale] reported by reviewdog 🐶 [Quarkus.TermsSuggestions] Depending on the context, consider using ', which (non restrictive clause preceded by a comma)' or 'that (restrictive clause without a comma)' rather than ', that'. Raw Output: {"message": "[Quarkus.TermsSuggestions] Depending on the context, consider using ', which (non restrictive clause preceded by a comma)' or 'that (restrictive clause without a comma)' rather than ', that'.", "location": {"path": "docs/src/main/asciidoc/security-proactive-authentication.adoc", "range": {"start": {"line": 33, "column": 128}}}, "severity": "INFO"}
For blocking applications, this is not an issue.
However, if you have disabled authentication in a reactive application, this will fail because you cannot do blocking operations on the I/O thread.
However, if you have disabled authentication in a reactive application, this fails because you cannot do blocking operations on the I/O thread.
To work around this, you need to `@Inject` an instance of `io.quarkus.security.identity.CurrentIdentityAssociation` and call the `Uni<SecurityIdentity> getDeferredIdentity();` method.
Then, you can subscribe to the resulting `Uni` and will be notified when authentication is complete and the identity is available.
Then, you can subscribe to the resulting `Uni` to be notified when authentication is complete and the identity is available.

[NOTE]
====
You can still access `SecurityIdentity` synchronously with `public SecurityIdentity getIdentity()` in xref:resteasy-reactive.adoc[RESTEasy Reactive] from endpoints that are annotated with `@RolesAllowed`, `@Authenticated`, or with respective configuration authorization checks because authentication has already happened.
The same is also valid for xref:reactive-routes.adoc[Reactive routes] if a route response is synchronous.
====

xref:security-authorize-web-endpoints-reference.adoc#standard-security-annotations[Standard security annotations] on CDI beans are not supported on an I/O thread if a non-void secured method returns a value synchronously and proactive authentication is disabled because they need to access `SecurityIdentity`.
xref:security-authorize-web-endpoints-reference.adoc#standard-security-annotations[Standard security annotations] on Contexts and Dependency Injection (CDI) beans are not supported on an I/O thread if a non-void secured method returns a value synchronously and proactive authentication is disabled because they need to access `SecurityIdentity`.

Check warning on line 45 in docs/src/main/asciidoc/security-proactive-authentication.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale

[vale] reported by reviewdog 🐶 [Quarkus.Fluff] Depending on the context, consider using 'Rewrite the sentence, or use 'must', instead of' rather than 'need to'. Raw Output: {"message": "[Quarkus.Fluff] Depending on the context, consider using 'Rewrite the sentence, or use 'must', instead of' rather than 'need to'.", "location": {"path": "docs/src/main/asciidoc/security-proactive-authentication.adoc", "range": {"start": {"line": 45, "column": 312}}}, "severity": "INFO"}

In the following example, `HelloResource` and `HelloService` are defined.
Any GET request to `/hello` will run on the I/O thread and throw a `BlockingOperationNotAllowedException` exception.
The following example defines `HelloResource` and `HelloService`.
Any GET request to `/hello` runs on the I/O thread and throws a `BlockingOperationNotAllowedException` exception.

There is more than one way to fix the example:

* Switch to a worker thread by annotating the `hello` endpoint with `@Blocking`.
* Change the `sayHello` method return type by using a reactive or asynchronous data type.
* Move `@RolesAllowed` annotation to the endpoint.
* Move the `@RolesAllowed` annotation to the endpoint.
This could be one of the safest ways because accessing `SecurityIdentity` from endpoint methods is never the blocking operation.
[source,java]
Expand Down Expand Up @@ -97,7 +97,7 @@ public class HelloService {
[[customize-auth-exception-responses]]
== Customize authentication exception responses

You can use Jakarta REST `ExceptionMapper` to capture Quarkus Security authentication exceptions such as `io.quarkus.security.AuthenticationFailedException`, for example:
You can use Jakarta REST `ExceptionMapper` to capture Quarkus Security authentication exceptions such as `io.quarkus.security.AuthenticationFailedException`. For example:

[source,java]
----
Expand Down Expand Up @@ -125,12 +125,12 @@ public class AuthenticationFailedExceptionMapper implements ExceptionMapper<Auth
}
----

CAUTION: Some HTTP authentication mechanisms need to handle authentication exceptions themselves to create a correct authentication challenge.
For example, `io.quarkus.oidc.runtime.CodeAuthenticationMechanism`, which manages OpenID Connect (OIDC) authorization code flow authentication, needs to build a correct redirect URL, cookies, and so on.
For that reason, avoid using custom exception mappers to customize authentication exceptions thrown by such mechanisms.
CAUTION: Some HTTP authentication mechanisms must handle authentication exceptions themselves to create a correct authentication challenge.
For example, `io.quarkus.oidc.runtime.CodeAuthenticationMechanism`, which manages OpenID Connect (OIDC) authorization code flow authentication, must build a correct redirect URL and cookies, among other components.

Check warning on line 129 in docs/src/main/asciidoc/security-proactive-authentication.adoc

View workflow job for this annotation

GitHub Actions / Linting with Vale

[vale] reported by reviewdog 🐶 [Quarkus.TermsSuggestions] Depending on the context, consider using 'by using' or 'that uses' rather than 'using'. Raw Output: {"message": "[Quarkus.TermsSuggestions] Depending on the context, consider using 'by using' or 'that uses' rather than 'using'.", "location": {"path": "docs/src/main/asciidoc/security-proactive-authentication.adoc", "range": {"start": {"line": 129, "column": 211}}}, "severity": "INFO"}
Therefore, avoid using custom exception mappers to customize authentication exceptions thrown by such mechanisms.
Instead, a safer approach is to ensure that proactive authentication is enabled and to use Vert.x HTTP route failure handlers.
This is because events come to the handler with the correct response status and headers.
You then only need to customize the response, as shown in the following example:
Then, you must only customize the response; for example:

[source,java]
----
Expand Down Expand Up @@ -167,4 +167,4 @@ public class AuthenticationFailedExceptionHandler {
* xref:security-overview.adoc[Quarkus Security overview]
* xref:security-architecture.adoc[Quarkus Security architecture]
* xref:security-authentication-mechanisms.adoc[Authentication mechanisms in Quarkus]
* xref:security-identity-providers.adoc[Identity providers]
* xref:security-identity-providers.adoc[Identity providers]

0 comments on commit 971cf67

Please sign in to comment.