-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failed auth with blocking authentication & a custom authentication failure mapper cause HTTP/2 error #34912
Comments
/cc @FroMage (resteasy-reactive), @Sgitario (resteasy-reactive), @geoand (resteasy-reactive), @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security), @stuartwdouglas (resteasy-reactive) |
To give better context to this issue, this is the stacktrace I'm seeing:
The problem is that after getting a response with auth failures, RESTEasy Reactive tries to customise the response (see this line), and for doing it, it starts a new context (see here) and pauses the already ended request in here which is fine for HTTP/1.1, but not for HTTP/2 (Vert.x throws the above exception). I'm not very familiar with the above flow, but at first, I don't follow why RESTEasy Reactive creates a new context with the already ended request to customize the response, which I think it's the issue. @michalvavrik can you clarify this? If the above is done on purpose, then we should somehow reset the HTTP/2 connection in VertxResteasyReactiveRequestContext or cc @michalvavrik @geoand @sberyozkin By the way, I had to modify the test from the reproducer to assert that the expected status code is 401, not 200. |
Next context should only be started if RESTEasy Reactive didn't start yet processing. The fact that it is happening after Line 83 in ab18d1b
@Sgitario ^^ I only base on your analysis. I'll need to debug this myself to tell more, but proper fix should be avoiding default auth failure handler. I'll have a look this week, unless you want to handle it yourself. |
Basically, my expectation is to remove default auth failure handler from routing context inside same Vert.X route handler that begin processing, which does a trick. And only start new context when Routing context was failed before RR created one. |
Line 83 in ab18d1b
Ah, I think I understand you now. So the problem is that I create context and then invoke handleException?
If not, I'll leave any other comment till I have time to look so that I don't waste your time. |
Exactly, this is creating a new context with an existing request (which in the case of HTTP/2.0, can't be paused because it's already closed). Take your time next week to have a look at this flow. I'm not familiar with it, but I'd be rather than happy to help with anything). |
Thanks, will do. |
FYI it seems like a general problem when exception is thrown inside this Line 49 in c20d19e
Line 69 in ab18d1b
reproducer was fixed. IMHO we should provide similar executor for also cc @sberyozkin |
I'm sure you're totally right. Removing the resteasy-reactive label. Thanks for checking! |
Describe the bug
When the following combination is enabled:
quarkus.smallrye-jwt.blocking-authentication
istrue
The request fails with
Request has already been read
and results in a500
response instead of the mapped exception response.Expected behavior
HTTP/2 connections correctly support blocking authentication and authentication exception mappers.
Actual behavior
An exception is thrown with
Request has already been read
and a500
response is returned instead of the response returned by the exception mapper.How to Reproduce?
blocking-auth-mapper-fail-2.16.8.zip
blocking-auth-mapper-fail-3.2.1.zip
Running the included test reproduces the issue in both
2.16
and3.2
series.Output of
uname -a
orver
macOS 13.4
Output of
java -version
Java 17.0.4
GraalVM version (if different from Java)
No response
Quarkus version or git rev
3.2.1 & 2.16.8
Build tool (ie. output of
mvnw --version
orgradlew --version
)Gradle 8.1
Additional information
No response
The text was updated successfully, but these errors were encountered: