Repeating @PermissionsAllowed annotations totally disable method authentication

[AlexanderUkhta]

Describe the bug

Currently using the latest Quarkus 3.15.1.

I have my security annotations being used in the resource interface. While the method is annotated with a single @PermissionsAllowed annotation or is marked as @Authenticated - it all works fine. If the method is annotated with repeating @PermissionsAllowed, any auth or permission validation does not work (Got 200 OK on any request).

Please see my test resource with comments below:

@Path("/security_test")
interface TestResourceInterface {
    @GET
    @Path("/one")
    @PermissionsAllowed("zoneA:view")
    suspend fun one(): String     // works fine

    @GET
    @Path("/two")
    @PermissionsAllowed("zoneB:view", "zoneB:update")
    suspend fun two(): String      // works fine

    @GET
    @Path("/three")
    @PermissionsAllowed("zoneC:view")
    @PermissionsAllowed("zoneC:create")
    suspend fun three(): String      // does not work at all

    @GET
    @Path("/four")
    @Authenticated
    suspend fun four(): String       // works fine
}

If I put the @Authenticated additionally on the interface level - it all works fine. However, I can't use the @Authenticated annotation this way due to some limitations of my resource generator and because I still need to keep some api methods public.

Expected behavior

Repeating @PermissionsAllowed annotations on a method should work as multiple permissions, that all are needed to access the api method.

Actual behavior

Interface method, which is annotated with repeating @PermissionsAllowed and the interface is not marked with @Authenticated - always returns 200 OK.

How to Reproduce?

No response

Output of uname -a or ver

Darwin Kernel Version 21.6.0: Mon Jun 24 00:56:10 PDT 2024; root:xnu-8020.240.18.709.2~1/RELEASE_X86_64 x86_64

Output of java -version

openjdk version "21.0.4" 2024-07-16 LTS OpenJDK Runtime Environment Corretto-21.0.4.7.1 (build 21.0.4+7-LTS) OpenJDK 64-Bit Server VM Corretto-21.0.4.7.1 (build 21.0.4+7-LTS, mixed mode, sharing)

Quarkus version or git rev

3.15.1

Build tool (ie. output of mvnw --version or gradlew --version)

------------------------------------------------------------ Gradle 8.6 ------------------------------------------------------------ Build time: 2024-02-02 16:47:16 UTC Revision: d55c486870a0dc6f6278f53d21381396d0741c6e Kotlin: 1.9.20 Groovy: 3.0.17 Ant: Apache Ant(TM) version 1.10.13 compiled on January 4 2023 JVM: 18.0.2 (Amazon.com Inc. 18.0.2+9-FR) OS: Mac OS X 12.7.6 x86_64

Additional information

No response

[quarkus-bot]

/cc @geoand (kotlin)

[geoand]

cc @michalvavrik

[michalvavrik]

Before I start, https://quarkus.io/guides/security-authorize-web-endpoints-reference#endpoint-security-annotations-and-jakarta-rest-inheritance says you should only use security annotations on implementations. In order to not break existing behavior, we kept these of interface checks, that worked in past, working. That also makes user friendly validation exception really hard, although it is possible.

Repeating @PersmissionsAllowed annotations totally disable method authentication

We have great many tests like these. I think your scenario differs and in order to determine where, I need to run this.
@AlexanderUkhta while behavior you describe is intriguing, issue description is not enough because I don't know how your implementation looks like, neither I know how your configuration is setup. If you want me to look at this, can you provide something I can run or at least relevant code snippes (like interface + implementation + info about config setup like proactivate enabled/disabled )?

[michalvavrik]

Honestly:

    @GET
    @Path("/three")
    @PermissionsAllowed("zoneC:view")
    @PermissionsAllowed("zoneC:create")
    suspend fun three(): String      // does not work at all

doesn't give me information, because I don't know what permissions your identity has. Sorry for stupid question, but do you understand that your identity needs both zoneC:view and zoneC:create and you will only be granted access if your identity has both? I am just checking.

[michalvavrik]

So Got 200 OK on any request, you basically say that permission check is not applied. I'll check when you provide above-mentioned config.

[michalvavrik]

One more thing @AlexanderUkhta , are you using Quarkus REST or RESTEasy Classic? Better provide a reproducer.

[AlexanderUkhta]

you will only be granted access if your identity has both?

Sure, as I've written above - that was the expected behavior, but the access is granted anyway.

I'll check when you provide above-mentioned config.

I'll send you a link with an example a bit later.

[michalvavrik]

you will only be granted access if your identity has both?

Sure, as I've written above - that was the expected behavior, but the access is granted anyway.

Sure, sorry, I missed that.

I'll check when you provide above-mentioned config.

I'll send you a link with an example a bit later.

Thanks. It doesn't need to be minimal, just something that can be run (even after adjustments).

[michalvavrik]

@AlexanderUkhta I think I have guessed it. Better not spend time on it and don't create the reproducer. Please forget about the reproducer. Let's just confirm me 2 things:

• it works if you move annotation down to the implementation
• you are using Quarkus REST

[sberyozkin]

We have it documented at https://quarkus.io/guides/security-authorize-web-endpoints-reference#endpoint-security-annotations-and-jakarta-rest-inheritance as well

[AlexanderUkhta]

@michalvavrik

you are using Quarkus REST

Yes, you're right.

it works if you move annotation down to the implementation

I've just tried to move my @PermissionsAllowed annotation to the implementation. Let's look at the snippets below.

1. The case with the single annotation on the impl method.

My interface now:

import io.quarkus.security.Authenticated
import io.quarkus.security.PermissionsAllowed
import jakarta.ws.rs.GET
import jakarta.ws.rs.Path

@Path("/security_test")
interface TestResourceInterface {
    @GET
    @Path("/three")
    suspend fun three(): String
}

My implementation is sth like (let's assume, that auditor is just some module, which suspend methods are to be called):

import io.quarkus.security.PermissionsAllowed
import my.audit.package.BaseAuditEvent
import my.audit.package.LoggingAuditor

class TestResource(
    private val auditor: LoggingAuditor
): TestResourceInterface {

    @PermissionsAllowed("permission:view")
    override suspend fun three(): String = auditor.withAudit(BaseAuditEvent.someEvent) {
        "ok"
    }
}

And that is my test (kerberos auth is used and roles/permissions are stored in db):

@QuarkusTest
class SomeTest {
    @BeforeEach
    fun setUp() {  // some kerberos test pre-configuration
        RestAssured.replaceFiltersWith(
            SpnegoAuthFilter(PRINCIPAL, "someUser"),  
            RequestLoggingFilter(),
            ResponseLoggingFilter()
        )
    }

    @Test
    fun `user with not all required permissions should not be allowed to consume api`() {
        val role = createRole()
        assignPermissions(role, "permission:create")
        assignUser(role, PREDEFINED_USER)
        setupRestAssured(PREDEFINED_USER)

        When {
            get("/security_test/three")
        } Then {
            statusCode(403)
        }
    }
}

Above everything is fine.

2. The case with the repeating annotations on the impl method.

Now only my method annotations quantity is changed:

    @PermissionsAllowed("permission:view")
    @PermissionsAllowed("permission:create")
    override suspend fun three(): String = auditor.withAudit(BaseAuditEvent.someEvent) {
        "ok"
    }

In this case I've got an exception:

java.lang.IllegalStateException: The current thread cannot be blocked: vert.x-eventloop-thread-2 @coroutine#13
	at io.smallrye.mutiny.operators.uni.UniBlockingAwait.await(UniBlockingAwait.java:30)
	at io.smallrye.mutiny.groups.UniAwait.atMost(UniAwait.java:65)
	at io.smallrye.mutiny.groups.UniAwait.indefinitely(UniAwait.java:46)
	at io.quarkus.security.identity.SecurityIdentity.checkPermissionBlocking(SecurityIdentity.java:126)
	at io.quarkus.security.runtime.interceptor.check.PermissionSecurityCheck$3.checkPermissions(PermissionSecurityCheck.java:194)
	at io.quarkus.security.runtime.interceptor.check.PermissionSecurityCheck$3.checkPermissions(PermissionSecurityCheck.java:168)
	at io.quarkus.security.runtime.interceptor.check.PermissionSecurityCheck.apply(PermissionSecurityCheck.java:50)
	at io.quarkus.security.runtime.interceptor.SecurityConstrainer.check(SecurityConstrainer.java:77)
	at io.quarkus.security.runtime.interceptor.SecurityHandler.handle(SecurityHandler.java:46)
	at io.quarkus.security.runtime.interceptor.PermissionsAllowedInterceptor.intercept(PermissionsAllowedInterceptor.java:26)
	at io.quarkus.security.runtime.interceptor.PermissionsAllowedInterceptor_Bean.intercept(Unknown Source)
	at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
	at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70)
	at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:62)
	at io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor.intercept(StandardSecurityCheckInterceptor.java:44)
	at io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor_PermissionsAllowedInterceptor_Bean.intercept(Unknown Source)
	at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
	at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:30)
	at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:27)
	at tech.inno.lcm.authz.TestResource_Subclass.three(Unknown Source)
	at tech.inno.lcm.authz.TestResourceInterface$quarkuscoroutineinvoker$three_ecf4e964fe2c1e096a50494ac09d978f06fc9357.invokeCoroutine(Unknown Source)
	at org.jboss.resteasy.reactive.server.runtime.kotlin.CoroutineInvocationHandler$handle$job$1.invokeSuspend(CoroutineInvocationHandler.kt:48)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
	at org.jboss.resteasy.reactive.server.runtime.kotlin.VertxDispatcher.dispatch$lambda$0(ApplicationCoroutineScope.kt:45)
	at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:270)
	at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:252)
	at io.vertx.core.impl.ContextInternal.lambda$runOnContext$0(ContextInternal.java:50)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

Seems to be a problem with a blocking call in io.quarkus.security.runtime.interceptor.check.PermissionSecurityCheck#checkPermissions(io.quarkus.security.identity.SecurityIdentity, java.security.Permission[][]), doesn't it:

quarkus/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/interceptor/check/PermissionSecurityCheck.java

Line 194 in a98a3f9

if (identity.checkPermissionBlocking(permission)) {

[michalvavrik]

Thank you for confirming @AlexanderUkhta , and thanks for reporting this.

In this case I've got an exception:

that's this one I think #44068, maybe have a look, I provided there context

[michalvavrik]

We don't want to support security annotations on interfaces, but what you describe here is bad user experience and we can definitely do better. I'll take care of it this or next week.