Is it possilbe to access UriInfo from a HttpSecurityPolicy?

[brice-laurencin]

I would love to be able to access UriInfo.getPathParameters from an HttpSecurityPolicy, but I cannot seem to be able to inject UriInfo properly. I tried adding @ActivateRequestContext to the HttpSecurityPolicy implementation without success.
I have the feeling the authorization happens before the Uri is parsed to a UriInfo.

[quarkus-bot[bot]]

/cc @sberyozkin (security)

[brice-laurencin]

Still empty path params.
I'm starting from the CustomNamedHttpSecPolicy from the doc (not the LTS version, we are using Quarkus 3.15.2 here).

import jakarta.enterprise.context.ApplicationScoped

import io.quarkus.security.identity.SecurityIdentity
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy.AuthorizationRequestContext
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy.CheckResult
import io.smallrye.mutiny.Uni
import io.vertx.ext.web.RoutingContext
import jakarta.enterprise.context.control.ActivateRequestContext
import jakarta.inject.Inject
import jakarta.ws.rs.core.UriInfo

@ApplicationScoped
@ActivateRequestContext
class CustomNamedHttpSecPolicy : HttpSecurityPolicy {
    @Inject
    lateinit var uriInfo: UriInfo

    override fun checkPermission(
        event: RoutingContext,
        identity: Uni<SecurityIdentity>,
        requestContext: AuthorizationRequestContext,
    ): Uni<CheckResult> {
        if (customRequestAuthorization(event)) {
            return Uni.createFrom().item(CheckResult.PERMIT)
        }
        return Uni.createFrom().item(CheckResult.DENY)
    }

    override fun name(): String {
        return "custom"
    }

    fun customRequestAuthorization(event: RoutingContext): Boolean {
        // here comes your own security check
        require(uriInfo.pathParameters.isNotEmpty())
        return !event.request().path().endsWith("denied")
    }
}

quarkus.http.auth.permission.custom1.policy=custom
quarkus.http.auth.permission.custom1.paths=*
quarkus.http.auth.proactive=false

But uriInfo is not accessible because of java.lang.IllegalStateException: No REST request in progress
event.pathParams() is empty.

[sberyozkin]

@brice-laurencin OK, the only other thing I can suggest is try to bind the policy to the endpoint with AuthorizationPolicy, as opposed to configuring paths in configuration, see the example in this section, https://quarkus.io/guides/security-authorize-web-endpoints-reference#custom-http-security-policy, though it is available starting from 3.16...

May be also try to drop ActivateRequestContext, I wonder if it is resetting the current state...

That said, it is probably not going to work, since HttpSecurityPolicy is indeed running before the request can be allowed to go ahead...

You may have to use RequestContext to extract path parameters manually, unfortunately.

Michal, @michalvavrik, what do you think ?

[sberyozkin]

@brice-laurencin Or may be you can implement a custom JAX-RS container request filter instead of HttpSecurityPolicy if you prefer to work with JAX-RS helpers like UriInfo and throw ForbiddenException in case of authorization failures ?

[michalvavrik]

hey @brice-laurencin and @sberyozkin ,

first of all, to expect that ActiveRequestContext will be populated with a UriInfo is wrong, you need a CDI request context prepared by Quarkus, so just forget about it. I tried to document it in past, but we somehow ended up dropping the text I prepared @sberyozkin :-)

@brice-laurencin Or may be you can implement a custom JAX-RS container request filter instead of HttpSecurityPolicy if you prefer to work with JAX-RS helpers like UriInfo and throw ForbiddenException in case of authorization failures ?

-1; our authorization policy should be more efficient and safer unless you are expert on this stuff in Quarkus (so Sergey can follow his own advice :-) )

There has been many improvements in this area and I don't remember in which version what was fixed, so in case my suggestions don't work, please re-check with the latest released version (update: apparently this was fixed in 3.10 #39920, time fly):

1. when quarkus.http.auth.permission.custom1.applies-to=all (which is default), authorization policy is executed before Quarkus REST / RESTEasy starts processing, so you cannot expect UriInfo even to exist
2. when quarkus.http.auth.permission.custom1.applies-to=jaxrs, you can inject UriInfo, I added tests for it (well, for resource info, but you know...) https://github.com/quarkusio/quarkus/blob/main/extensions/resteasy-reactive/rest/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/security/CustomHttpSecurityPolicy.java#L17 @brice-laurencin please check it out and confirm it works
3. alternatively @AuthorizationPolicy(name = "custom") placed on your endpoint should do the trick as well https://quarkus.io/guides/security-authorize-web-endpoints-reference#custom-http-security-policy, meaning - it is JAXRS policy so you can inject stuff there

Now, that should be enough for you.

For us @sberyozkin:

• let's document ^^^, agreed? I can do that, just want to get ok

[michalvavrik]

@brice-laurencin Can you try to disable the proactive authentication ? See https://quarkus.io/guides/security-proactive-authentication

this is correct advice for the CDI request context issue you got, but it is not necessary for the @AuthorizationPolicy or quarkus.http.auth.permission.custom1.applies-to=jaxrs, both works with proactive authentication enabled

[brice-laurencin]

Thanks a lot to you both!
@michalvavrik your suggestion for applies-to=jaxrs did it.
3.15 does not yet have @AuthorizationPolicy, but we'll switch to this later, and we might provide a meta-annotation to have more control over the actual implementation.

Thanks again.

[sberyozkin]

Great, I forgot about the policy jaxrs binding option, thanks @michalvavrik