Merge pull request quarkusio#43425 from michalvavrik/feature/fix-sec-…
…ctx-override-handler

Avoid SecurityContextOverrideHandler NPE when user provided custom JAX-RS security context and Quarkus Security is not present
sberyozkin authored Sep 21, 2024
2 parents d66745c + 5a48e6d commit 1453cd3
Showing 1 changed file with 13 additions and 3 deletions.
Expand Up @@ -16,6 +16,7 @@
import org.jboss.resteasy.reactive.server.model.ServerResourceMethod;
import org.jboss.resteasy.reactive.server.spi.ServerRestHandler;

import io.quarkus.arc.Arc;
import io.quarkus.resteasy.reactive.server.runtime.ResteasyReactiveSecurityContext;
import io.quarkus.security.credential.Credential;
import io.quarkus.security.identity.CurrentIdentityAssociation;
Expand Down Expand Up @@ -45,11 +46,11 @@ public void handle(ResteasyReactiveRequestContext requestContext) throws Excepti
updateIdentity(requestContext, modified);
}

private void updateIdentity(ResteasyReactiveRequestContext requestContext, SecurityContext modified) {
private static void updateIdentity(ResteasyReactiveRequestContext requestContext, SecurityContext modified) {
requestContext.requireCDIRequestScope();
if (EagerSecurityContext.instance.identityAssociation.isResolvable()) {
final CurrentIdentityAssociation currentIdentityAssociation = getIdentityAssociation();
if (currentIdentityAssociation != null) {
RoutingContext routingContext = requestContext.unwrap(RoutingContext.class);
CurrentIdentityAssociation currentIdentityAssociation = EagerSecurityContext.instance.identityAssociation.get();
Uni<SecurityIdentity> oldIdentity = currentIdentityAssociation.getDeferredIdentity();
currentIdentityAssociation.setIdentity(oldIdentity.map(new Function<SecurityIdentity, SecurityIdentity>() {
@Override
Expand Down Expand Up @@ -119,6 +120,15 @@ public Uni<Boolean> checkPermission(Permission permission) {
}
}

private static CurrentIdentityAssociation getIdentityAssociation() {
if (EagerSecurityContext.instance != null) {
return EagerSecurityContext.instance.identityAssociation.orElse(null);
}
// this should only happen when Quarkus Security extension is not present
// but user implements security themselves, like in their own JAX-RS filter
return Arc.container().instance(CurrentIdentityAssociation.class).orElse(null);
}

public static class Customizer implements HandlerChainCustomizer {
@Override
public List<ServerRestHandler> handlers(Phase phase, ResourceClass resourceClass,
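Review bot: `getIdentityAssociation()` can return null from either branch, and `updateIdentity` then skips the identity update silently, so a custom JAX-RS `SecurityContext` is not mirrored into `SecurityIdentity` and nothing records why. With `EagerSecurityContext.instance` set this matches the old `isResolvable()` guard, but the new helper should state its contract, e.g. `/** Returns the CurrentIdentityAssociation for this request, or null when no such bean is resolvable; callers must then leave the identity untouched. */`, and a debug-level message on the null path would help when diagnosing authorization that does not see the overridden principal. The body of `updateIdentity` continues outside the hunk, so an existing else branch cannot be ruled out from here. Only one file changes in this commit, so unless it is covered elsewhere, a regression test for the case named in the comment (custom filter, Quarkus Security extension absent) would keep the fallback `Arc.container()` lookup from regressing.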
