use of io.quarkus.security.ForbiddenException in project quarkus-resteasy-problem by TietoEVRY.
the class ForbiddenExceptionMapperTest method shouldProduceHttp403.
@Test
void shouldProduceHttp403() {
ForbiddenException exception = new ForbiddenException();
Response response = mapper.toResponse(exception);
assertThat(response.getStatus()).isEqualTo(403);
}
use of io.quarkus.security.ForbiddenException in project quarkus by quarkusio.
the class PrincipalNameFromParameterSecurityCheck method doApply.
private void doApply(SecurityIdentity identity, Object[] parameters, String className, String methodName) {
if (index > parameters.length - 1) {
throw genericNotApplicableException(className, methodName);
}
Object parameterValue = parameters[index];
if (!(parameterValue instanceof String)) {
throw genericNotApplicableException(className, methodName);
}
String parameterValueStr = (String) parameterValue;
if (identity.isAnonymous()) {
throw new UnauthorizedException();
}
String name = identity.getPrincipal().getName();
if (checkType == CheckType.EQ) {
if (!name.equals(parameterValueStr)) {
throw new ForbiddenException();
}
} else if (checkType == CheckType.NEQ) {
if (name.equals(parameterValueStr)) {
throw new ForbiddenException();
}
}
}
use of io.quarkus.security.ForbiddenException in project quarkus by quarkusio.
the class UndertowDeploymentRecorder method bootServletContainer.
public DeploymentManager bootServletContainer(RuntimeValue<DeploymentInfo> info, BeanContainer beanContainer, LaunchMode launchMode, ShutdownContext shutdownContext) {
if (info.getValue().getExceptionHandler() == null) {
// if a 500 error page has not been mapped we change the default to our more modern one, with a UID in the
// log. If this is not production we also include the stack trace
boolean alreadyMapped = false;
for (ErrorPage i : info.getValue().getErrorPages()) {
if (i.getErrorCode() != null && i.getErrorCode() == StatusCodes.INTERNAL_SERVER_ERROR) {
alreadyMapped = true;
break;
}
}
if (!alreadyMapped || launchMode.isDevOrTest()) {
info.getValue().setExceptionHandler(new QuarkusExceptionHandler());
info.getValue().addErrorPage(new ErrorPage("/@QuarkusError", StatusCodes.INTERNAL_SERVER_ERROR));
info.getValue().addServlet(new ServletInfo("@QuarkusError", QuarkusErrorServlet.class).addMapping("/@QuarkusError").setAsyncSupported(true).addInitParam(QuarkusErrorServlet.SHOW_STACK, Boolean.toString(launchMode.isDevOrTest())));
}
}
setupRequestScope(info.getValue(), beanContainer);
try {
ClassIntrospecter defaultVal = info.getValue().getClassIntrospecter();
info.getValue().setClassIntrospecter(new ClassIntrospecter() {
@Override
public <T> InstanceFactory<T> createInstanceFactory(Class<T> clazz) throws NoSuchMethodException {
BeanContainer.Factory<T> res = beanContainer.instanceFactory(clazz);
if (res == null) {
return defaultVal.createInstanceFactory(clazz);
}
return new InstanceFactory<T>() {
@Override
public InstanceHandle<T> createInstance() throws InstantiationException {
BeanContainer.Instance<T> ih = res.create();
return new InstanceHandle<T>() {
@Override
public T getInstance() {
return ih.get();
}
@Override
public void release() {
ih.close();
}
};
}
};
}
});
ExceptionHandler existing = info.getValue().getExceptionHandler();
info.getValue().setExceptionHandler(new ExceptionHandler() {
@Override
public boolean handleThrowable(HttpServerExchange exchange, ServletRequest request, ServletResponse response, Throwable throwable) {
if (throwable instanceof AuthenticationFailedException || throwable instanceof UnauthorizedException) {
String location = servletContext.getDeployment().getErrorPages().getErrorLocation(throwable);
// if these have been mapped we use the mapping
if (location == null || location.equals("/@QuarkusError")) {
if (throwable instanceof AuthenticationFailedException || exchange.getSecurityContext().getAuthenticatedAccount() == null) {
if (!exchange.isResponseStarted()) {
exchange.getSecurityContext().setAuthenticationRequired();
if (exchange.getSecurityContext().authenticate()) {
// if we can authenticate then the request is just forbidden
// this can happen with lazy auth
exchange.setStatusCode(StatusCodes.FORBIDDEN);
}
}
} else {
exchange.setStatusCode(StatusCodes.FORBIDDEN);
}
return true;
}
} else if (throwable instanceof ForbiddenException) {
String location = servletContext.getDeployment().getErrorPages().getErrorLocation(throwable);
// if these have been mapped we use the mapping
if (location == null || location.equals("/@QuarkusError")) {
exchange.setStatusCode(StatusCodes.FORBIDDEN);
return true;
}
}
return existing.handleThrowable(exchange, request, response, throwable);
}
});
ServletContainer servletContainer = Servlets.defaultContainer();
DeploymentManager manager = servletContainer.addDeployment(info.getValue());
manager.deploy();
manager.start();
servletContext = manager.getDeployment().getServletContext();
shutdownContext.addShutdownTask(new Runnable() {
@Override
public void run() {
servletContext = null;
}
});
return manager;
} catch (Exception e) {
throw new RuntimeException(e);
}
}
use of io.quarkus.security.ForbiddenException in project quarkus by quarkusio.
the class QuarkusErrorHandler method handle.
@Override
public void handle(RoutingContext event) {
try {
if (event.failure() == null) {
event.response().setStatusCode(event.statusCode());
event.response().end();
return;
}
// this can happen if there is no auth mechanisms
if (event.failure() instanceof UnauthorizedException) {
HttpAuthenticator authenticator = event.get(HttpAuthenticator.class.getName());
if (authenticator != null) {
authenticator.sendChallenge(event).subscribe().with(new Consumer<Boolean>() {
@Override
public void accept(Boolean aBoolean) {
event.response().end();
}
}, new Consumer<Throwable>() {
@Override
public void accept(Throwable throwable) {
event.fail(throwable);
}
});
} else {
event.response().setStatusCode(HttpResponseStatus.UNAUTHORIZED.code()).end();
}
return;
}
if (event.failure() instanceof ForbiddenException) {
event.response().setStatusCode(HttpResponseStatus.FORBIDDEN.code()).end();
return;
}
if (event.failure() instanceof AuthenticationFailedException) {
// generally this should be handled elsewhere
// but if we get to this point bad things have happened
// so it is better to send a response than to hang
event.response().setStatusCode(HttpResponseStatus.UNAUTHORIZED.code()).end();
return;
}
} catch (IllegalStateException e) {
// ignore this if the response is already started
if (!event.response().ended()) {
// could be that just the head is committed
event.response().end();
}
return;
}
if (!event.response().headWritten()) {
event.response().setStatusCode(event.statusCode() > 0 ? event.statusCode() : 500);
}
String uuid = BASE_ID + ERROR_COUNT.incrementAndGet();
String details;
String stack = "";
Throwable exception = event.failure();
String responseContentType = null;
try {
responseContentType = ContentTypes.pickFirstSupportedAndAcceptedContentType(event);
} catch (RuntimeException e) {
// Let's shield ourselves from bugs in this parsing code:
// we're already handling an exception,
// so the priority is to return *something* to the user.
// If we can't pick the appropriate content-type, well, so be it.
exception.addSuppressed(e);
}
if (showStack && exception != null) {
details = generateHeaderMessage(exception, uuid);
stack = generateStackTrace(exception);
} else {
details = generateHeaderMessage(uuid);
}
if (event.failure() instanceof IOException) {
log.debugf(exception, "IOError processing HTTP request to %s failed, the client likely terminated the connection. Error id: %s", event.request().uri(), uuid);
} else {
log.errorf(exception, "HTTP Request to %s failed, error id: %s", event.request().uri(), uuid);
}
// if not we just return
if (event.response().ended()) {
return;
} else if (event.response().headWritten()) {
event.response().end();
return;
}
if (responseContentType == null) {
responseContentType = "";
}
switch(responseContentType) {
case ContentTypes.TEXT_HTML:
case ContentTypes.APPLICATION_XHTML:
case ContentTypes.APPLICATION_XML:
case ContentTypes.TEXT_XML:
htmlResponse(event, details, exception);
break;
case ContentTypes.APPLICATION_JSON:
case ContentTypes.TEXT_JSON:
jsonResponse(event, responseContentType, details, stack);
break;
default:
// We default to JSON representation
switch(contentTypeDefault.orElse(HttpConfiguration.PayloadHint.JSON)) {
case HTML:
htmlResponse(event, details, exception);
break;
case JSON:
default:
jsonResponse(event, ContentTypes.APPLICATION_JSON, details, stack);
break;
}
break;
}
}
Aggregations