quarkus icon indicating copy to clipboard operation
quarkus copied to clipboard

Published 20 hours ago verified publisher icon quarkusio

Fix Smallrye OpenApi CORS when http path is not attached to main router

Open michalvavrik opened this issue 2 years ago • 4 comments

fixes: #26296

When non-application root path is not underneath the HTTP root path, filters (such as authorization, authentication, cors) are not applied. That lead to situation when user had to expose his OpenApi endpoints on application root in order to have (non-default) CORS headers. However current implementation expected CORS filter to be applied when CORS are enabled (please see comment https://github.com/quarkusio/quarkus/blob/main/extensions/smallrye-openapi/runtime/src/main/java/io/quarkus/smallrye/openapi/runtime/OpenApiHandler.java#L78). I don't want to attach SmallRye OpenApi routes to http route router by default is that would defy documented behavior https://quarkus.io/guides/all-config#quarkus-vertx-http_quarkus.http.non-application-root-path.

This PR adds CORS filter to (and only to) SmallRye OpenApi routes when CORS are enabled and path is not attached to main router. autoSecurityFilter is registered as bean in a separate build step in order to avoid cycle.

michalvavrik avatar Sep 16 '22 19:09 michalvavrik

cc @sberyozkin @ebullient

michalvavrik avatar Sep 16 '22 19:09 michalvavrik

:waning_crescent_moon: This workflow status is outdated as a new workflow run has been triggered.

Failing Jobs - Building 733e9fecd460761bd0cb334aa290979248e2141c

Status Name Step Failures Logs Raw logs
Quickstarts Compilation - JDK 17 Compile Quickstarts Failures Logs Raw logs

Failures

:gear: Quickstarts Compilation - JDK 17 #

- Failing: optaplanner-quickstart

:package: optaplanner-quickstart

Failed to execute goal io.quarkus:quarkus-maven-plugin:999-SNAPSHOT:build (default) on project optaplanner-quickstart: Failed to build quarkus application

quarkus-bot[bot] avatar Sep 16 '22 20:09 quarkus-bot[bot]

Failing test is not related (it's Jandex issue, QE also experienced Jandex issues in our tests): Build step io.quarkus.deployment.steps.ApplicationIndexBuildStep#build threw an exception: java.lang.NoSuchMethodError: 'void org.jboss.jandex.Indexer.index(java.io.InputStream)'

michalvavrik avatar Sep 16 '22 20:09 michalvavrik

Let's also get the blessing of @sberyozkin on this :)

geoand avatar Sep 19 '22 06:09 geoand

Oops, apologies, looking now

sberyozkin avatar Sep 22 '22 20:09 sberyozkin

np @sberyozkin :-) you are busy

michalvavrik avatar Sep 22 '22 20:09 michalvavrik

@michalvavrik We all are :-), I just don't get why I get some notifications and why not, it is happening all the time.

In any case, sorry for the delay and thanks for continuing picking up tricky security issues :-) I've only proposed to change the test names as I got confused initially and could not figure out where those properties in the disabledCors test were coming from :-). Please rename if you agree, but not critical, thanks

sberyozkin avatar Sep 22 '22 20:09 sberyozkin

Renamed tests looked better, thank you, done.

michalvavrik avatar Sep 22 '22 20:09 michalvavrik