Merge pull request #43425 from michalvavrik/feature/fix-sec-ctx-overr…

…ide-handler Avoid SecurityContextOverrideHandler NPE when user provided custom JAX-RS security context and Quarkus Security is not present
quarkusio · Sep 21, 2024 · 1453cd3 · 1453cd3
2 parents d66745c + 5a48e6d
commit 1453cd3
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/.../io/quarkus/resteasy/reactive/server/runtime/security/SecurityContextOverrideHandler.java b/.../io/quarkus/resteasy/reactive/server/runtime/security/SecurityContextOverrideHandler.java
@@ -16,6 +16,7 @@
 import org.jboss.resteasy.reactive.server.model.ServerResourceMethod;
 import org.jboss.resteasy.reactive.server.spi.ServerRestHandler;
 
+import io.quarkus.arc.Arc;
 import io.quarkus.resteasy.reactive.server.runtime.ResteasyReactiveSecurityContext;
 import io.quarkus.security.credential.Credential;
 import io.quarkus.security.identity.CurrentIdentityAssociation;
@@ -45,11 +46,11 @@ public void handle(ResteasyReactiveRequestContext requestContext) throws Excepti
         updateIdentity(requestContext, modified);
     }
 
-    private void updateIdentity(ResteasyReactiveRequestContext requestContext, SecurityContext modified) {
+    private static void updateIdentity(ResteasyReactiveRequestContext requestContext, SecurityContext modified) {
         requestContext.requireCDIRequestScope();
-        if (EagerSecurityContext.instance.identityAssociation.isResolvable()) {
+        final CurrentIdentityAssociation currentIdentityAssociation = getIdentityAssociation();
+        if (currentIdentityAssociation != null) {
             RoutingContext routingContext = requestContext.unwrap(RoutingContext.class);
-            CurrentIdentityAssociation currentIdentityAssociation = EagerSecurityContext.instance.identityAssociation.get();
             Uni<SecurityIdentity> oldIdentity = currentIdentityAssociation.getDeferredIdentity();
             currentIdentityAssociation.setIdentity(oldIdentity.map(new Function<SecurityIdentity, SecurityIdentity>() {
                 @Override
@@ -119,6 +120,15 @@ public Uni<Boolean> checkPermission(Permission permission) {
         }
     }
 
+    private static CurrentIdentityAssociation getIdentityAssociation() {
+        if (EagerSecurityContext.instance != null) {
+            return EagerSecurityContext.instance.identityAssociation.orElse(null);
+        }
+        // this should only happen when Quarkus Security extension is not present
+        // but user implements security themselves, like in their own JAX-RS filter
+        return Arc.container().instance(CurrentIdentityAssociation.class).orElse(null);
+    }
+
     public static class Customizer implements HandlerChainCustomizer {
         @Override
         public List<ServerRestHandler> handlers(Phase phase, ResourceClass resourceClass,