JaxRS Security wrong content-type #5998
Comments
@sberyozkin @stuartwdouglas I assume this is a bug right? I am not sure what the proper behavior should be in this case.
Thanks for checking @sberyozkin !
@sberyozkin Yes the body returned is "Forbidden", which doesn't match the test:

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;

import java.util.Base64;

import org.junit.jupiter.api.Test;

import io.quarkus.test.junit.QuarkusTest;

// Test class wrapper and @QuarkusTest annotation added so the method compiles as a Quarkus test
@QuarkusTest
public class ForbiddenEndpointTest {

    @Test
    public void testForbiddenEndpoint() {
        given()
            .when()
            // Basic auth for a user that lacks the role required by the endpoint
            .header("Authorization", "Basic " + Base64.getEncoder().encodeToString("user:passwd".getBytes()))
            .get("/hello/forbidden")
            .then()
            .statusCode(403)
            // the body is plain text, so the declared Content-Type must say so
            .header("Content-Type", "text/plain")
            .body(is("Forbidden"));
    }
}
```
@SlyngDK Thanks...
I'm nearly 100% sure that the Content-Type was about the content negotiation on the normal, non-exceptional path, example, the client sets
Alternatively, @SlyngDK, you may be able to intercept it with
That said it looks like all you are suggesting is that Content-Type is set to
I created this issue because behavior has changed, to something wrong.
@SlyngDK I agree that because it is already the way it works, i.e., some extra text is returned in the body, this issue is relevant, thank you. (I'd fix it by not returning anything at all :-) but I realize not everyone may like this solution :-) ) Thanks
I think we could vary this based on the accept header. If the client is expecting an HTML page then we can return 'Forbidden', otherwise we should leave it blank, and ideally provide some way for the user to customise it.
In most cases the client is not a browser. Fixes quarkusio#5998
Describe the bug
When security is enabled and you call a JaxRS endpoint without any matching roles, "Forbidden" is returned as plain text, but the content-type is "application/json".
Expected behavior
Returned with content-type matching content.
Actual behavior
"Forbidden" is returned as plain text, but the content-type is "application/json".
To Reproduce
Reproducer can be found in this repo: https://github.com/SlyngDK/quarkus-jaxrs-security-wrong-content-type
Configuration
Environment (please complete the following information):
java -version: openjdk version "1.8.0_232"
Additional context
Has something changed about the default returned Content-Type???
Maybe this is also affecting other areas.
I have seen the same problem with a ContainerRequestFilter calling requestContext.abortWith() without setting the MediaType on the response; this changed with the new versions.
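As an added illustration (not code from this issue, the reproducer repo, or Quarkus itself) of the two points raised in the thread, a filter that sets an explicit media type when it aborts the request, and picks the 403 body based on the Accept header as suggested above. The class name and the "admin" role are assumptions.

```java
import java.io.IOException;
import java.util.List;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical authorization filter (not the Quarkus fix): callers without the
 * assumed "admin" role get a 403 whose Content-Type always matches its body,
 * instead of relying on whatever default the framework applies to abortWith().
 */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class ExplicitForbiddenFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        SecurityContext sc = ctx.getSecurityContext();
        if (sc != null && sc.isUserInRole("admin")) {
            return; // authorized: let the request reach the resource method
        }
        // getAcceptableMediaTypes() is ordered by the client's q-values
        ctx.abortWith(forbidden(ctx.getAcceptableMediaTypes()));
    }

    /** Build the 403 so the body format agrees with the declared Content-Type. */
    static Response forbidden(List<MediaType> accepted) {
        for (MediaType mt : accepted) {
            // Only an explicit text/html (not a */* wildcard) is treated as a browser
            if ("text".equalsIgnoreCase(mt.getType())
                    && "html".equalsIgnoreCase(mt.getSubtype())) {
                return Response.status(Response.Status.FORBIDDEN)
                        .type(MediaType.TEXT_HTML_TYPE)
                        .entity("<html><body>Forbidden</body></html>")
                        .build();
            }
        }
        // API clients: plain-text body with a matching plain-text Content-Type
        return Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.TEXT_PLAIN_TYPE)
                .entity("Forbidden")
                .build();
    }
}
```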