Enabling Basic Authentication for Management Interface results in CDI error

[grigala]

Hello,

I'm following this guide and trying to expose an endpoint on a management interface that is secured using Basic auth. However, as soon as I enable quarkus.management.auth.basic=true I get a dependency injection error for ManagementPathMatchingHttpSecurityPolicy.

Caused by: jakarta.enterprise.inject.UnsatisfiedResolutionException: 
Unsatisfied dependency for type io.quarkus.vertx.http.runtime.security.ManagementPathMatchingHttpSecurityPolicy and qualifiers [@Default]
	- java member: io.quarkus.vertx.http.runtime.security.ManagementInterfaceHttpAuthorizer():installedPolicy
	- declared on CLASS bean [
	    types=[io.quarkus.vertx.http.runtime.security.ManagementInterfaceHttpAuthorizer, io.quarkus.vertx.http.runtime.security.AbstractHttpAuthorizer, java.lang.Object], 
	    qualifiers=[@Default, @Any], 
            target=io.quarkus.vertx.http.runtime.security.ManagementInterfaceHttpAuthorizer
         ]

Am I missing a dependency or something? Or do I have to register a provider for this bean? https://github.com/quarkusio/quarkus/blob/7f5029944a47906715a32addac682435147c7f5e/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/ManagementInterfaceHttpAuthorizer.java#L22C78-L22C78

Using Quarkus 3.2.6.Final-redhat-00002

[quarkus-bot[bot]]

/cc @Ladicek (arc), @manovotn (arc), @mkouba (arc)

[sberyozkin]

Hi @grigala, can you check the tests please, https://github.com/quarkusio/quarkus/tree/main/integration-tests/management-interface-auth, may be some dependency is missing ?

[grigala]

Hi @sberyozkin, thanks for the reply. Can you point out which dependency is actually relevant/provides that bean?

From non-test dependencies I'm missing these three but question is are they relevant and if so which one?

        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-resteasy-reactive-jackson</artifactId>
        </dependency>
        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-elytron-security-properties-file</artifactId>
        </dependency>
        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-smallrye-jwt</artifactId>
        </dependency>

I will try out pulling all three of them and see if it helps. Though for *-jackson I have to pull the legacy version quarkus-reseasy-jackson as we are still using those.

[manovotn]

The bean you're missing (ManagementPathMatchingHttpSecurityPolicy) seems to be coming from quarkus-vertx-http-deployment.
Here is the source for it - https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/ManagementPathMatchingHttpSecurityPolicy.java
And it is conditionally registered as unremovable bean via this processor.

[sberyozkin]

3.2.6.Final upstream tag: https://github.com/quarkusio/quarkus/tree/3.2.6.Final/integration-tests/management-interface-auth

[grigala]

@sberyozkin small example project with the same dependencies as in the test: https://github.com/grigala/quarkus-management-interface-demo

application.properties

quarkus.management.enabled=true
quarkus.management.auth.basic=true

Registering management endpoint as shown on https://quarkus.io/guides/management-interface-reference#management-endpoint-application:

  public void registerManagementRoutes(@Observes ManagementInterface mi) {
    mi.router().get("/test").handler(ctx -> {
      if (ctx.user() != null) {
        ctx.response().setStatusCode(200).end("Ok");
      } else {
        ctx.response().setStatusCode(401).end("Unauthorized");
      }
    });
  }

Running quarkus:dev, results in:

[grigala]

Ok I think I found the issue. The users have to be defined in the properties files otherwise the bean is not injected.

quarkus.security.users.embedded.plain-text=true
quarkus.security.users.embedded.users.alice=alice 

[sberyozkin]

@grigala Right, I'll get the docs fixed and we also need to make sure in the docs that this is only an example, and that either security jpa or LDAP should be used to manage the users/secrets, thanks