Accessing SecurityIdentity::isAnonymous without triggering HttpAuthenticationMechanism::authenticate

[Eng-Fouad]

Is it possible to access SecurityIdentity or JsonWebToken without triggering HttpAuthenticationMechanism::authenticate for endpoints annotated with @PermitAll? I would like to inquiry at service-level for SecurityIdentity::isAnonymous to check if the current request is authenticated or not.

Also, I disabled proactive authentication: quarkus.http.auth.proactive=false

[quarkus-bot[bot]]

/cc @sberyozkin (security)

[sberyozkin]

@Eng-Fouad Can you clarify please what is happening with @PermitAll and quarkus.http.auth.proactive=false, is some authentication mechanism causing side-effects for anonymous requests ?

Perhaps you should keep the proactive authentication and make the resource totally public if you'd like it to be semi-secured, with the proactive authentication staying enabled.

[Eng-Fouad]

@sberyozkin I have custom HttpAuthenticationMechanism that checks if Authorizarton header does not exist, it emits failure event with an exception which is translated to custom HTTP response inside an exception mapper. I am doing this only to customize HTTP 401 response.

[sberyozkin]

@Eng-Fouad So your custom HttpAuthenticationMechanism blocks anonymous requests, right ? I believe that if you'd like to check it at the application level code, then don't block it, return Uni.createFrom().voiditem()

[Eng-Fouad]

This is my custom HttpAuthenticationMechanism:

@Inject OidcAuthenticationMechanism delegate;

@Override
public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
    // get "Authorization" header form the HTTP request
    String authorizationHeader = context.request().getHeader(HttpHeaders.AUTHORIZATION);
    
    // fail if "Authorization" header is missing
    if(authorizationHeader == null || authorizationHeader.isBlank()) {
        return Uni.createFrom().failure(new AuthenticationFailedException(new MyCustomException()));
    }
    
    return delegate.authenticate(context, identityProviderManager);
}

@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFailedExceptionMapper implements ExceptionMapper<AuthenticationFailedException> {
    @Override
    public Response toResponse(AuthenticationFailedException e) {
        if (e.getCause() instanceof MyCustomException ce) {
            // return custom response
        }
    }
}

I don't want it to be triggered for anonymous requests.

[sberyozkin]

@Eng-Fouad Right, in that case, avoid blocking anonymous requests from it and throw your custom exception from the application code where you'd like to check if the identity is anonymous.

Mechanisms throw AuthenticationFailedException when the credentials can not be verified for the security runtime to request this mechanism to create a challenge. Mechanisms should return an empty or void Uni if no credentials are present - because other other authentication mechanism may be able to find the credentials.