Review fixes

Author: kabir

reference/common/src/main/java/org/a2aproject/sdk/server/common/quarkus/VertxSecurityHelper.java

@@ -7,7 +7,9 @@
 import io.quarkus.arc.Arc;
 import io.quarkus.arc.ManagedContext;
 import io.quarkus.security.identity.CurrentIdentityAssociation;
+import io.quarkus.vertx.http.runtime.security.ChallengeData;
 import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
+import io.vertx.core.Context;
 import io.vertx.ext.web.RoutingContext;
 
 /**
@@ -48,7 +50,7 @@
  *                     myAuthenticatedMethod(); // Has @Authenticated annotation
  *                 });
  *             } catch (UnauthorizedException | ForbiddenException e) {
- *                 VertxSecurityHelper.handleAuthError(ctx, e);
+ *                 securityHelper.handleAuthError(ctx, e);
  *             } catch (Exception e) {
  *                 VertxSecurityHelper.handleGenericError(ctx);
  *             }
@@ -68,9 +70,8 @@ public final class VertxSecurityHelper {
     @Inject
     Instance<CurrentIdentityAssociation> currentIdentityAssociation;
 
-
     public VertxSecurityHelper() {
-        // Utility class - no instantiation
+        // CDI-managed constructor
     }
 
     /**
@@ -98,6 +99,10 @@ public VertxSecurityHelper() {
      * @throws RuntimeException if the task throws an exception
      */
     public void runInRequestContext(RoutingContext ctx, Runnable task) {
+        if (Context.isOnEventLoopThread()) {
+            throw new IllegalStateException(
+                    "Cannot perform blocking authentication on event loop thread. Use blockingHandler().");
+        }
         ManagedContext requestContext = Arc.container().requestContext();
         boolean wasActive = requestContext.isActive();
         if (!wasActive) {
@@ -124,22 +129,31 @@ public void runInRequestContext(RoutingContext ctx, Runnable task) {
      *
      * <ul>
      *   <li>{@code ForbiddenException} → HTTP 403 Forbidden</li>
-     *   <li>All other auth errors → HTTP 401 Unauthorized with {@code WWW-Authenticate: Basic} header</li>
+     *   <li>All other auth errors → delegates to {@link HttpAuthenticator#getChallenge} to obtain
+     *       the correct {@code WWW-Authenticate} header for the configured auth mechanism
+     *       (Basic, Bearer, etc.) and sends HTTP 401 with the challenge header</li>
      * </ul>
      *
      * @param ctx the routing context
      * @param e the authentication or authorization exception
      */
-    public static void handleAuthError(RoutingContext ctx, Exception e) {
+    public void handleAuthError(RoutingContext ctx, Exception e) {
         if (!ctx.response().ended()) {
             if (e instanceof io.quarkus.security.ForbiddenException) {
                 ctx.response()
                     .setStatusCode(403)
                     .end();
             } else {
+                int status = 401;
+                if (!httpAuthenticator.isUnsatisfied()) {
+                    ChallengeData challenge = httpAuthenticator.get().getChallenge(ctx).await().indefinitely();
+                    if (challenge != null) {
+                        status = challenge.status;
+                        ctx.response().putHeader(challenge.headerName, challenge.headerContent);
+                    }
+                }
                 ctx.response()
-                    .setStatusCode(401)
-                    .putHeader("WWW-Authenticate", "Basic realm=\"Quarkus\"")
+                    .setStatusCode(status)
                     .end();
             }
         }

reference/grpc/pom.xml

@@ -105,11 +105,6 @@
             <artifactId>quarkus-elytron-security-properties-file</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-test-security</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
-</project> 
+</project>

reference/grpc/src/test/java/org/a2aproject/sdk/server/grpc/quarkus/AuthTestProfile.java

@@ -8,6 +8,7 @@
 import org.a2aproject.sdk.client.transport.spi.interceptors.auth.AuthInterceptor;
 import org.a2aproject.sdk.server.PublicAgentCard;
 import org.a2aproject.sdk.server.apps.common.AbstractA2AServerWithAuthTest;
+import org.a2aproject.sdk.server.apps.common.AuthTestProfile;
 import org.a2aproject.sdk.spec.AgentCard;
 import org.a2aproject.sdk.spec.TransportProtocol;
 import io.grpc.ManagedChannel;

reference/grpc/src/test/java/org/a2aproject/sdk/server/grpc/quarkus/QuarkusA2AGrpcWithAuthTest.java

@@ -110,10 +110,5 @@
             <artifactId>quarkus-elytron-security-properties-file</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-test-security</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 </project>

reference/jsonrpc/pom.xml

@@ -216,7 +216,7 @@ void setupRoutes(@Observes Router router) {
                         invokeJSONRPCHandler(ctx.body().asString(), ctx);
                     });
                 } catch (UnauthorizedException | ForbiddenException e) {
-                    VertxSecurityHelper.handleAuthError(ctx, e);
+                    vertxSecurityHelper.handleAuthError(ctx, e);
                 } catch (Exception e) {
                     VertxSecurityHelper.handleGenericError(ctx);
                 }

reference/jsonrpc/src/main/java/org/a2aproject/sdk/server/apps/quarkus/A2AServerRoutes.java

@@ -7,6 +7,7 @@
 import org.a2aproject.sdk.client.transport.jsonrpc.JSONRPCTransportConfigBuilder;
 import org.a2aproject.sdk.client.transport.spi.interceptors.auth.AuthInterceptor;
 import org.a2aproject.sdk.server.apps.common.AbstractA2AServerWithAuthTest;
+import org.a2aproject.sdk.server.apps.common.AuthTestProfile;
 import org.a2aproject.sdk.spec.TransportProtocol;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.junit.TestProfile;

reference/jsonrpc/src/test/java/org/a2aproject/sdk/server/apps/quarkus/QuarkusA2AJSONRPCWithAuthJdkTest.java

@@ -7,6 +7,7 @@
 import org.a2aproject.sdk.client.transport.jsonrpc.JSONRPCTransportConfigBuilder;
 import org.a2aproject.sdk.client.transport.spi.interceptors.auth.AuthInterceptor;
 import org.a2aproject.sdk.server.apps.common.AbstractA2AServerWithAuthTest;
+import org.a2aproject.sdk.server.apps.common.AuthTestProfile;
 import org.a2aproject.sdk.spec.TransportProtocol;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.junit.TestProfile;

reference/jsonrpc/src/test/java/org/a2aproject/sdk/server/apps/quarkus/QuarkusA2AJSONRPCWithAuthVertxTest.java

@@ -4,10 +4,3 @@ quarkus.arc.selected-alternatives=org.a2aproject.sdk.server.apps.common.TestHttp
 quarkus.log.category."org.a2aproject.sdk.server.events".level=DEBUG
 quarkus.log.category."org.a2aproject.sdk.server.requesthandlers".level=DEBUG
 quarkus.log.category."org.a2aproject.sdk.server.tasks".level=DEBUG
-
-# Security configuration for regular tests
-# Provide a test identity provider that always authenticates
-# AuthTestProfile overrides this to require real HTTP Basic Auth
-%test.quarkus.test-security.test-enabled=true
-%test.quarkus.test-security.user=testuser
-%test.quarkus.test-security.roles=user

reference/jsonrpc/src/test/resources/application.properties

@@ -114,11 +114,6 @@
             <artifactId>quarkus-elytron-security-properties-file</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-test-security</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
     <build>