GuardAPI

Fix Broken User Authentication in Quarkus

Broken authentication in Quarkus typically stems from developers bypassing the built-in Elytron security architecture in favor of 'quick-and-dirty' custom JAX-RS filters. These manual implementations often lack constant-time comparisons, fail to handle token expiration correctly, and are susceptible to credential stuffing when backed by weak hashing. To secure a Quarkus microservice, you must shift from manual header checks to declarative security using standard OIDC or JWT extensions.

The Vulnerable Pattern

import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;

@Provider
public class WeakAuthFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext requestContext) {
        String authHeader = requestContext.getHeaderString("X-Custom-Auth");
        // VULNERABILITY: hardcoded token, no constant-time comparison, bypasses the Quarkus Security context
        // (no SecurityIdentity is established, so @RolesAllowed and the HTTP permission policies never apply)
        if (authHeader == null || !authHeader.equals("admin-secret-key")) {
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }
}

The Secure Implementation

The vulnerable code uses a custom ContainerRequestFilter that performs a naive string comparison. This is vulnerable to timing attacks and lacks integration with the Quarkus Security Identity. The secure implementation utilizes the 'quarkus-oidc' extension, delegating authentication to a hardened Identity Provider (IdP). It uses '@RolesAllowed' for Role-Based Access Control (RBAC) and ensures that security is handled at the framework level, providing automatic token validation, expiration checks, and cryptographic signature verification.

# application.properties
quarkus.oidc.auth-server-url=https://keycloak.example.com/realms/main
quarkus.oidc.client-id=my-quarkus-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated

// Secure Resource Implementation
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import org.jboss.resteasy.reactive.NoCache;

@Path("/api/secure")
@ApplicationScoped
public class SecureResource {

    @GET
    @RolesAllowed("admin")   // RBAC enforced by the framework on the SecurityIdentity built from the validated OIDC token
    @NoCache                 // sensitive responses must not be cached by intermediaries
    public String getSensitiveData() {
        return "Hardened Content";
    }
}
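A practitioner will want proof that the declarative policy actually closes the gap the custom filter left open. The following `@QuarkusTest` is an added example, not GuardAPI's code: it assumes the `quarkus-junit5`, `rest-assured` and `quarkus-test-security` test dependencies, and that OIDC is either disabled in the test profile (`%test.quarkus.oidc.enabled=false`) or backed by Keycloak Dev Services, so `@TestSecurity` can supply the identity.

```java
// Added example (not from the original page). Verifies that the path policy
// and @RolesAllowed on SecureResource reject anonymous and under-privileged
// callers and admit only the "admin" role.
package org.acme;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import org.junit.jupiter.api.Test;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.is;

@QuarkusTest
public class SecureResourceTest {

    // No identity at all: quarkus.http.auth.permission.authenticated=/*
    // must reject the request before the resource method is ever invoked.
    @Test
    public void anonymousIsRejected() {
        given()
            .when().get("/api/secure")
            .then().statusCode(401);
    }

    // Authenticated but wrong role: passes the "authenticated" path policy,
    // then fails @RolesAllowed("admin") with 403 rather than 401.
    @Test
    @TestSecurity(user = "alice", roles = "user")
    public void wrongRoleIsForbidden() {
        given()
            .when().get("/api/secure")
            .then().statusCode(403);
    }

    // Correct role: both layers pass and the hardened content is returned.
    @Test
    @TestSecurity(user = "bob", roles = "admin")
    public void adminGetsContent() {
        given()
            .when().get("/api/secure")
            .then()
                .statusCode(200)
                .body(is("Hardened Content"));
    }
}
```

Running the same three requests against the original `WeakAuthFilter` shows the difference: a caller who guesses `X-Custom-Auth` gets 200 regardless of role, because no `SecurityIdentity` exists for `@RolesAllowed` to check.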


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.