GuardAPI

Fix Shadow API Exposure in Quarkus

Shadow APIs are the silent killers in Quarkus microservices: undocumented, unmonitored endpoints that leak sensitive data or expose administrative functions without authorization. In a rapid deployment cycle, every mapped JAX-RS resource is attack surface, whether or not anyone remembers it exists. To eliminate shadow exposure, enforce a strict deny-by-default policy, prevent unauthorized discovery, and audit your resource tree with surgical precision.

The Vulnerable Pattern

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

@Path("/api/internal")
public class InternalResource {
    @GET
    @Path("/system-info")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getSystemInfo() {
        // Shadow API: no security constraints, no class- or method-level
        // @RolesAllowed, undocumented in OpenAPI, and reachable by anyone
        // who guesses the path. It also dumps the whole process environment,
        // which routinely contains credentials and connection strings.
        return Response.ok(System.getenv()).build();
    }
}

The Secure Implementation

Shadow APIs thrive on implicit trust and developer oversight. The fix has three parts:

1. Deny-by-default: set 'quarkus.security.jaxrs.deny-unannotated-endpoints=true' so that any endpoint without an explicit security annotation (@RolesAllowed, @PermitAll) returns a 403.
2. Path hardening: use 'quarkus.http.auth' policies in application.properties to wrap the entire URL space in a mandatory authentication layer.
3. Visibility control: exclude internal resources from the public Swagger/OpenAPI contract with '@Schema(hidden = true)' so that automated scanners cannot discover them.

import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

import java.util.Map;

@Path("/api/internal")
@RolesAllowed("SYSTEM_ADMIN")   // class-level RBAC: every method inherits it
public class InternalResource {
    @GET
    @Path("/system-info")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getSystemInfo() {
        // Secure: explicit RBAC, covered by the HTTP security policy below,
        // and returning a curated payload instead of the raw environment.
        return Response.ok(Map.of("status", "protected")).build();
    }
}

# application.properties
# Enforce global lockdown on all endpoints
quarkus.security.jaxrs.deny-unannotated-endpoints=true
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
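Configuration like this is only as good as the test that proves it. The following is an added example (not code from GuardAPI or from the Quarkus project) that puts the three parts together and then verifies them with a @QuarkusTest: anonymous callers are stopped by the HTTP policy, callers with the wrong role are stopped by @RolesAllowed, and the operation does not appear in the generated OpenAPI document. It assumes the package name com.example, the application.properties above, and a project with the quarkus-rest-jackson, quarkus-smallrye-openapi, quarkus-junit5, quarkus-test-security and rest-assured dependencies. For hiding the operation it uses the MicroProfile OpenAPI annotation @Operation(hidden = true) on the method, which removes that operation from the generated document; the user names and roles in the tests are constructed values.

```java
// src/main/java/com/example/InternalResource.java  (added example; package name assumed)
package com.example;

import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.eclipse.microprofile.openapi.annotations.Operation;

import java.util.Map;

@Path("/api/internal")
@RolesAllowed("SYSTEM_ADMIN")   // class-level RBAC: every method inherits it unless it overrides
public class InternalResource {

    @GET
    @Path("/system-info")
    @Produces(MediaType.APPLICATION_JSON)
    @Operation(hidden = true)   // keep this operation out of the generated OpenAPI document
    public Response getSystemInfo() {
        // Never echo the raw environment; return only a curated, non-secret view.
        return Response.ok(Map.of("status", "protected")).build();
    }
}

// src/test/java/com/example/InternalResourceTest.java  (added example)
package com.example;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import org.junit.jupiter.api.Test;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.not;

@QuarkusTest
class InternalResourceTest {

    @Test
    void anonymousIsRejected() {
        // The "authenticated" policy on /* rejects the request before it reaches the resource.
        given().when().get("/api/internal/system-info").then().statusCode(401);
    }

    @Test
    @TestSecurity(user = "bob", roles = "USER")   // constructed identity without the admin role
    void wrongRoleIsForbidden() {
        // Authenticated but not SYSTEM_ADMIN: @RolesAllowed turns this into a 403.
        given().when().get("/api/internal/system-info").then().statusCode(403);
    }

    @Test
    @TestSecurity(user = "alice", roles = "SYSTEM_ADMIN")   // constructed admin identity
    void adminIsAllowed() {
        given().when().get("/api/internal/system-info")
               .then().statusCode(200).body("status", equalTo("protected"));
    }

    @Test
    @TestSecurity(user = "alice", roles = "SYSTEM_ADMIN")
    void hiddenFromOpenApi() {
        // Even an authenticated reader of /q/openapi must not see the internal path listed.
        given().when().get("/q/openapi").then().statusCode(200)
               .body(not(containsString("/api/internal/system-info")));
    }
}
```

The OpenAPI check runs as an authenticated user on purpose: with the authenticated policy applied to /*, an anonymous request to /q/openapi is itself rejected with a 401, so the test authenticates first and then asserts the operation is absent from the document. If a later change drops the class-level @RolesAllowed, the deny-unannotated setting keeps the endpoint closed and the first two tests still pass; if someone loosens the /* policy, anonymousIsRejected fails immediately.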

Verified by Ghost Labs Security Team