Merge pull request #51374 from michalvavrik/feature/document-csrf-needs-security-ext

geoand · web-flow · commit 649767d20512 · 2025-12-03T20:30:56.000+02:00
Document and validate Quarkus Security extension must be present for CSRF programmatic set up
diff --git a/docs/src/main/asciidoc/security-csrf-prevention.adoc b/docs/src/main/asciidoc/security-csrf-prevention.adoc
@@ -329,7 +329,7 @@ include::{generated-dir}/config/quarkus-rest-csrf.adoc[leveloffset=+1, opts=opti
 [[csrf-prevention-programmatic-set-up]]
 == Configuring the CSRF prevention programmatically
 
-When the `quarkus-rest-csrf` extension is used, the `io.quarkus.vertx.http.security.HttpSecurity` CDI event allows you to customize the CSRF prevention programmatically:
+When the `quarkus-rest-csrf` extension is used together with the `quarkus-security` extension, the `io.quarkus.vertx.http.security.HttpSecurity` CDI event allows you to customize the CSRF prevention programmatically:
 
 [source,java]
 ----
diff --git a/extensions/resteasy-reactive/rest-csrf/deployment/src/test/java/io/quarkus/csrf/reactive/ProgrammaticCsrfValidationFailureTest.java b/extensions/resteasy-reactive/rest-csrf/deployment/src/test/java/io/quarkus/csrf/reactive/ProgrammaticCsrfValidationFailureTest.java
@@ -0,0 +1,23 @@
+package io.quarkus.csrf.reactive;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.vertx.http.security.CSRF;
+
+public class ProgrammaticCsrfValidationFailureTest {
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest().withEmptyApplication();
+
+    @Test
+    public void testQuarkusSecurityExtensionRequired() {
+        var exception = assertThrows(IllegalStateException.class, CSRF::builder);
+        assertTrue(exception.getMessage().contains("Please add the `quarkus-security` extension"));
+    }
+
+}
diff --git a/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/HttpSecurityProcessor.java b/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/HttpSecurityProcessor.java
@@ -303,21 +303,29 @@ void createHttpAuthenticationHandler(HttpSecurityRecorder recorder, Capabilities
     @BuildStep
     void prepareCsrfConfigBuilder(Capabilities capabilities, Optional<CsrfBuilderClassBuildItem> csrfBuilderClassBuildItem,
             BuildProducer<BytecodeTransformerBuildItem> bytecodeTransformerProducer) {
-        if (capabilities.isPresent(Capability.SECURITY) && csrfBuilderClassBuildItem.isPresent()) {
+        if (csrfBuilderClassBuildItem.isPresent()) {
             final Class<? extends CSRF.Builder> csrfBuilderClass = csrfBuilderClassBuildItem.get().csrfBuilderClass;
-            // static Builder builder() {
-            //     return new io.quarkus.something.CsfrBuilder();
-            // }
-            bytecodeTransformerProducer.produce(new BytecodeTransformerBuildItem(CSRF.class.getName(), (cls, classVisitor) -> {
-                var classTransformer = new ClassTransformer(cls);
-                classTransformer.removeMethod("builder", CSRF.Builder.class);
-                try (var mc = classTransformer.addMethod("builder", CSRF.Builder.class)) {
-                    mc.setModifiers(ACC_PUBLIC | ACC_STATIC);
-                    var builderInstance = mc.newInstance(MethodDescriptor.ofConstructor(csrfBuilderClass));
-                    mc.returnValue(mc.checkCast(builderInstance, CSRF.Builder.class));
-                }
-                return classTransformer.applyTo(classVisitor);
-            }));
+            bytecodeTransformerProducer
+                    .produce(new BytecodeTransformerBuildItem(CSRF.class.getName(), (cls, classVisitor) -> {
+                        var classTransformer = new ClassTransformer(cls);
+                        classTransformer.removeMethod("builder", CSRF.Builder.class);
+                        try (var mc = classTransformer.addMethod("builder", CSRF.Builder.class)) {
+                            mc.setModifiers(ACC_PUBLIC | ACC_STATIC);
+                            if (capabilities.isPresent(Capability.SECURITY)) {
+                                // static Builder builder() {
+                                //     return new io.quarkus.something.CsfrBuilder();
+                                // }
+                                var builderInstance = mc.newInstance(MethodDescriptor.ofConstructor(csrfBuilderClass));
+                                mc.returnValue(mc.checkCast(builderInstance, CSRF.Builder.class));
+                            } else {
+                                // static Builder builder() {
+                                //     throw new IllegalStateException("Please add the `quarkus-security` extension");
+                                // }
+                                mc.throwException(IllegalStateException.class, "Please add the `quarkus-security` extension");
+                            }
+                        }
+                        return classTransformer.applyTo(classVisitor);
+                    }));
         }
     }
 
