quarkusio · gsmet · Mar 4, 2019 · Mar 3, 2019 · Mar 4, 2019
diff --git a/...ns/security/deployment/src/main/java/io/quarkus/security/SecurityDeploymentProcessor.java b/...ns/security/deployment/src/main/java/io/quarkus/security/SecurityDeploymentProcessor.java
@@ -65,7 +65,7 @@ class SecurityDeploymentProcessor {
 
     /**
      * Register this extension as a MP-JWT feature
-     * 
+     *
      * @return
      */
     @BuildStep
@@ -75,7 +75,7 @@ FeatureBuildItem feature() {
 
     /**
      * Register the Elytron-provided password factory SPI implementation
-     * 
+     *
      * @param classes producer factory for ReflectiveClassBuildItems
      */
     @BuildStep
@@ -90,7 +90,7 @@ void services(BuildProducer<ReflectiveClassBuildItem> classes) {
      * runtime value to process the user/roles properties files. This also registers the names of the user/roles properties
      * files
      * to include the build artifact.
-     * 
+     *
      * @param template - runtime security template
      * @param resources - SubstrateResourceBuildItem used to register the realm user/roles properties files names.
      * @param securityRealm - the producer factory for the SecurityRealmBuildItem
@@ -205,7 +205,7 @@ SecurityDomainBuildItem build(SecurityTemplate template, BuildProducer<ServletEx
     /**
      * If a password based realm was created, install the security extension
      * {@linkplain io.quarkus.security.runtime.ElytronIdentityManager}
-     * 
+     *
      * @param template - runtime template
      * @param securityDomain - configured SecurityDomain
      * @param identityManagerProducer - producer factory for IdentityManagerBuildItem
@@ -235,19 +235,23 @@ void configureIdentityManager(SecurityTemplate template, SecurityDomainBuildItem
     void addIdentityManager(SecurityTemplate template, BuildProducer<ServletExtensionBuildItem> extension,
             SecurityDomainBuildItem securityDomain, List<IdentityManagerBuildItem> identityManagers,
             List<AuthConfigBuildItem> authConfigs) {
+        // Validate the at most one IdentityManagerBuildItem was created
         if (identityManagers.size() > 1) {
             throw new IllegalStateException("Multiple IdentityManagerBuildItem seen: " + identityManagers);
         }
-        IdentityManagerBuildItem identityManager = identityManagers.get(0);
-        // Collect all of the authentication mechanisms and create a ServletExtension to register the Undertow identity manager
-        ArrayList<AuthConfig> allAuthConfigs = new ArrayList<>();
-        for (AuthConfigBuildItem authConfigExt : authConfigs) {
-            AuthConfig ac = authConfigExt.getAuthConfig();
-            allAuthConfigs.add(ac);
+        // Only create an identityManager if one was configured
+        if (identityManagers.size() > 0) {
+            IdentityManagerBuildItem identityManager = identityManagers.get(0);
+            // Collect all of the authentication mechanisms and create a ServletExtension to register the Undertow identity manager
+            ArrayList<AuthConfig> allAuthConfigs = new ArrayList<>();
+            for (AuthConfigBuildItem authConfigExt : authConfigs) {
+                AuthConfig ac = authConfigExt.getAuthConfig();
+                allAuthConfigs.add(ac);
+            }
+            ServletExtension idmExt = template.configureUndertowIdentityManager(securityDomain.getSecurityDomain(),
+                    identityManager.getIdentityManager(), allAuthConfigs);
+            extension.produce(new ServletExtensionBuildItem(idmExt));
         }
-        ServletExtension idmExt = template.configureUndertowIdentityManager(securityDomain.getSecurityDomain(),
-                identityManager.getIdentityManager(), allAuthConfigs);
-        extension.produce(new ServletExtensionBuildItem(idmExt));
     }
 
     /**

diff --git a/...ecurity/deployment/src/test/java/io/quarkus/security/test/NoConfiguredRealmsTestCase.java b/...ecurity/deployment/src/test/java/io/quarkus/security/test/NoConfiguredRealmsTestCase.java
@@ -0,0 +1,34 @@
+package io.quarkus.security.test;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.restassured.RestAssured;
+
+/**
+ * Validate that a deployment with the security extension but no configured realms does not blow up
+ */
+public class NoConfiguredRealmsTestCase {
+    static Class[] testClasses = {
+            TestSecureServlet.class
+    };
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+                    .addClasses(testClasses)
+                    .addAsManifestResource(new StringAsset("quarkus.security.file.enabled=false"),
+                            "microprofile-config.properties"));
+
+    /**
+     * Should fail with 403 rather than 401 as there is no authentication enabled, but the servlet requires roles
+     */
+    @Test()
+    public void testSecureAccessFailure() {
+        RestAssured.when().get("/secure-test").then()
+                .statusCode(403);
+    }
+}