Error in secured post-multipart interface with large files #44929

Closed
h3nn1n9 opened this issue Dec 5, 2024 · 12 comments · Fixed by #44959

h3nn1n9 commented Dec 5, 2024

Describe the bug

An error occurs in Quarkus with a secured post-multipart interface. If a larger file (about 150MB) is uploaded, the system is stuck in an endless loop without ever reaching the first line in the 'uploadFile' method. If security is switched off or a small file is uploaded, the error does not occur.
The security dependency is io.quarkus:quarkus-elytron-security-properties-file.

The following properties are set in application.properties:

quarkus.http.auth.basic=true
quarkus.security.users.file.enabled=true
quarkus.security.users.file.users=users.properties
quarkus.security.users.file.roles=roles.properties
quarkus.security.users.file.plain-text=true
quarkus.http.limits.max-form-attribute-size=2000M
quarkus.http.limits.max-body-size=2000M

Expected behavior

The file should be uploaded and a string with the file name should be returned.

Actual behavior

If a larger file (about 150MB) is uploaded, the system is stuck in an endless loop without ever reaching the first line in the uploadFile method. If security is switched off or a small file is uploaded, the error does not occur.

How to Reproduce?

multipart-example.zip

To reproduce, a file with the name bigFile.zip must be placed in the src/main/resources/ folder. The file is too large to upload to GitHub.

Output of uname -a or ver

No response

Output of java -version

Temurin-21.0.5

Quarkus version or git rev

3.16.3

Build tool (ie. output of mvnw --version or gradlew --version)

apache-maven-3.9.9

Additional information

No response

@h3nn1n9 h3nn1n9 added the kind/bug Something isn't working label Dec 5, 2024

quarkus-bot bot commented Dec 5, 2024

/cc @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security)

@geoand
Contributor

geoand commented Dec 5, 2024

Have you perhaps tried if the same occurs when using Quarkus REST?

@geoand geoand added the triage/needs-feedback We are waiting for feedback. label Dec 5, 2024
@h3nn1n9
Author

h3nn1n9 commented Dec 5, 2024

Yes, I tested it with the small reproducer and the same error occurs using Quarkus REST.

@geoand
Contributor

geoand commented Dec 5, 2024

Thanks. Can you upload that reproducer as well?

@h3nn1n9
Author

h3nn1n9 commented Dec 5, 2024

Here is a version of the reproducer with Quarkus REST.
multipart-example-resteasy.zip

@geoand
Contributor

geoand commented Dec 5, 2024

🙏

@geoand geoand removed the triage/needs-feedback We are waiting for feedback. label Dec 5, 2024
@michalvavrik
Member

If anyone starts looking into it please give a hint in the comments/assignment, otherwise I'll check the reproducer in the evening. I am curious how security can cause this.

@geoand
Contributor

geoand commented Dec 5, 2024

If you want to check it today, go ahead. I was planning on having a look tomorrow

@michalvavrik
Member

> If you want to check it today, go ahead. I was planning on having a look tomorrow

Well, I'll check it this evening and if I can't tell, it will be waiting for you. I'll definitely update you in this issue with whatever I saw...

@geoand
Contributor

geoand commented Dec 5, 2024

🙏🏽

@michalvavrik
Member

This issue is not specific to Quarkus Security or Quarkus REST or Quarkus RESTEasy. At any rate, I don't know how to fix it, but I'll provide context in an email and include you there @geoand. Thanks a million times @h3nn1n9 for reporting this. I suppose more info will follow by whoever will take care of this.

@michalvavrik
Member

Actually I found a fix, but I'll need to confirm it is the correct way to handle this. I'll send the email anyway.
