Posted to dev@tomee.apache.org by Jonathan Gallimore <jo...@gmail.com> on 2018/11/02 09:42:15 UTC

Re: MicroProfile JWT 1.1

Thanks for the reply. I am still sure there is some sort of issue. Putting
TomEE to one side for the moment, I am able to reproduce this in the
Geronimo JWT auth library as well. This PR includes a test to show what I
mean: https://github.com/apache/geronimo-jwt-auth/pull/3.

I can confirm that this change:
https://github.com/apache/openwebbeans/pull/12 enables that new test to
pass.

In short, if you @Inject JsonWebToken, or individual claims, or
use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
will most likely get the wrong principal because the instance is cached in a
field in the org.apache.webbeans.portable.ProviderBasedProducer class, and
that looks like a security issue.

Jon

On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rm...@gmail.com>
wrote:

> Hi Jon,
>
> yes and no, idea is to be fast and for all producers it works except the
> principal which is broken anyway in CDI 1.x so guess this was not fixed
>
> in CDI 2 (tomee 8) we can impl it this way:
>
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>
> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>
> > Here's a question, probably for Mark or Romain. If I turn the proxy *off*
> > in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the
> > wrong principal injected sometimes. Specifically, I get whatever is on
> > the proxyInstance field here:
> >
> > https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> >
> > Should this line (line 66)
> > https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
> > not simply be:
> >
> > return provider.get();
> >
> > as opposed to
> >
> > proxyInstance = provider.get(); ?
> >
> > That way, the proxyInstance field would never get set if proxy mode is set
> > to false. When proxy is true, this seems to work correctly (although I have
> > other unrelated issues in TomEE).
> >
> > I can probably work around this some other way, but it seems to me like
> > that behaviour isn't quite right.
> >
> > Trying to think of a way to test it - I can probably come up with
> > something, but I'd appreciate some pointers. Happy to shift this to
> > openwebbeans-dev, and submit a PR. Replying here initially as I ran into
> > this while hacking on the JWT code.
> >
> > Jon
> >
> > On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
> >
> > > Please, go ahead. Let me know if you need anything. Thanks!
> > >
> > > > On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> > > >
> > > > Any objection if I pick this up and have a go at the last tests, or is
> > > > someone already working on this?
> > > >
> > > > On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> > > >
> > > >> Yep this feature. Then it must work since we support user principal if the
> > > >> jwt filter is correctly placed in the filter chain and we must inherit from
> > > >> the request principal.
> > > >>
> > > >> On Thu, 27 Sep 2018 18:37, Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
> > > >>
> > > >>> I guess you are referring to this, to remove the proxy?
> > > >>>
> > > >>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > > >>>
> > > >>> Yes, this one step.
> > > >>>
> > > >>> By default, we do inject the generic Principal of Tomcat. We probably need
> > > >>> to check first about the existence of a JWT Principal and then fallback to
> > > >>> the Tomcat one. I think I know how to do it, I was just trying to broaden
> > > >>> up the conversation about general integration with EE security.
> > > >>>
> > > >>> Cheers,
> > > >>> Roberto
> > > >>>
> > > >>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> > > >>>>
> > > >>>> OWB enables doing it - we did it in geronimo impl to pass tck of jwt auth
> > > >>>> spec.
> > > >>>>
> > > >>>> On Wed, 26 Sep 2018 03:28, Roberto Cortez <ra...@yahoo.com.invalid> wrote:
> > > >>>>
> > > >>>>> Hi,
> > > >>>>>
> > > >>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
> > > >>>>>
> > > >>>>> You can check it here:
> > > >>>>> https://github.com/apache/tomee/pull/173
> > > >>>>>
> > > >>>>> There are still a couple of tests in the TCK that I have to fix and a few
> > > >>>>> things that I would like to improve, but I think the majority of the work
> > > >>>>> is done.
> > > >>>>>
> > > >>>>> Some time ago, there was a discussion in the list about how to integrate
> > > >>>>> MP JWT with EE security:
> > > >>>>>
> > > >>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > > >>>>>
> > > >>>>> I believe we need to revisit that conversation and figure out how to move
> > > >>>>> forward.
> > > >>>>>
> > > >>>>> Right now for instance, we don’t support injecting a JWT Principal since
> > > >>>>> it clashes with the one predefined by CDI. Most likely, we would need to plugin
> > > >>>>> the JWT Principal lookup in TomcatSecurityService. I’m not sure if we want
> > > >>>>> to do it in that way, or if we want to think in something else.
> > > >>>>>
> > > >>>>> Cheers,
> > > >>>>> Roberto
> > > >>>
> > > >>
> > >
> >
>
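
As an added illustration of the caching defect Jon describes above (this is constructed example code, not the OpenWebBeans ProviderBasedProducer itself): a producer that stores the first provider result in a field, beside one that resolves on every injection. The ThreadLocal request context, the SimplePrincipal type and the Producer interface are stand-ins for the container's SecurityService and CDI producer machinery.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

public class PrincipalProducerDemo {

    // Constructed stand-in for the container's request context: the principal
    // authenticated for the request currently running on this thread.
    private static final ThreadLocal<Principal> CURRENT_REQUEST = new ThreadLocal<>();

    // Constructed stand-in for what the Principal provider resolves through the
    // SecurityService: always the caller of the *current* request.
    static Principal currentPrincipal() {
        Principal p = CURRENT_REQUEST.get();
        if (p == null) {
            throw new IllegalStateException("no request in progress on this thread");
        }
        return p;
    }

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    interface Producer { Principal produce(); }

    /** Mirrors the defect: the first resolved principal is kept in a field and
     *  handed to every later injection, so a later request sees an earlier
     *  request's user. Acceptable for app-wide, stateless values; wrong for
     *  anything that is per request or per caller. */
    static final class CachingProducer implements Producer {
        private final Supplier<Principal> provider;
        private Principal proxyInstance;   // the offending field

        CachingProducer(Supplier<Principal> provider) { this.provider = provider; }

        @Override public Principal produce() {
            if (proxyInstance == null) {
                proxyInstance = provider.get();   // cached once, never refreshed
            }
            return proxyInstance;
        }
    }

    /** The non-proxy behaviour Jon proposes: ask the provider on every
     *  injection and never retain the result. */
    static final class ContextualProducer implements Producer {
        private final Supplier<Principal> provider;

        ContextualProducer(Supplier<Principal> provider) { this.provider = provider; }

        @Override public Principal produce() {
            return provider.get();
        }
    }

    /** Simulates a sequence of authenticated requests on one thread and records
     *  which user each injection of Principal observed. */
    static List<String> runRequests(Producer producer, String... users) {
        List<String> observed = new ArrayList<>();
        for (String user : users) {
            CURRENT_REQUEST.set(new SimplePrincipal(user));
            try {
                observed.add(producer.produce().getName());
            } finally {
                CURRENT_REQUEST.remove();   // request ends; clear the context
            }
        }
        return observed;
    }

    public static void main(String[] args) {
        Supplier<Principal> provider = PrincipalProducerDemo::currentPrincipal;

        List<String> cached = runRequests(new CachingProducer(provider), "alice", "bob");
        List<String> contextual = runRequests(new ContextualProducer(provider), "alice", "bob");

        System.out.println("caching producer observed:    " + cached);
        System.out.println("contextual producer observed: " + contextual);

        // Regression check in the spirit of the PrincipalInjectionTest Jon added:
        // the second request must see its own caller, not the first request's.
        if (!"bob".equals(contextual.get(1))) {
            throw new AssertionError("contextual producer leaked a principal");
        }
    }
}
```

Run with `java PrincipalProducerDemo.java` (JDK 11 or later): the caching producer reports alice for both requests, while the contextual one reports alice and then bob.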

Re: MicroProfile JWT 1.1

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Hi,

Just rebased this PR with the MP 2.0 merge, so this one should be good to go too.

Cheers,
Roberto

> On 4 Dec 2018, at 19:18, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
> 
> Hey,
> 
> I think we are mostly done with the JWT 1.1 work. At least the TCK is passing except for two tests with the issue described here: https://github.com/eclipse/microprofile-jwt-auth/issues/118. I did copy the test code and added a second Arquillian deployment to deploy the key endpoint for test in a separate app. In this case, the test works as expected. I’ll also try to submit a PR with this work to the JWT TCK project.
> 
> The entire work can be seen here:
> https://github.com/apache/tomee/pull/173
> 
> MP JWT 1.1 mostly adds support for:
> - Loading keys using MP Config from multiple sources (inline, classpath, file, url).
> - JWK and JWKS support.
> - JWT as Principal injection.
> 
> Thank you Jon for helping out with the implementation.
> 
> Cheers,
> Roberto
> 
>> On 3 Dec 2018, at 18:00, Roberto Cortez <ra...@yahoo.com> wrote:
>>
>> Sure. If you don’t mind, I’ll merge your branch with mine and then submit a PR with everything.
>>
>>> On 3 Dec 2018, at 17:12, Jonathan Gallimore <jo...@gmail.com> wrote:
>>>
>>> If you have the cycles, it would be great if you could do it.
>>>
>>> Cheers!
>>>
>>> Jon
>>>
>>> On Mon, Dec 3, 2018 at 5:06 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>
>>>> Yes, I would be in favor of commenting these tests, but implement on our
>>>> tests that set up an endpoint and try to deploy an app to load the key
>>>> from the endpoint. At least we make sure that the feature is working as
>>>> supposed.
>>>>
>>>> Do you want to do it, or should I do it?
>>>>
>>>>> On 3 Dec 2018, at 16:49, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>
>>>>> Interesting. I'd be in favor of commenting those tests out and merging the
>>>>> PR, if you think the rest of it is in shape. If the spec says there should
>>>>> be a deployment exception, then that makes sense. The TCK should probably
>>>>> start its own little embedded http server to supply these keys instead. We
>>>>> could contribute a PR there for consideration.
>>>>>
>>>>> Jon
>>>>>
>>>>> On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>>>
>>>>>> Yes,
>>>>>>
>>>>>> I think that the current state of the TCK is actually wrong. Look here:
>>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>>>
>>>>>> And also from the spec:
>>>>>> MicroProfile JWT implementations are required to throw a
>>>>>> `DeploymentException` when given a public key that cannot be parsed using
>>>>>> either the standardly supported or vendor-specific key formats.
>>>>>>
>>>>>> My understanding of this is that the load / parsing of the key is part of
>>>>>> the application deployment, so if you fail to load the key you should fail
>>>>>> with DeploymentException. It doesn’t make sense to defer the loading of the
>>>>>> key when you need it and then fail with the DeploymentException, when the
>>>>>> application is already deployed.
>>>>>>
>>>>>> Now, the issue is a chicken / egg. The TCK test exposes the key to load
>>>>>> from an endpoint in the actual test app that we are testing. I believe the
>>>>>> correct behaviour should be to have a separate test app that exposes the
>>>>>> test keys and then have a separate app to test the behaviour.
>>>>>>
>>>>>> I think we can implement our own tests like these and then contribute them
>>>>>> back / fix the TCK.
>>>>>>
>>>>>> Cheers,
>>>>>> Roberto
>>>>>>
>>>>>>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>
>>>>>>> Thanks for asking. There are 3 tests I can't get passing. These are the
>>>>>>> ones where the key is referred to by a HTTP url, which isn't available at
>>>>>>> deployment time where the keys are actually read. I spent quite a lot of
>>>>>>> time trying to make this happen later in lifecycle (like on first load, or
>>>>>>> something like that). I ended up getting lost in a complete maze of
>>>>>>> lambdas. I am stuck and in need of help. I think this class is the issue:
>>>>>>> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java,
>>>>>>> and this piece of functionality will probably need some design discussion
>>>>>>> to enable these tests to pass.
>>>>>>>
>>>>>>> I had tried flipping the storage to Map<String,Supplier> with a supplier that
>>>>>>> does a lazy lookup and caches the value. The issue there is the JWKS keys,
>>>>>>> where you appear to get multiple keys in one file. Wrapping the whole thing
>>>>>>> in a supplier might work too - you'd effectively then have to run that logic on
>>>>>>> first login, or find something else that can trigger it.
>>>>>>>
>>>>>>> Do you have any thoughts?
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>>>>>
>>>>>>>> Hi Jon,
>>>>>>>>
>>>>>>>> I’ve seen you made some changes in your branch. What is the current
>>>>>>>> status? I would like to start pushing for MP 2.0 specs.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>>
>>>>>>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Was going to have another look at those tests over the next couple of
>>>>>>>>> days.
>>>>>>>>>
>>>>>>>>> Jon
>>>>>>>>>
>>>>>>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Jon,
>>>>>>>>>>
>>>>>>>>>> What is the status of this?
>>>>>>>>>>
>>>>>>>>>> For the remaining failing tests, the issues are related with this:
>>>>>>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>>>>>>>
>>>>>>>>>> I don’t think there is a way to fix it on our side, so we could just
>>>>>>>>>> ignore those specific methods and build a specific test for this with 2
>>>>>>>>>> apps deployment so we can reach out to the public key endpoint from the test.
>>>>>>>>>> Then we should be good to go with this!
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Roberto
>>>>>>>>>>
>>>>>>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Ok, yes I see it.
>>>>>>>>>>> --
>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
>>>>>>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hey Jon,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I clicked on the link and the diff tab does not show any difference.
>>>>>>>>>>>>> Did you push?
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I now have the principal injection part of this working - thanks Romain for
>>>>>>>>>>>>>> your help and explanations. Progress is in my fork here:
>>>>>>>>>>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
>>>>>>>>>>>>>> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1).
>>>>>>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing.
>>>>>>>>>>>>>> Any feedback is appreciated.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a short
>>>>>>>>>>>>>>>> one here and shout if not enough: ManagedSecurityService in cdi package of
>>>>>>>>>>>>>>>> openejb-core must make the getCurrentPrincipal contextual so hidden behind
>>>>>>>>>>>>>>>> a proxy. The proxied API must be Principal and JsonWebToken when available
>>>>>>>>>>>>>>>> (try { add if can load } catch { ignore } works as pattern). The proxy
>>>>>>>>>>>>>>>> instance can be created once for all app using the container loader or per
>>>>>>>>>>>>>>>> app using the app loader and avoiding to leak between apps since the API
>>>>>>>>>>>>>>>> can use different loaders.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, 2 Nov 2018 14:44, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I
>>>>>>>>>>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project
>>>>>>>>>>>>>>>>> (https://github.com/apache/geronimo-jwt-auth/pull/3), based on
>>>>>>>>>>>>>>>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
>>>>>>>>>>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my results
>>>>>>>>>>>>>>>>> attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it
>>>>>>>>>>>>>>>>> uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified
>>>>>>>>>>>>>>>>> the project config at all, so it is using the SecurityService code you
>>>>>>>>>>>>>>>>> previously posted. If this additional test were part of the MicroProfile
>>>>>>>>>>>>>>>>> JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation
>>>>>>>>>>>>>>>>> would *not* pass the TCK.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I posted this here as I originally found the issue when continuing
>>>>>>>>>>>>>>>>> Roberto's efforts, but this has probably contributed to some confusion. I
>>>>>>>>>>>>>>>>> would suggest we continue this over on the Geronimo and OWB lists to avoid
>>>>>>>>>>>>>>>>> further confusion.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Fri, 2 Nov 2018 10:42, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of
>>>>>>>>>>>>> issue.
>>>>>>>>>>>>>>>>>> Putting
>>>>>>>>>>>>>>>>>>> TomEE to one side for the moment, I am able to reproduce
>>>> this
>>>>>>>>>>>> in
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>> Geronimo JWT auth library as well. This PR includes a test
>>>> to
>>>>>>>>>>>>> show
>>>>>>>>>>>>>>>> what
>>>>>>>>>>>>>>>>>> I
>>>>>>>>>>>>>>>>>>> mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> I can confirm that this change:
>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables
>>>> that
>>>>>>>>>>>> new
>>>>>>>>>>>>>>>> test to
>>>>>>>>>>>>>>>>>>> pass.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual
>>>> claims,
>>>>>> or
>>>>>>>>>>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject
>>>>>>>>>>>>> Principal,
>>>>>>>>>>>>>>>> you
>>>>>>>>>>>>>>>>>>> will most likely get the wrong principal because the
>>>> instance
>>>>>>>>>>>> is
>>>>>>>>>>>>>>>> cache
>>>>>>>>>>>>>>>>>> in a
>>>>>>>>>>>>>>>>>>> field in the
>>>>>> org.apache.webbeans.portable.ProviderBasedProducer
>>>>>>>>>>>>>>>> class,
>>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>>>> that looks like a security issue.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <
>>>>>>>>>>>>>>>>>> rmannibucau@gmail.com>
>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it
>>>>>> works
>>>>>>>>>>>>>>>> except
>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>>> principal which is broken anyway in CDI 1.x so guess this
>>>>>> was
>>>>>>>>>>>>> not
>>>>>>>>>>>>>>>>>> fixed
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
>>>>>>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>>>>>>>>>>>>>>>>>>> https://github.com/rmannibucau> |
>>>>>>>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>>>>>>>>>>>>>>>>>>>> <
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>> https://www.packtpub.com/application-development/java-ee-8-high-performance
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore <
>>>>>>>>>>>>>>>>>>>> jonathan.gallimore@gmail.com> a écrit :
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn
>>>>>>>>>>>> the
>>>>>>>>>>>>>>>> proxy
>>>>>>>>>>>>>>>>>>> *off*
>>>>>>>>>>>>>>>>>>>>> in org.apache.webbeans.component.PrincipalBean, I'm
>>>> finding
>>>>>>>>>>>>>> that
>>>>>>>>>>>>>>>> I
>>>>>>>>>>>>>>>>>> get
>>>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>>>> wrong principal injected sometimes. Specifically, I get
>>>> the
>>>>>>>>>>>>>>>>>> whatever is
>>>>>>>>>>>>>>>>>>>> on
>>>>>>>>>>>>>>>>>>>>> the proxyInstance field here:
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Should this line (line 66)
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
>>>>>>>>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>>>>>>>>> not simply be:
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> return provider.get();
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> as opposed to
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if
>>>>>>>>>>>>> proxy
>>>>>>>>>>>>>>>> mode
>>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>>>>> set
>>>>>>>>>>>>>>>>>>>>> to false. When proxy is true, this seems to work
>>>> correctly
>>>>>>>>>>>>>>>>>> (although I
>>>>>>>>>>>>>>>>>>>> have
>>>>>>>>>>>>>>>>>>>>> other unrelated issues in TomEE).
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> I can probably work around this some other way, but it
>>>>>>>>>>>> seems
>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>> me
>>>>>>>>>>>>>>>>>> like
>>>>>>>>>>>>>>>>>>>>> that behaviour isn't quite right.
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come
>>>>>>>>>>>> up
>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to
>>>> shift
>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here
>>>> initially
>>>>>>>>>>>>> as I
>>>>>>>>>>>>>>>> ran
>>>>>>>>>>>>>>>>>>> into
>>>>>>>>>>>>>>>>>>>>> this while hacking on the JWT code.
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez
>>>>>>>>>>>>>>>>>>>>> <ra...@yahoo.com.invalid>
>>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if need anything. Thanks!
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <
>>>>>>>>>>>>>>>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the
>>>>>>>>>>>> last
>>>>>>>>>>>>>>>>>> tests, or
>>>>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>>>>>>>> someone already working on this?
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <
>>>>>>>>>>>>>>>>>>>>>> rmannibucau@gmail.com>
>>>>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must works since we support
>>>>>>>>>>>>> user
>>>>>>>>>>>>>>>>>>> principal
>>>>>>>>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>>>>>>> jwt filter is corretly placed in the filter chain and
>>>>>>>>>>>> we
>>>>>>>>>>>>>>>> must
>>>>>>>>>>>>>>>>>>>> inherit
>>>>>>>>>>>>>>>>>>>>>> from
>>>>>>>>>>>>>>>>>>>>>>>> the request principal.
>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> Le jeu. 27 sept. 2018 18:37, Roberto Cortez
>>>>>>>>>>>>>>>>>>>>> <radcortez@yahoo.com.invalid
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> a
>>>>>>>>>>>>>>>>>>>>>>>> écrit :
>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the
>>>>>>>>>>>> proxy?
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>>>>>>>>>>>>>>>>>>>>>>>>> <
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> Yes, this one step.
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of
>>>>>>>>>>>>> Tomcat.
>>>>>>>>>>>>>>>> We
>>>>>>>>>>>>>>>>>>>> probably
>>>>>>>>>>>>>>>>>>>>>>>> need
>>>>>>>>>>>>>>>>>>>>>>>>> to check first about the existence of a JWT Principal
>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>>>>>> fallback
>>>>>>>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>>>>>>>> the Tomcat one. I think I know how to do it, I was
>>>>>>>>>>>> just
>>>>>>>>>>>>>>>>>> trying to
>>>>>>>>>>>>>>>>>>>>>> broaden
>>>>>>>>>>>>>>>>>>>>>>>>> up the conversation about general integration with EE
>>>>>>>>>>>>>>>>>> security.
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <
>>>>>>>>>>>>>>>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to
>>>>>>>>>>>>> pass
>>>>>>>>>>>>>>>> tck
>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>>>> jwt
>>>>>>>>>>>>>>>>>>>>>>>> auth
>>>>>>>>>>>>>>>>>>>>>>>>>> spec.
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez
>>>>>>>>>>>>>>>>>>>>>>>> <ra...@yahoo.com.invalid>
>>>>>>>>>>>>>>>>>>>>>>>>> a
>>>>>>>>>>>>>>>>>>>>>>>>>> écrit :
>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT
>>>>>>>>>>>> implementation
>>>>>>>>>>>>>>>> from
>>>>>>>>>>>>>>>>>> 1.0
>>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>>>>> 1.1.
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> You can check it here:
>>>>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173 <
>>>>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173>
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I
>>>>>>>>>>>>>> have
>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>> fix
>>>>>>>>>>>>>>>>>>>>> and a
>>>>>>>>>>>>>>>>>>>>>>>>> few
>>>>>>>>>>>>>>>>>>>>>>>>>>> things that I would like to improve, but I think
>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>> majority
>>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>>>>>>>> work
>>>>>>>>>>>>>>>>>>>>>>>>>>> is done.
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list
>>>>>>>>>>>>> about
>>>>>>>>>>>>>>>> how
>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>>>>>>>>>> integrate MP JWT with EE security:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html <http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how to move forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal since it clashes with the one predefined by CDI. Most likely, we would need to plug in the JWT Principal lookup in TomcatSecurityService. I’m not sure if we want to do it in that way, or if we want to think in something else.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>>>>> Roberto
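
The @Inject Principal problem raised in this thread (a provider result kept in a field of org.apache.webbeans.portable.ProviderBasedProducer and handed to later requests once the PrincipalBean proxy is off) can be reproduced without a CDI container. The Java below is an added example written for this page; it is not OWB, Geronimo or TomEE code. RequestContext, CachingProducer and ContextualProducer are made-up names, the ThreadLocal stands in for the container's request-scoped security context, and the two user names are constructed sample input.

```java
import java.security.Principal;
import java.util.function.Supplier;

// Added example for this thread, not OWB, Geronimo or TomEE code: a container-free
// model of the reported ProviderBasedProducer behaviour when the PrincipalBean
// proxy is off. RequestContext, CachingProducer and ContextualProducer are made-up names.
public class StalePrincipalDemo {

    /** Stand-in for the container's request-scoped security context (one thread per request here). */
    static final class RequestContext {
        private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();

        static void enter(String userName) {
            CURRENT.set(() -> userName);            // Principal has a single abstract method, getName()
        }

        static void exit() {
            CURRENT.remove();
        }

        static Principal currentPrincipal() {
            Principal p = CURRENT.get();
            if (p == null) {
                throw new IllegalStateException("no request is active on this thread");
            }
            return p;
        }
    }

    /** What the security service hands to the producer: resolves the principal of the current request. */
    static final Supplier<Principal> PROVIDER = RequestContext::currentPrincipal;

    /** Models the reported behaviour: the first resolved instance is stored in a field and reused. */
    static final class CachingProducer {
        private Principal proxyInstance;             // same role as the proxyInstance field discussed in the thread

        Principal produce() {
            if (proxyInstance == null) {
                proxyInstance = PROVIDER.get();      // resolved once, for whichever request comes first
            }
            return proxyInstance;
        }
    }

    /** The contextual variant: nothing is stored, every lookup goes back to the current request. */
    static final class ContextualProducer {
        Principal produce() {
            return PROVIDER.get();
        }
    }

    /** Pushes two sequential requests for different users through one producer and records what each saw. */
    static String[] observe(Supplier<Principal> producer) {
        String[] seen = new String[2];
        String[] users = {"alice", "bob"};             // constructed sample users
        for (int i = 0; i < users.length; i++) {
            RequestContext.enter(users[i]);
            try {
                seen[i] = producer.get().getName();
            } finally {
                RequestContext.exit();               // cleared between requests, as a container would do
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        String[] cached = observe(new CachingProducer()::produce);
        String[] fresh = observe(new ContextualProducer()::produce);
        System.out.println("caching producer sees:    " + String.join(", ", cached));
        System.out.println("contextual producer sees: " + String.join(", ", fresh));
    }
}
```

With the caching producer the second request, made as bob, is served alice's Principal: that is the cross-user leak the thread calls a security issue, and it is invisible to a single-user test. Resolving on every lookup (or leaving the proxy on, which resolves per call behind the proxy) removes the field and with it the leak. JsonWebToken and claim injection were reported in the thread as unaffected, so a test that only injects the token would not catch this.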


Re: MicroProfile JWT 1.1

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Hey,

I think we are mostly done with the JWT 1.1 work. At least the TCK is passing except for two tests with the issue described here: https://github.com/eclipse/microprofile-jwt-auth/issues/118 <https://github.com/eclipse/microprofile-jwt-auth/issues/118>. I did copy the test code and added a second arquillian deployment to deploy the key endpoint for test in a separate app. In this case, the test works as expected. I’ll also try to submit a PR with this work to the JWT TCK project.

The entire work can be seen here:
https://github.com/apache/tomee/pull/173 <https://github.com/apache/tomee/pull/173>

MP JWT 1.1 mostly adds support for:
 - Loading keys using MP Config from multiple sources (inline, classpath, file, url).
 - JWK and JWKS support.
 - JWT as Principal injection.

Thank you Jon for helping out with the implementation.

Cheers,
Roberto

> On 3 Dec 2018, at 18:00, Roberto Cortez <ra...@yahoo.com> wrote:
> 
> Sure. If you don’t mind, I’ll merge your branch with mine and then submit a PR with everything.
> 
>> On 3 Dec 2018, at 17:12, Jonathan Gallimore <jo...@gmail.com> wrote:
>> 
>> If you have the cycles, it would be great if you could do it.
>> 
>> Cheers!
>> 
>> Jon
>> 
>> On Mon, Dec 3, 2018 at 5:06 PM Roberto Cortez <ra...@yahoo.com.invalid>
>> wrote:
>> 
>>> Yes, I would be in favor on commenting these tests, but implement on our
>>> tests that set up an endpoint and try to deploy and app to load the key
>>> from the endpoint. At least we make sure that the feature is working as
>>> supposed.
>>> 
>>> Do you want to do it, or should I do it?
>>> 
>>>> On 3 Dec 2018, at 16:49, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>> 
>>>> Interesting. I'd be in favor of commenting those tests out and merging the PR, if you think the rest of it is in shape. If the spec says there should be a deployment exception, then that makes sense. The TCK should probably start its own little embedded http server to supply these keys instead. We could contribute a PR there for consideration there.
>>>> 
>>>> Jon
>>>> 
>>>> On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>> 
>>>>> Yes,
>>>>>
>>>>> I think that the current state of the TCK is actually wrong. Look here:
>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118 <https://github.com/eclipse/microprofile-jwt-auth/issues/118>
>>>>>
>>>>> And also from the spec:
>>>>> MicroProfile JWT implementations are required to throw a `DeploymentException` when given a public key that cannot be parsed using either the standardly supported or vendor-specific key formats.
>>>>>
>>>>> My understanding of this is that the load / parsing of the key is part of the application deployment, so if you fail to load the key you should fail with DeploymentException. It doesn’t make sense to defer the loading of the key when you need it and then fail with the DeploymentException, when the application is already deployed.
>>>>>
>>>>> Now, the issue is a chicken / egg. The TCK test exposes the key to load from an endpoint in the actual test app that we are testing. I believe the correct behaviour should be to have a separate test app that exposes the test keys and then have a separate app to test the behaviour.
>>>>>
>>>>> I think we can implement our own tests like these and then contribute them back / fix the TCK.
>>>>>
>>>>> Cheers,
>>>>> Roberto
>>>>>
>>>>>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>> 
>>>>>> Thanks for asking. There are 3 tests I can't get passing. These are the ones where the key is referred to by a HTTP url, which isn't available at deployment time where the keys are actually read. I spent quite a lot of time trying to make this happen later in lifecycle (like on first load, or something like that). I ended up getting lost in a complete maze of lambdas. I am stuck and in need of help. I think this class is the issue:
>>>>>>
>>>>>> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java
>>>>>>
>>>>>> and this piece of functionality will probably need some design discussion to enable these tests to pass.
>>>>>>
>>>>>> I had tried flipping the storage to Map<String,Supplier> with a supplier that does a lazy lookup and caches the value. The issue there is the JWKS keys, where you appear to get multiple keys in one file. Wrapping the whole thing in a supplier might work too - you'd effectively then have to run that logic on first login, or find something else that can trigger it.
>>>>>>
>>>>>> Do you have any thoughts?
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>>>> 
>>>>>>> Hi Jon,
>>>>>>> 
>>>>>>> I’ve seen you made some changes in your branch. What is the current
>>>>>>> status? I would like to start pushing for MP 2.0 specs.
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> Roberto
>>>>>>> 
>>>>>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> Was going to have another look at those tests over the next couple of days.
>>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid wrote:
>>>>>>>> 
>>>>>>>>> Hi Jon,
>>>>>>>>>
>>>>>>>>> What is the status of this?
>>>>>>>>>
>>>>>>>>> For the remaining failing tests, the issues are related with this:
>>>>>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118 <https://github.com/eclipse/microprofile-jwt-auth/issues/118>
>>>>>>>>>
>>>>>>>>> I don’t think there is a way to fix it on our side, so we could just ignore those specific methods and build a specific test for this with 2 apps deployment so we can reach out to the public key endpoint from the test. Then we should be good to go with this!
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Roberto
>>>>>>>>>
>>>>>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Ok, yes I see it.
>>>>>>>>>> --
>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <
>>>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>>>>>>>>>>> 
>>>>>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <
>>>>>>>>>>> jlmonteiro@tomitribe.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hey Jon,
>>>>>>>>>>>>
>>>>>>>>>>>> I clicked on the link and the diff tab does not show any difference.
>>>>>>>>>>>> Did you push?
>>>>>>>>>>>> --
>>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <
>>>>>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> I now have the principal injection part of this working - thanks Romain for your help and explanations. Progress is in my fork here: https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here: https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1).
>>>>>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing. Any feedback is appreciated.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Jon
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <
>>>>>>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Cheers
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a short one here and shout if not enough: ManagedSecurityService in cdi package of openejb-core must make the getCurrentPrincipal contextual so hidden behind a proxy. The proxied API must be Principal and JsonWebToken when available (try { add if can load } catch { ignore } works as pattern). The proxy instance can be created once for all app using the container loader or per app using the app loader and avoiding to leak between apps since the API can use different loaders.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, 2 Nov 2018 14:44, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I referenced adds a single test to the geronimo-jwt-auth project (https://github.com/apache/geronimo-jwt-auth/pull/3), based on org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest from the TCK. It fails at present (hopefully we agree on that - my results attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified the project config at all, so it is using the SecurityService code you previously posted. If this additional test were part of the MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation would *not* pass the TCK.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I posted this here as I originally found the issue when continuing Roberto's efforts, but this has probably contributed to some confusion. I would suggest we continue this over on the Geronimo and OWB lists to avoid further confusion.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Fri, 2 Nov 2018 10:42, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue. Putting TomEE to one side for the moment, I am able to reproduce this in the Geronimo JWT auth library as well. This PR includes a test to show what I mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I can confirm that this change: https://github.com/apache/openwebbeans/pull/12 enables that new test to pass.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or use @RolesAllowed, I think you're ok, but if you @Inject Principal, you will most likely get the wrong principal because the instance is cached in a field in the org.apache.webbeans.portable.ProviderBasedProducer class, and that looks like a security issue.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except the principal which is broken anyway in CDI 1.x so guess this was not fixed
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn the proxy *off* in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the wrong principal injected sometimes. Specifically, I get whatever is on the proxyInstance field here:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Should this line (line 66)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> not simply be:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> return provider.get();
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> as opposed to
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode is set to false. When proxy is true, this seems to work correctly (although I have other unrelated issues in TomEE).
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me like that behaviour isn't quite right.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with something, but I'd appreciate some pointers. Happy to shift this to openwebbeans-dev, and submit a PR. Replying here initially as I ran into this while hacking on the JWT code.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez
>>>>>>>>>>>>>>>>>>>> <ra...@yahoo.com.invalid>
>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if need anything. Thanks!
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or is someone already working on this?
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <
>>>>>>>>>>>>>>>>>>>>> rmannibucau@gmail.com>
>>>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal if the jwt filter is correctly placed in the filter chain and we must inherit from the request principal.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Thu, 27 Sept 2018 18:37, Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e <https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yes, this one step.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We probably need to check first about the existence of a JWT Principal and then fallback to the Tomcat one. I think I know how to do it, I was just trying to broaden up the conversation about general integration with EE security.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to pass tck of jwt auth spec.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Wed, 26 Sept 2018 03:28, Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> You can check it here:
>>>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173 <https://github.com/apache/tomee/pull/173>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I have to fix and a few things that I would like to improve, but I think the majority of the work is done.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list about how to integrate MP JWT with EE security:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html <http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how to move forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal since it clashes with the one predefined by CDI. Most likely, we would need to plug in the JWT Principal lookup in TomcatSecurityService. I’m not sure if we want to do it in that way, or if we want to think in something else.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>>>> Roberto
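
Roberto's reading of the spec above (a public key that cannot be parsed must fail with DeploymentException while the application deploys, not on first use) and Jon's observation that a JWKS carries several keys come together in the following added Java example. It is written for this page and is not TomEE's ConfigurableJWTAuthContextInfo or any other project code. DeploymentException is a local stand-in for javax.enterprise.inject.spi.DeploymentException, RsaJwk assumes the JWKS JSON has already been split into kid/n/e fields by whatever JSON reader the server uses, and the sample keys are generated inside the example rather than fetched from a configured location.

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example for this thread, not TomEE's ConfigurableJWTAuthContextInfo: every key in a
// JWKS is parsed while the application deploys, so a defective key fails the deployment.
// DeploymentException is a local stand-in for javax.enterprise.inject.spi.DeploymentException.
public class EagerJwksLoader {

    static final class DeploymentException extends RuntimeException {
        DeploymentException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /** One RSA entry of a JWKS "keys" array; assumes the JSON has already been split into these fields. */
    static final class RsaJwk {
        final String kid;
        final String n;   // modulus, base64url of the unsigned big-endian integer (RFC 7518)
        final String e;   // public exponent, same encoding

        RsaJwk(String kid, String n, String e) {
            this.kid = kid;
            this.n = n;
            this.e = e;
        }
    }

    static BigInteger decodeUnsigned(String base64Url) {
        return new BigInteger(1, Base64.getUrlDecoder().decode(base64Url));
    }

    /** Builds the PublicKey for one JWK; any defect surfaces as a deployment failure naming the kid. */
    static PublicKey toPublicKey(RsaJwk jwk) {
        try {
            RSAPublicKeySpec spec = new RSAPublicKeySpec(decodeUnsigned(jwk.n), decodeUnsigned(jwk.e));
            return KeyFactory.getInstance("RSA").generatePublic(spec);
        } catch (Exception ex) {
            throw new DeploymentException("MP JWT public key '" + jwk.kid + "' cannot be parsed", ex);
        }
    }

    /** Parses all keys up front and indexes them by kid, the lookup a verifier needs for a multi-key JWKS. */
    static Map<String, PublicKey> loadAtDeployment(List<RsaJwk> jwks) {
        Map<String, PublicKey> byKid = new LinkedHashMap<>();
        for (RsaJwk jwk : jwks) {
            if (byKid.put(jwk.kid, toPublicKey(jwk)) != null) {
                throw new DeploymentException("duplicate kid '" + jwk.kid + "' in JWKS", null);
            }
        }
        return byKid;
    }

    /** Turns a freshly generated key into JWK fields; used only to construct sample input offline. */
    static RsaJwk sampleJwk(String kid, RSAPublicKey key) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return new RsaJwk(kid, enc.encodeToString(unsignedBytes(key.getModulus())),
                enc.encodeToString(unsignedBytes(key.getPublicExponent())));
    }

    /** Strips the sign byte BigInteger.toByteArray() may add, so the JWK encoding stays unsigned. */
    static byte[] unsignedBytes(BigInteger value) {
        byte[] bytes = value.toByteArray();
        return bytes[0] == 0 ? Arrays.copyOfRange(bytes, 1, bytes.length) : bytes;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RsaJwk first = sampleJwk("key-1", (RSAPublicKey) gen.generateKeyPair().getPublic());
        RsaJwk second = sampleJwk("key-2", (RSAPublicKey) gen.generateKeyPair().getPublic());

        Map<String, PublicKey> keys = loadAtDeployment(Arrays.asList(first, second));
        System.out.println("deployed with kids " + keys.keySet());

        RsaJwk corrupt = new RsaJwk("key-3", "not*base64url", first.e);   // constructed bad modulus
        try {
            loadAtDeployment(Arrays.asList(first, corrupt));
        } catch (DeploymentException ex) {
            System.out.println("deployment refused: " + ex.getMessage() + " <- " + ex.getCause());
        }
    }
}
```

Every key is parsed before the deployment completes, so a bad modulus or a duplicate kid is reported once, at startup, with the offending kid in the message. A Map<String, Supplier> that defers the parse would report the same defect on the first request instead, which is what the quoted spec sentence rules out. Loading from an http location that is served by the very application being deployed is the chicken-and-egg case the thread describes; it is not solved here, and the two-deployment test Roberto proposes is the way to exercise it.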


Re: MicroProfile JWT 1.1

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Sure. If you don’t mind, I’ll merge your branch with mine and then submit a PR with everything.

> On 3 Dec 2018, at 17:12, Jonathan Gallimore <jo...@gmail.com> wrote:
> 
> If you have the cycles, it would be great if you could do it.
> 
> Cheers!
> 
> Jon
> 
> On Mon, Dec 3, 2018 at 5:06 PM Roberto Cortez <ra...@yahoo.com.invalid>
> wrote:
> 
>> Yes, I would be in favor on commenting these tests, but implement on our
>> tests that set up an endpoint and try to deploy and app to load the key
>> from the endpoint. At least we make sure that the feature is working as
>> supposed.
>> 
>> Do you want to do it, or should I do it?
>> 
>>> On 3 Dec 2018, at 16:49, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>> 
>>> Interesting. I'd be in favor of commenting those tests out and merging the PR, if you think the rest of it is in shape. If the spec says there should be a deployment exception, then that makes sense. The TCK should probably start its own little embedded http server to supply these keys instead. We could contribute a PR there for consideration there.
>>> 
>>> Jon
>>> 
>>> On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>> 
>>>> Yes,
>>>>
>>>> I think that the current state of the TCK is actually wrong. Look here:
>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118 <https://github.com/eclipse/microprofile-jwt-auth/issues/118>
>>>>
>>>> And also from the spec:
>>>> MicroProfile JWT implementations are required to throw a `DeploymentException` when given a public key that cannot be parsed using either the standardly supported or vendor-specific key formats.
>>>>
>>>> My understanding of this is that the load / parsing of the key is part of the application deployment, so if you fail to load the key you should fail with DeploymentException. It doesn’t make sense to defer the loading of the key when you need it and then fail with the DeploymentException, when the application is already deployed.
>>>>
>>>> Now, the issue is a chicken / egg. The TCK test exposes the key to load from an endpoint in the actual test app that we are testing. I believe the correct behaviour should be to have a separate test app that exposes the test keys and then have a separate app to test the behaviour.
>>>>
>>>> I think we can implement our own tests like these and then contribute them back / fix the TCK.
>>>>
>>>> Cheers,
>>>> Roberto
>>>>
>>>>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>> 
>>>>> Thanks for asking. There are 3 tests I can't get passing. These are the ones where the key is referred to by a HTTP url, which isn't available at deployment time where the keys are actually read. I spent quite a lot of time trying to make this happen later in lifecycle (like on first load, or something like that). I ended up getting lost in a complete maze of lambdas. I am stuck and in need of help. I think this class is the issue:
>>>>>
>>>>> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java
>>>>>
>>>>> and this piece of functionality will probably need some design discussion to enable these tests to pass.
>>>>>
>>>>> I had tried flipping the storage to Map<String,Supplier> with a supplier that does a lazy lookup and caches the value. The issue there is the JWKS keys, where you appear to get multiple keys in one file. Wrapping the whole thing in a supplier might work too - you'd effectively then have to run that logic on first login, or find something else that can trigger it.
>>>>>
>>>>> Do you have any thoughts?
>>>>>
>>>>> Jon
>>>>>
>>>>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>>> 
>>>>>> Hi Jon,
>>>>>> 
>>>>>> I’ve seen you made some changes in your branch. What is the current
>>>>>> status? I would like to start pushing for MP 2.0 specs.
>>>>>> 
>>>>>> Cheers,
>>>>>> Roberto
>>>>>> 
>>>>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>> 
>>>>>>> Was going to have another look at those tests over the next couple of days.
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid wrote:
>>>>>>> 
>>>>>>>> Hi Jon,
>>>>>>>>
>>>>>>>> What is the status of this?
>>>>>>>>
>>>>>>>> For the remaining failing tests, the issues are related with this:
>>>>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118 <https://github.com/eclipse/microprofile-jwt-auth/issues/118>
>>>>>>>>
>>>>>>>> I don’t think there is a way to fix it on our side, so we could just ignore those specific methods and build a specific test for this with 2 apps deployment so we can reach out to the public key endpoint from the test. Then we should be good to go with this!
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>>
>>>>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
>>>>>>>>> 
>>>>>>>>> Ok, yes I see it.
>>>>>>>>> --
>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>> http://www.tomitribe.com
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <
>>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
>>>>>>>>>>
>>>>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>>>>>>>>>> 
>>>>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <
>>>>>>>>>> jlmonteiro@tomitribe.com> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Hey Jon,
>>>>>>>>>>>
>>>>>>>>>>> I clicked on the link and the diff tab does not show any difference.
>>>>>>>>>>> Did you push?
>>>>>>>>>>> --
>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <
>>>>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> I now have the principal injection part of this working - thanks Romain for your help and explanations. Progress is in my fork here: https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here: https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1).
>>>>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing. Any feedback is appreciated.
>>>>>>>>>>>> 
>>>>>>>>>>>> Jon
>>>>>>>>>>>> 
>>>>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <
>>>>>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Cheers
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Jon
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <
>>>>>> rmannibucau@gmail.com
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a
>>>>>>>>>>>>>> short one here and shout if not enough: ManagedSecurityService in cdi
>>>>>>>>>>>>>> package of openejb-core must make the getCurrentPrincipal contextual so
>>>>>>>>>>>>>> hidden behind a proxy. The proxied API must be Principal and JsonWebToken
>>>>>>>>>>>>>> when available (try { add if can load } catch { ignore } works as
>>>>>>>>>>>>>> pattern). The proxy instance can be created once for all apps using the
>>>>>>>>>>>>>> container loader or per app using the app loader, avoiding leaks between
>>>>>>>>>>>>>> apps since the API can use different loaders.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 14:44, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I
>>>>>>>>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project
>>>>>>>>>>>>>>> (https://github.com/apache/geronimo-jwt-auth/pull/3), based on
>>>>>>>>>>>>>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
>>>>>>>>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my
>>>>>>>>>>>>>>> results attached). The geronimo-jwt-auth project doesn't touch TomEE at
>>>>>>>>>>>>>>> all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not
>>>>>>>>>>>>>>> modified the project config at all, so it is using the SecurityService
>>>>>>>>>>>>>>> code you previously posted. If this additional test were part of the
>>>>>>>>>>>>>>> MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth
>>>>>>>>>>>>>>> implementation would *not* pass the TCK.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I posted this here as I originally found the issue when continuing
>>>>>>>>>>>>>>> Roberto's efforts, but this has probably contributed to some confusion.
>>>>>>>>>>>>>>> I would suggest we continue this over on the Geronimo and OWB lists to
>>>>>>>>>>>>>>> avoid further confusion.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 10:42, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue.
>>>>>>>>>>>>>>>>> Putting TomEE to one side for the moment, I am able to reproduce this in
>>>>>>>>>>>>>>>>> the Geronimo JWT auth library as well. This PR includes a test to show
>>>>>>>>>>>>>>>>> what I mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I can confirm that this change:
>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that new test to
>>>>>>>>>>>>>>>>> pass.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or
>>>>>>>>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
>>>>>>>>>>>>>>>>> will most likely get the wrong principal because the instance is cached
>>>>>>>>>>>>>>>>> in a field in the org.apache.webbeans.portable.ProviderBasedProducer
>>>>>>>>>>>>>>>>> class, and that looks like a security issue.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except
>>>>>>>>>>>>>>>>>> the principal which is broken anyway in CDI 1.x so guess this was not
>>>>>>>>>>>>>>>>>> fixed
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
>>>>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
>>>>>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>>>>>>>>>>>>>>>>>> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 00:58, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn the proxy
>>>>>>>>>>>>>>>>>>> *off* in org.apache.webbeans.component.PrincipalBean, I'm finding that
>>>>>>>>>>>>>>>>>>> I get the wrong principal injected sometimes. Specifically, I get
>>>>>>>>>>>>>>>>>>> whatever is on the proxyInstance field here:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Should this line (line 66)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66 ,
>>>>>>>>>>>>>>>>>>> not simply be:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> return provider.get();
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> as opposed to
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode
>>>>>>>>>>>>>>>>>>> is set to false. When proxy is true, this seems to work correctly
>>>>>>>>>>>>>>>>>>> (although I have other unrelated issues in TomEE).
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me
>>>>>>>>>>>>>>>>>>> like that behaviour isn't quite right.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with
>>>>>>>>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift this to
>>>>>>>>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially as I ran
>>>>>>>>>>>>>>>>>>> into this while hacking on the JWT code.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if you need anything. Thanks!
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or
>>>>>>>>>>>>>>>>>>>>> is someone already working on this?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal
>>>>>>>>>>>>>>>>>>>>>> if the jwt filter is correctly placed in the filter chain and we
>>>>>>>>>>>>>>>>>>>>>> must inherit from the request principal.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 18:37, Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Yes, this one step.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We
>>>>>>>>>>>>>>>>>>>>>>> probably need to check first about the existence of a JWT Principal
>>>>>>>>>>>>>>>>>>>>>>> and then fallback to the Tomcat one. I think I know how to do it, I
>>>>>>>>>>>>>>>>>>>>>>> was just trying to broaden up the conversation about general
>>>>>>>>>>>>>>>>>>>>>>> integration with EE security.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> OWB enables doing it - we did it in geronimo impl to pass tck of
>>>>>>>>>>>>>>>>>>>>>>>> jwt auth spec.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Wed, Sep 26, 2018 at 03:28, Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT implementation from 1.0
>>>>>>>>>>>>>>>>>>>>>>>>> to 1.1.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> You can check it here:
>>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I have to fix
>>>>>>>>>>>>>>>>>>>>>>>>> and a few things that I would like to improve, but I think the
>>>>>>>>>>>>>>>>>>>>>>>>> majority of the work is done.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list about how to
>>>>>>>>>>>>>>>>>>>>>>>>> integrate MP JWT with EE security:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how
>>>>>>>>>>>>>>>>>>>>>>>>> to move forward.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal
>>>>>>>>>>>>>>>>>>>>>>>>> since it clashes with the one predefined by CDI. Most likely, we
>>>>>>>>>>>>>>>>>>>>>>>>> would need to plug in the JWT Principal lookup in
>>>>>>>>>>>>>>>>>>>>>>>>> TomcatSecurityService. I’m not sure if we want to do it in that
>>>>>>>>>>>>>>>>>>>>>>>>> way, or if we want to think of something else.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>>>>>>
>>

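The field-caching problem Jon raises for ProviderBasedProducer, and the contextual proxy Romain suggests in reply, reduced to plain Java as an added example (not OpenWebBeans, Geronimo or TomEE code): a ThreadLocal stands in for the container's current request, `alice` and `bob` are constructed identities, and the JsonWebToken class name is only probed, never required.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Added illustration, not OpenWebBeans or TomEE code: why keeping a per-request
// Principal in a producer field hands one caller's identity to the next caller,
// and the "contextual proxy" shape Romain describes (inject once, resolve per call).
public class PrincipalProducerDemo {

    // Stand-in for the container's "current request" (assumption: a real server
    // resolves this through its security service, not a hand-set ThreadLocal).
    static final ThreadLocal<Principal> CURRENT_REQUEST = new ThreadLocal<>();
    static final Principal ANONYMOUS = () -> "anonymous";

    // The provider a producer wraps: the principal of the request being handled now.
    static final Supplier<Principal> PROVIDER = () -> {
        Principal p = CURRENT_REQUEST.get();
        return p != null ? p : ANONYMOUS;
    };

    /** Simplified mirror of the problematic pattern: the first result is kept in a field. */
    static final class CachingProducer {
        private final Supplier<Principal> provider;
        private Principal instance;   // outlives the request that produced it
        CachingProducer(Supplier<Principal> provider) { this.provider = provider; }
        Principal produce() {
            if (instance == null) {
                instance = provider.get();   // resolved once, for whoever arrives first
            }
            return instance;
        }
    }

    /**
     * Contextual proxy: one object that is safe to inject even into a long-lived bean,
     * because every method call is forwarded to the principal of the request active at
     * call time (the `return provider.get()` behaviour Jon asks about, behind a proxy).
     * JsonWebToken is proxied too, but only if it is loadable from the given loader
     * (the "try { add if can load } catch { ignore }" pattern from the thread).
     */
    static Principal contextualProxy(Supplier<Principal> provider, ClassLoader loader) {
        List<Class<?>> apis = new ArrayList<>();
        apis.add(Principal.class);
        try {
            apis.add(Class.forName("org.eclipse.microprofile.jwt.JsonWebToken", false, loader));
        } catch (ClassNotFoundException ignored) {
            // MicroProfile JWT API not visible from this loader: proxy Principal only.
        }
        InvocationHandler handler = (proxy, method, args) -> {
            Principal live = provider.get();
            if (!method.getDeclaringClass().isInstance(live)) {
                // a JsonWebToken method invoked while the current principal is a plain container one
                throw new IllegalStateException(method.getName() + " not supported for " + live.getName());
            }
            return method.invoke(live, args);
        };
        return (Principal) Proxy.newProxyInstance(loader, apis.toArray(new Class<?>[0]), handler);
    }

    /** Runs a unit of work "inside" a request authenticated as the given user. */
    static void handleRequest(String user, Runnable work) {
        CURRENT_REQUEST.set(() -> user);
        try {
            work.run();
        } finally {
            CURRENT_REQUEST.remove();   // never let an identity leak to the next request on this thread
        }
    }

    /**
     * Two sequential requests, alice then bob (constructed identities). Returns the
     * names handed to bob's request: [caching producer, contextual proxy].
     */
    static String[] namesSeenByBob() {
        CachingProducer caching = new CachingProducer(PROVIDER);
        Principal proxy = contextualProxy(PROVIDER, PrincipalProducerDemo.class.getClassLoader());
        handleRequest("alice", () -> {
            caching.produce();   // primes the field with alice's principal
            proxy.getName();
        });
        String[] seen = new String[2];
        handleRequest("bob", () -> {
            seen[0] = caching.produce().getName();   // "alice": stale instance from the previous request
            seen[1] = proxy.getName();               // "bob"
        });
        return seen;
    }

    public static void main(String[] args) {
        String[] seen = namesSeenByBob();
        System.out.println("caching producer handed bob: " + seen[0]);
        System.out.println("contextual proxy handed bob: " + seen[1]);
    }
}
```

Only `getName()` is exercised; with the real MicroProfile API on the loader, the `isInstance` check is what stops a `JsonWebToken` method from being invoked on a request whose principal is a plain container one.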

Re: MicroProfile JWT 1.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
If you have the cycles, it would be great if you could do it.

Cheers!

Jon

On Mon, Dec 3, 2018 at 5:06 PM Roberto Cortez <ra...@yahoo.com.invalid>
wrote:

> Yes, I would be in favor of commenting these tests, but implementing in our
> tests one that sets up an endpoint and tries to deploy an app to load the key
> from the endpoint. At least we make sure that the feature is working as
> supposed.
>
> Do you want to do it, or should I do it?
>
> > On 3 Dec 2018, at 16:49, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >
> > Interesting. I'd be in favor of commenting those tests out and merging the
> > PR, if you think the rest of it is in shape. If the spec says there should
> > be a deployment exception, then that makes sense. The TCK should probably
> > start its own little embedded http server to supply these keys instead. We
> > could contribute a PR there for consideration.
> >
> > Jon
> >
> > On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
> >
> >> Yes,
> >>
> >> I think that the current state of the TCK is actually wrong. Look here:
> >> https://github.com/eclipse/microprofile-jwt-auth/issues/118
> >>
> >> And also from the spec:
> >> MicroProfile JWT implementations are required to throw a
> >> `DeploymentException` when given
> >> a public key that cannot be parsed using either the standardly supported or
> >> vendor-specific key formats.
> >>
> >> My understanding of this is that the load / parsing of the key is part of
> >> the application deployment, so if you fail to load the key you should fail
> >> with DeploymentException. It doesn’t make sense to defer the loading of the
> >> key to when you need it and then fail with the DeploymentException, when the
> >> application is already deployed.
> >>
> >> Now, the issue is a chicken / egg. The TCK test exposes the key to load
> >> from an endpoint in the actual test app that we are testing. I believe the
> >> correct behaviour should be to have a separate test app that exposes the
> >> test keys and then have a separate app to test the behaviour.
> >>
> >> I think we can implement our own tests like these and then contribute them
> >> back / fix the TCK.
> >>
> >> Cheers,
> >> Roberto
> >>
> >>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>
> >>> Thanks for asking. There are 3 tests I can't get passing. These are the
> >>> ones where the key is referred to by a HTTP url, which isn't available at
> >>> deployment time where the keys are actually read. I spent quite a lot of
> >>> time trying to make this happen later in lifecycle (like on first load, or
> >>> something like that). I ended up getting lost in a complete maze of
> >>> lambdas. I am stuck and in need of help. I think this class is the issue:
> >>>
> >>> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java ,
> >>> and this piece of functionality will probably need some design discussion
> >>> to enable these tests to pass.
> >>>
> >>> I had tried flipping the storage to Map<String,Supplier> with a supplier
> >>> that does a lazy lookup and caches the value. The issue there is the JWKS
> >>> keys, where you appear to get multiple keys in one file. Wrapping the whole
> >>> thing in a supplier might work too - you'd effectively then have to run that
> >>> logic on first login, or find something else that can trigger it.
> >>>
> >>> Do you have any thoughts?
> >>>
> >>> Jon
> >>>
> >>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
> >>>
> >>>> Hi Jon,
> >>>>
> >>>> I’ve seen you made some changes in your branch. What is the current
> >>>> status? I would like to start pushing for MP 2.0 specs.
> >>>>
> >>>> Cheers,
> >>>> Roberto
> >>>>
> >>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>
> >>>>> Was going to have another look at those tests over the next couple of
> >>>>> days.
> >>>>>
> >>>>> Jon
> >>>>>
> >>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
> >>>>>
> >>>>>> Hi Jon,
> >>>>>>
> >>>>>> What is the status of this?
> >>>>>>
> >>>>>> For the remaining failing tests, the issues are related with this:
> >>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
> >>>>>>
> >>>>>> I don’t think there is a way to fix it on our side, so we could just
> >>>>>> ignore those specific methods and build a specific test for this with 2
> >>>>>> apps deployment so we can reach the public key endpoint from the test.
> >>>>>> Then we should be good to go with this!
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Roberto
> >>>>>>
> >>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
> >>>>>>>
> >>>>>>> Ok, yes I see it.
> >>>>>>> --
> >>>>>>> Jean-Louis Monteiro
> >>>>>>> http://twitter.com/jlouismonteiro
> >>>>>>> http://www.tomitribe.com
> >>>>>>>
> >>>>>>>
> >>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
> >>>>>>>>
> >>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
> >>>>>>>>
> >>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hey Jon,
> >>>>>>>>>
> >>>>>>>>> I clicked on the link and the diff tab does not show any difference.
> >>>>>>>>> Did you push?
> >>>>>>>>> --
> >>>>>>>>> Jean-Louis Monteiro
> >>>>>>>>> http://twitter.com/jlouismonteiro
> >>>>>>>>> http://www.tomitribe.com
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> I now have the principal injection part of this working - thanks Romain
> >>>>>>>>>> for your help and explanations. Progress is in my fork here:
> >>>>>>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
> >>>>>>>>>> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1 ).
> >>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing.
> >>>>>>>>>> Any feedback is appreciated.
> >>>>>>>>>>
> >>>>>>>>>> Jon
> >>>>>>>>>>
> >>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
> >>>>>>>>>>>
> >>>>>>>>>>> Cheers
> >>>>>>>>>>>
> >>>>>>>>>>> Jon
> >>>>>>>>>>>
> >>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a
> >>>>>>>>>>>> short one here and shout if not enough: ManagedSecurityService in cdi
> >>>>>>>>>>>> package of openejb-core must make the getCurrentPrincipal contextual so
> >>>>>>>>>>>> hidden behind a proxy. The proxied API must be Principal and JsonWebToken
> >>>>>>>>>>>> when available (try { add if can load } catch { ignore } works as
> >>>>>>>>>>>> pattern). The proxy instance can be created once for all apps using the
> >>>>>>>>>>>> container loader or per app using the app loader, avoiding leaks between
> >>>>>>>>>>>> apps since the API can use different loaders.
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Fri, Nov 2, 2018 at 14:44, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I
> >>>>>>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project
> >>>>>>>>>>>>> (https://github.com/apache/geronimo-jwt-auth/pull/3), based on
> >>>>>>>>>>>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
> >>>>>>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my
> >>>>>>>>>>>>> results attached). The geronimo-jwt-auth project doesn't touch TomEE at
> >>>>>>>>>>>>> all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not
> >>>>>>>>>>>>> modified the project config at all, so it is using the SecurityService
> >>>>>>>>>>>>> code you previously posted. If this additional test were part of the
> >>>>>>>>>>>>> MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth
> >>>>>>>>>>>>> implementation would *not* pass the TCK.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I posted this here as I originally found the issue when continuing
> >>>>>>>>>>>>> Roberto's efforts, but this has probably contributed to some confusion.
> >>>>>>>>>>>>> I would suggest we continue this over on the Geronimo and OWB lists to
> >>>>>>>>>>>>> avoid further confusion.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hi
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 10:42, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue.
> >>>>>>>>>>>>>>> Putting TomEE to one side for the moment, I am able to reproduce this in
> >>>>>>>>>>>>>>> the Geronimo JWT auth library as well. This PR includes a test to show
> >>>>>>>>>>>>>>> what I mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I can confirm that this change:
> >>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that new test to
> >>>>>>>>>>>>>>> pass.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or
> >>>>>>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
> >>>>>>>>>>>>>>> will most likely get the wrong principal because the instance is cached
> >>>>>>>>>>>>>>> in a field in the org.apache.webbeans.portable.ProviderBasedProducer
> >>>>>>>>>>>>>>> class, and that looks like a security issue.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hi Jon,
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except
> >>>>>>>>>>>>>>>> the principal which is broken anyway in CDI 1.x so guess this was not
> >>>>>>>>>>>>>>>> fixed
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
> >>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> >>>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> >>>>>>>>>>>>>>>> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 00:58, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn the proxy
> >>>>>>>>>>>>>>>>> *off* in org.apache.webbeans.component.PrincipalBean, I'm finding that
> >>>>>>>>>>>>>>>>> I get the wrong principal injected sometimes. Specifically, I get
> >>>>>>>>>>>>>>>>> whatever is on the proxyInstance field here:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Should this line (line 66)
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66 ,
> >>>>>>>>>>>>>>>>> not simply be:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> return provider.get();
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> as opposed to
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode
> >>>>>>>>>>>>>>>>> is set to false. When proxy is true, this seems to work correctly
> >>>>>>>>>>>>>>>>> (although I have other unrelated issues in TomEE).
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me
> >>>>>>>>>>>>>>>>> like that behaviour isn't quite right.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with
> >>>>>>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift this to
> >>>>>>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially as I ran
> >>>>>>>>>>>>>>>>> into this while hacking on the JWT code.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if you need anything. Thanks!
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or
> >>>>>>>>>>>>>>>>>>> is someone already working on this?
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal
> >>>>>>>>>>>>>>>>>>>> if the jwt filter is correctly placed in the filter chain and we
> >>>>>>>>>>>>>>>>>>>> must inherit from the request principal.
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 18:37, Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the
> >>>>>>>> proxy?
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>
> >>
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> >>>>>>>>>>>>>>>>>>>>> <
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>
> >>
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Yes, this one step.
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of
> >>>>>>>>> Tomcat.
> >>>>>>>>>>>> We
> >>>>>>>>>>>>>>>> probably
> >>>>>>>>>>>>>>>>>>>> need
> >>>>>>>>>>>>>>>>>>>>> to check first about the existence of a JWT Principal
> >>>>>>>>> and
> >>>>>>>>>>>> then
> >>>>>>>>>>>>>>>>> fallback
> >>>>>>>>>>>>>>>>>>>> to
> >>>>>>>>>>>>>>>>>>>>> the Tomcat one. I think I know how to do it, I was
> >>>>>>>> just
> >>>>>>>>>>>>>> trying to
> >>>>>>>>>>>>>>>>>> broaden
> >>>>>>>>>>>>>>>>>>>>> up the conversation about general integration with EE
> >>>>>>>>>>>>>> security.
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>>>>>>>> Roberto
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <
> >>>>>>>>>>>>>>>> rmannibucau@gmail.com
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to
> >>>>>>>>> pass
> >>>>>>>>>>>> tck
> >>>>>>>>>>>>>> of
> >>>>>>>>>>>>>>>> jwt
> >>>>>>>>>>>>>>>>>>>> auth
> >>>>>>>>>>>>>>>>>>>>>> spec.
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez
> >>>>>>>>>>>>>>>>>>>> <ra...@yahoo.com.invalid>
> >>>>>>>>>>>>>>>>>>>>> a
> >>>>>>>>>>>>>>>>>>>>>> écrit :
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT
> >>>>>>>> implementation
> >>>>>>>>>>>> from
> >>>>>>>>>>>>>> 1.0
> >>>>>>>>>>>>>>> to
> >>>>>>>>>>>>>>>>>> 1.1.
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> You can check it here:
> >>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173 <
> >>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173>
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I
> >>>>>>>>>> have
> >>>>>>>>>>>> to
> >>>>>>>>>>>>>> fix
> >>>>>>>>>>>>>>>>> and a
> >>>>>>>>>>>>>>>>>>>>> few
> >>>>>>>>>>>>>>>>>>>>>>> things that I would like to improve, but I think
> >>>>>>>> the
> >>>>>>>>>>>>>> majority
> >>>>>>>>>>>>>>> of
> >>>>>>>>>>>>>>>>> the
> >>>>>>>>>>>>>>>>>>>>> work
> >>>>>>>>>>>>>>>>>>>>>>> is done.
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list
> >>>>>>>>> about
> >>>>>>>>>>>> how
> >>>>>>>>>>>>>> to
> >>>>>>>>>>>>>>>>>>>> integrate
> >>>>>>>>>>>>>>>>>>>>>>> MP JWT with EE security:
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>
> >>
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> >>>>>>>>>>>>>>>>>>>>>>> <
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>
> >>
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> >>>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and
> >>>>>>>>>> figure
> >>>>>>>>>>>>>> out
> >>>>>>>>>>>>>>> how
> >>>>>>>>>>>>>>>>> to
> >>>>>>>>>>>>>>>>>>>>> move
> >>>>>>>>>>>>>>>>>>>>>>> forward.
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting
> >>>>>>>> a
> >>>>>>>>>> JWT
> >>>>>>>>>>>>>>>> Principal
> >>>>>>>>>>>>>>>>>>>> since
> >>>>>>>>>>>>>>>>>>>>>>> it clashes with the predefined by CDI. Most likely,
> >>>>>>>>> we
> >>>>>>>>>>>> would
> >>>>>>>>>>>>>>> need
> >>>>>>>>>>>>>>>>> to
> >>>>>>>>>>>>>>>>>>>>> plugin
> >>>>>>>>>>>>>>>>>>>>>>> the JWT Principal lookup in TomcatSecurityService.
> >>>>>>>>> I’m
> >>>>>>>>>>>> not
> >>>>>>>>>>>>>> sure
> >>>>>>>>>>>>>>>> if
> >>>>>>>>>>>>>>>>> we
> >>>>>>>>>>>>>>>>>>>>> want
> >>>>>>>>>>>>>>>>>>>>>>> to do it in that way, or if we want to think in
> >>>>>>>>>> something
> >>>>>>>>>>>>>> else.
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>>>>>>>>>> Roberto
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>>
> >>>>
> >>>>
> >>
> >>
>
>
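The injection problem described in the quoted messages above, as an added illustration that is not OpenWebBeans or TomEE code: a producer that keeps the value it produced in a field (the shape of the `proxyInstance = provider.get()` line), the one-line change to return `provider.get()` on every call, and a contextual proxy that resolves the principal from the current context each time it is asked, which is safe to cache. The `ThreadLocal` request context, the class names and the two users `alice` and `bob` are assumptions of this example.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Stand-in for the container's per-request security context (assumption of this example).
final class RequestContext {
    private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();
    static void enter(Principal p) { CURRENT.set(p); }
    static void exit() { CURRENT.remove(); }
    static Principal current() { return CURRENT.get(); }
}

// Same shape as the problematic producer: the first produced value is stored and reused,
// so every later injection point receives the principal of whoever came first.
final class CachingPrincipalProducer {
    private final Supplier<Principal> provider;
    private Principal proxyInstance;

    CachingPrincipalProducer(Supplier<Principal> provider) { this.provider = provider; }

    Principal produce() {
        if (proxyInstance == null) {
            proxyInstance = provider.get();
        }
        return proxyInstance;
    }
}

// The change proposed in the thread: ask the provider every time, hold nothing.
final class PerCallPrincipalProducer {
    private final Supplier<Principal> provider;

    PerCallPrincipalProducer(Supplier<Principal> provider) { this.provider = provider; }

    Principal produce() {
        return provider.get();
    }
}

// Contextual proxy in the spirit of the proxy-based alternative: one shared instance is
// fine because each call looks the principal up in the current request context.
final class ContextualPrincipal implements Principal {
    @Override
    public String getName() {
        Principal p = RequestContext.current();
        return p == null ? "anonymous" : p.getName();
    }
}

public class PrincipalCachingDemo {
    // Runs two "requests" authenticated as different users through the given producer
    // and records the principal name each request observed.
    static List<String> namesSeen(Supplier<Principal> producer) {
        List<String> seen = new ArrayList<>();
        for (String user : new String[] {"alice", "bob"}) {
            Principal authenticated = () -> user;
            RequestContext.enter(authenticated);
            try {
                seen.add(producer.get().getName());
            } finally {
                RequestContext.exit();
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        Supplier<Principal> fromContext = RequestContext::current;

        CachingPrincipalProducer caching = new CachingPrincipalProducer(fromContext);
        PerCallPrincipalProducer perCall = new PerCallPrincipalProducer(fromContext);
        ContextualPrincipal proxy = new ContextualPrincipal();

        System.out.println("cached field : " + namesSeen(caching::produce));
        System.out.println("per call     : " + namesSeen(perCall::produce));
        System.out.println("contextual   : " + namesSeen(() -> proxy));
    }
}
```

Run as `java PrincipalCachingDemo.java`. The caching producer reports the first request's user for both requests, which is the cross-request leak the thread is worried about; the per-call producer and the contextual proxy each report the user of the request that asked.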

Re: MicroProfile JWT 1.1

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Yes, I would be in favor of commenting out these tests, but implementing in our own tests one that sets up an endpoint and tries to deploy an app that loads the key from the endpoint. At least we make sure that the feature is working as it is supposed to.

Do you want to do it, or should I do it?

> On 3 Dec 2018, at 16:49, Jonathan Gallimore <jo...@gmail.com> wrote:
> 
> Interesting. I'd be in favor of commenting those tests out and merging the
> PR, if you think the rest of it is in shape. If the spec says there should
> be a deployment exception, then that makes sense. The TCK should probably
> start its own little embedded http server to supply these keys instead. We
> could contribute a PR there for consideration.
> 
> Jon
> 
> On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <ra...@yahoo.com.invalid>
> wrote:
> 
>> Yes,
>> 
>> I think that the current state of the TCK is actually wrong. Look here:
>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>> 
>> And also from the spec:
>> MicroProfile JWT implementations are required to throw a
>> `DeploymentException` when given
>> a public key that cannot be parsed using either the standardly supported or
>> vendor-specific key formats.
>> 
>> My understanding of this is that the load / parsing of the key is part of
>> the application deployment, so if you fail to load the key you should fail
>> with DeploymentException. It doesn't make sense to defer the loading of the
>> key to when you need it and then fail with the DeploymentException, when the
>> application is already deployed.
>> 
>> Now, the issue is a chicken / egg one. The TCK test exposes the key to load
>> from an endpoint in the actual test app that we are testing. I believe the
>> correct behaviour should be to have a separate test app that exposes the
>> test keys and then have a separate app to test the behaviour.
>> 
>> I think we can implement our own tests like these and then contribute them
>> back / fix the TCK.
>> 
>> Cheers,
>> Roberto
>> 
>>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>> 
>>> Thanks for asking. There are 3 tests I can't get passing. These are the
>>> ones where the key is referred to by an HTTP url, which isn't available at
>>> deployment time, where the keys are actually read. I spent quite a lot of
>>> time trying to make this happen later in the lifecycle (like on first load,
>>> or something like that). I ended up getting lost in a complete maze of
>>> lambdas. I am stuck and in need of help. I think this class is the issue:
>>> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java
>>> and this piece of functionality will probably need some design discussion
>>> to enable these tests to pass.
>>> 
>>> I had tried flipping the storage to Map<String,Supplier> with a supplier
>>> that does a lazy lookup and caches the value. The issue there is the JWKS
>>> keys, where you appear to get multiple keys in one file. Wrapping the whole
>>> thing in a supplier might work too - you'd effectively then have to run
>>> that logic on first login, or find something else that can trigger it.
>>> 
>>> Do you have any thoughts?
>>> 
>>> Jon
>>> 
>>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
>>> 
>>>> Hi Jon,
>>>> 
>>>> I've seen you made some changes in your branch. What is the current
>>>> status? I would like to start pushing for the MP 2.0 specs.
>>>> 
>>>> Cheers,
>>>> Roberto
>>>> 
>>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>> 
>>>>> Was going to have another look at those tests over the next couple of days.
>>>>> 
>>>>> Jon
>>>>> 
>>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
>>>>> 
>>>>>> Hi Jon,
>>>>>> 
>>>>>> What is the status of this?
>>>>>> 
>>>>>> For the remaining failing tests, the issues are related to this:
>>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>>> 
>>>>>> I don't think there is a way to fix it on our side, so we could just
>>>>>> ignore those specific methods and build a specific test for this with a
>>>>>> 2-app deployment so we can reach the public key endpoint from the test.
>>>>>> Then we should be good to go with this!
>>>>>> 
>>>>>> Cheers,
>>>>>> Roberto
>>>>>> 
>>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
>>>>>>> 
>>>>>>> Ok, yes I see it.
>>>>>>> --
>>>>>>> Jean-Louis Monteiro
>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>> http://www.tomitribe.com
>>>>>>> 
>>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>> 
>>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
>>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>>>>>>>> 
>>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
>>>>>>>> 
>>>>>>>>> Hey Jon,
>>>>>>>>> 
>>>>>>>>> I clicked on the link and the diff tab does not show any difference.
>>>>>>>>> Did you push?
>>>>>>>>> --
>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>> http://www.tomitribe.com
>>>>>>>>> 
>>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>>> I now have the principal injection part of this working - thanks Romain
>>>>>>>>>> for your help and explanations. Progress is in my fork here:
>>>>>>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
>>>>>>>>>> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1 ).
>>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing.
>>>>>>>>>> Any feedback is appreciated.
>>>>>>>>>> 
>>>>>>>>>> Jon
>>>>>>>>>> 
>>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
>>>>>>>>>>> 
>>>>>>>>>>> Cheers
>>>>>>>>>>> 
>>>>>>>>>>> Jon
>>>>>>>>>>> 
>>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> I answered hopefully "long enough" on dev@geronimo, so I will just do
>>>>>>>>>>>> a short one here; shout if it is not enough: ManagedSecurityService in
>>>>>>>>>>>> the cdi package of openejb-core must make getCurrentPrincipal contextual,
>>>>>>>>>>>> so hidden behind a proxy. The proxied API must be Principal and
>>>>>>>>>>>> JsonWebToken when available (try { add if can load } catch { ignore }
>>>>>>>>>>>> works as a pattern). The proxy instance can be created once for all apps
>>>>>>>>>>>> using the container loader, or per app using the app loader, avoiding
>>>>>>>>>>>> leaks between apps since the API can use different loaders.
>>>>>>>>>>>> 
>>>>>>>>>>>> On Fri, 2 Nov 2018 14:44, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I
>>>>>>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project
>>>>>>>>>>>>> (https://github.com/apache/geronimo-jwt-auth/pull/3), based on
>>>>>>>>>>>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
>>>>>>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my
>>>>>>>>>>>>> results attached). The geronimo-jwt-auth project doesn't touch TomEE at
>>>>>>>>>>>>> all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not
>>>>>>>>>>>>> modified the project config at all, so it is using the SecurityService
>>>>>>>>>>>>> code you previously posted. If this additional test were part of the
>>>>>>>>>>>>> MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth
>>>>>>>>>>>>> implementation would *not* pass the TCK.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I posted this here as I originally found the issue when continuing
>>>>>>>>>>>>> Roberto's efforts, but this has probably contributed to some confusion. I
>>>>>>>>>>>>> would suggest we continue this over on the Geronimo and OWB lists to avoid
>>>>>>>>>>>>> further confusion.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Jon
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Yes, this is an owb misconfiguration/integration.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Geronimo is fine here, so likely the tomee owb spi needs updating, as in
>>>>>>>>>>>>>> the geronimo tck.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Fri, 2 Nov 2018 10:42, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> [...]

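The deployment-time versus first-use split discussed in the message above, as an added example that is not TomEE's or the TCK's code: a key given inline is parsed when the deployment is built and a corrupt value fails the deployment, while a key behind an HTTP(S) location is fetched on first use and memoised, so a set served by the application being deployed can still be resolved. The `DeploymentException` class here is a dependency-free stand-in for the CDI one, the location `https://app.example/jwks` is made up, and the remote fetch is a caller-supplied function returning kid-to-PEM text in place of real JWKS download and parsing, which this example omits.

```java
import java.net.URI;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
import java.util.function.Supplier;

// Stand-in for javax.enterprise.inject.spi.DeploymentException (assumption of this example).
final class DeploymentException extends RuntimeException {
    DeploymentException(String message, Throwable cause) { super(message, cause); }
}

// Verification keys of one deployment, keyed by kid.
final class VerificationKeys {
    private final Supplier<Map<String, PublicKey>> keys;

    private VerificationKeys(Supplier<Map<String, PublicKey>> keys) { this.keys = keys; }

    // fetchPems stands in for downloading and parsing a JWKS document at a remote location.
    static VerificationKeys atDeployment(String location, Function<URI, Map<String, String>> fetchPems) {
        if (location.startsWith("https://") || location.startsWith("http://")) {
            URI uri = URI.create(location);
            return new VerificationKeys(memoize(() -> parseAll(fetchPems.apply(uri)))); // deferred
        }
        Map<String, PublicKey> inline;
        try {
            inline = Collections.singletonMap("default", parsePem(location)); // parsed now
        } catch (Exception e) {
            throw new DeploymentException("verification public key cannot be parsed", e);
        }
        return new VerificationKeys(() -> inline);
    }

    PublicKey forKid(String kid) {
        PublicKey key = keys.get().get(kid);
        if (key == null) {
            throw new IllegalArgumentException("no verification key with kid " + kid);
        }
        return key;
    }

    // Parses a PEM "PUBLIC KEY" block (SubjectPublicKeyInfo) into an RSA PublicKey.
    static PublicKey parsePem(String pem) throws Exception {
        String body = pem.replace("-----BEGIN PUBLIC KEY-----", "")
                         .replace("-----END PUBLIC KEY-----", "")
                         .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    private static Map<String, PublicKey> parseAll(Map<String, String> pems) {
        Map<String, PublicKey> parsed = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : pems.entrySet()) {
            try {
                parsed.put(e.getKey(), parsePem(e.getValue()));
            } catch (Exception ex) {
                throw new IllegalStateException("remote key " + e.getKey() + " cannot be parsed", ex);
            }
        }
        return Collections.unmodifiableMap(parsed);
    }

    // Resolves the delegate once, on first use, and keeps the result.
    private static <T> Supplier<T> memoize(Supplier<T> delegate) {
        return new Supplier<T>() {
            private T value;
            @Override public synchronized T get() {
                if (value == null) {
                    value = delegate.get();
                }
                return value;
            }
        };
    }
}

public class KeyLoadingDemo {
    static String toPem(PublicKey key) {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(key.getEncoded());
        return "-----BEGIN PUBLIC KEY-----\n" + b64 + "\n-----END PUBLIC KEY-----\n";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        String pem1 = toPem(gen.generateKeyPair().getPublic()); // constructed sample keys
        String pem2 = toPem(gen.generateKeyPair().getPublic());

        // Inline key: valid one is accepted at deployment, corrupt one rejects the deployment.
        VerificationKeys.atDeployment(pem1, uri -> Collections.<String, String>emptyMap()).forKid("default");
        try {
            VerificationKeys.atDeployment("-----BEGIN PUBLIC KEY-----\nnot a key\n-----END PUBLIC KEY-----",
                    uri -> Collections.<String, String>emptyMap());
        } catch (DeploymentException e) {
            System.out.println("deployment rejected: " + e.getMessage());
        }

        // Remote location: nothing is fetched at deployment; one fetch serves several kids.
        AtomicInteger fetches = new AtomicInteger();
        Map<String, String> served = new LinkedHashMap<>();
        served.put("k1", pem1);
        served.put("k2", pem2);
        VerificationKeys remote = VerificationKeys.atDeployment("https://app.example/jwks", uri -> {
            fetches.incrementAndGet();
            return served;
        });
        System.out.println("fetches after deployment: " + fetches.get());
        remote.forKid("k1");
        remote.forKid("k2");
        System.out.println("fetches after two lookups: " + fetches.get());
    }
}
```

Run as `java KeyLoadingDemo.java`. The fetch counter stays at zero until the first `forKid` call and is still one after the second, which is the behaviour the Map<String,Supplier> idea in the thread was reaching for, with the JWKS multiple-keys case handled by memoising the whole set rather than one supplier per key; a parse failure in the remote set surfaces on first use, not at deployment, which is exactly the trade-off the spec's DeploymentException requirement argues against and why the TCK keys ideally come from a separately deployed application.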

Re: MicroProfile JWT 1.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
Interesting. I'd be in favor of commenting those tests out and merging the
PR, if you think the rest of it is in shape. If the spec says there should
be a deployment exception, then that makes sense. The TCK should probably
start its own little embedded http server to supply these keys instead. We
could contribute a PR there for consideration.

Jon

On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <ra...@yahoo.com.invalid>
wrote:

> Yes,
>
> I think that the current state of the TCK is actually wrong. Look here:
> https://github.com/eclipse/microprofile-jwt-auth/issues/118 <
> https://github.com/eclipse/microprofile-jwt-auth/issues/118>
>
> And also from the spec:
> MicroProfile JWT implementations are required to throw a
> `DeploymentException` when given
> a public key that cannot be parsed using either the standardly supported or
> vendor-specific key formats.
>
> My understanding of this is that the load / parsing of the key is part of
> the application deployment, so if you fail to load the key you should fail
> with DeploymentException. It doesn’t make sense to defer the loading of the
> key when you need it and then fail with the DeploymentException, when the
> application is already deployed.
>
> Now, the issue is a chicken / egg. The TCK test exposes the key to load
> from an endpoint in the actual test app that we are testing. I believe the
> correct behaviour should be to have a separate test app that exposes the
> test keys and then have a separate app to test the behaviour.
>
> I think we can implement our own tests like these and then contribute them
> back / fix the TCK.
>
> Cheers,
> Roberto
>
> > On 3 Dec 2018, at 16:24, Jonathan Gallimore <
> jonathan.gallimore@gmail.com> wrote:
> >
> > Thanks for asking. There are 3 tests I can't get passing. These are the
> > ones where the key is referred to by a HTTP url, which isn't available at
> > deployment time where the keys are actually read. I spent quite a lot of
> > time trying to make this happen later in lifecycle (like on first load,
> or
> > something like that). I ended up getting lost in a complete maze of
> > lambdas. I am stuck and in need of help. I think this class is the issue:
> >
> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java
> ,
> > and this piece of functionality will probably need some design discussion
> > to enable these tests to pass.
> >
> > I had tried flip the storage to Map<String,Supplier> with a supplier that
> > does a lazy lookup and caches the value. The issue there is the JWKS
> keys,
> > where you appear to get multiple keys in one file. Wrapping the whole
> thing
> > a supplier might work too - you'd effectively then have run that logic on
> > first login, or find something else that can trigger it.
> >
> > Do you have any thoughts?
> >
> > Jon
> >
> > On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez
> <ra...@yahoo.com.invalid>
> > wrote:
> >
> >> Hi Jon,
> >>
> >> I’ve seen you made some changes in your branch. What is the current
> >> status? I would like to start pushing for MP 2.0 specs.
> >>
> >> Cheers,
> >> Roberto
> >>
> >>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <
> >> jonathan.gallimore@gmail.com> wrote:
> >>>
> >>> Was going to have another look at those tests over the next couple of
> >> days.
> >>>
> >>> Jon
> >>>
> >>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid
> >>> wrote:
> >>>
> >>>> Hi Jon,
> >>>>
> >>>> What it the status of this?
> >>>>
> >>>> For the remaining failing tests, the issues are related with this:
> >>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118 <
> >>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118>
> >>>>
> >>>> I don’t think there is a way to fix it on our side, so se could just
> >>>> ignore those specific methods and build a specific test for this with
> 2
> >>>> apps deployment so we can reach out then public key endpoint from the
> >> test.
> >>>> Then we should be good to go with this!
> >>>>
> >>>> Cheers,
> >>>> Roberto
> >>>>
> >>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonteiro@tomitribe.com>
> >>>>> wrote:
> >>>>>
> >>>>> Ok, yes I see it.
> >>>>> --
> >>>>> Jean-Louis Monteiro
> >>>>> http://twitter.com/jlouismonteiro
> >>>>> http://www.tomitribe.com
> >>>>>
> >>>>>
> >>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <
> >>>>> jonathan.gallimore@gmail.com> wrote:
> >>>>>
> >>>>>> The commits are showing for me (at the bottom). Here's the latest one:
> >>>>>>
> >>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
> >>>>>>
> >>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <
> >>>>>> jlmonteiro@tomitribe.com> wrote:
> >>>>>>
> >>>>>>> Hey Jon,
> >>>>>>>
> >>>>>>> I clicked on the link and the diff tab does not show any difference.
> >>>>>>> Did you push?
> >>>>>>> --
> >>>>>>> Jean-Louis Monteiro
> >>>>>>> http://twitter.com/jlouismonteiro
> >>>>>>> http://www.tomitribe.com
> >>>>>>>
> >>>>>>>
> >>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <
> >>>>>>> jonathan.gallimore@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> I now have the principal injection part of this working - thanks Romain
> >>>>>>>> for your help and explanations. Progress is in my fork here:
> >>>>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
> >>>>>>>> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1).
> >>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing.
> >>>>>>>> Any feedback is appreciated.
> >>>>>>>>
> >>>>>>>> Jon
> >>>>>>>>
> >>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <
> >>>>>>>> jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
> >>>>>>>>>
> >>>>>>>>> Cheers
> >>>>>>>>>
> >>>>>>>>> Jon
> >>>>>>>>>
> >>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com>
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a
> >>>>>>>>>> short one here and shout if not enough: ManagedSecurityService in cdi
> >>>>>>>>>> package of openejb-core must make the getCurrentPrincipal contextual so
> >>>>>>>>>> hidden behind a proxy. The proxied API must be Principal and JsonWebToken
> >>>>>>>>>> when available (try { add if can load } catch { ignore } works as
> >>>>>>>>>> pattern). The proxy instance can be created once for all apps using the
> >>>>>>>>>> container loader or per app using the app loader, avoiding leaks between
> >>>>>>>>>> apps since the API can use different loaders.
> >>>>>>>>>>
> >>>>>>>>>> On Fri, 2 Nov 2018 14:44, Jonathan Gallimore <jonathan.gallimore@gmail.com>
> >>>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I
> >>>>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project
> >>>>>>>>>>> (https://github.com/apache/geronimo-jwt-auth/pull/3), based on
> >>>>>>>>>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
> >>>>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my
> >>>>>>>>>>> results attached). The geronimo-jwt-auth project doesn't touch TomEE at
> >>>>>>>>>>> all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not
> >>>>>>>>>>> modified the project config at all, so it is using the SecurityService
> >>>>>>>>>>> code you previously posted. If this additional test were part of the
> >>>>>>>>>>> MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth
> >>>>>>>>>>> implementation would *not* pass the TCK.
> >>>>>>>>>>>
> >>>>>>>>>>> I posted this here as I originally found the issue when continuing
> >>>>>>>>>>> Roberto's efforts, but this has probably contributed to some confusion.
> >>>>>>>>>>> I would suggest we continue this over on the Geronimo and OWB lists to
> >>>>>>>>>>> avoid further confusion.
> >>>>>>>>>>>
> >>>>>>>>>>> Jon
> >>>>>>>>>>>
> >>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibucau@gmail.com>
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Hi
> >>>>>>>>>>>>
> >>>>>>>>>>>> Yes this is an owb misconfiguration/integration
> >>>>>>>>>>>>
> >>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo
> >>>>>>>>>>>> tck
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Fri, 2 Nov 2018 10:42, Jonathan Gallimore <jonathan.gallimore@gmail.com>
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue.
> >>>>>>>>>>>>> Putting TomEE to one side for the moment, I am able to reproduce this
> >>>>>>>>>>>>> in the Geronimo JWT auth library as well. This PR includes a test to
> >>>>>>>>>>>>> show what I mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I can confirm that this change:
> >>>>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that new test to
> >>>>>>>>>>>>> pass.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or
> >>>>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
> >>>>>>>>>>>>> will most likely get the wrong principal because the instance is cached
> >>>>>>>>>>>>> in a field in the org.apache.webbeans.portable.ProviderBasedProducer
> >>>>>>>>>>>>> class, and that looks like a security issue.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibucau@gmail.com>
> >>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hi Jon,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except
> >>>>>>>>>>>>>> the principal which is broken anyway in CDI 1.x so guess this was not
> >>>>>>>>>>>>>> fixed
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
> >>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
> >>>>>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
> >>>>>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Book
> >>>>>>>>>>>>>> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore
> >>>>>>>>>>>>>> <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn the proxy *off*
> >>>>>>>>>>>>>>> in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the
> >>>>>>>>>>>>>>> wrong principal injected sometimes. Specifically, I get whatever is on the
> >>>>>>>>>>>>>>> proxyInstance field here:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Should this line (line 66)
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> not simply be:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> return provider.get();
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> as opposed to
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode is set
> >>>>>>>>>>>>>>> to false. When proxy is true, this seems to work correctly (although I have
> >>>>>>>>>>>>>>> other unrelated issues in TomEE).
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me like
> >>>>>>>>>>>>>>> that behaviour isn't quite right.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with
> >>>>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift this to
> >>>>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially as I ran into
> >>>>>>>>>>>>>>> this while hacking on the JWT code.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <ra...@yahoo.com.invalid>
> >>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Please, go ahead. Let me know if you need anything. Thanks!
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallimore@gmail.com>
> >>>>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or is
> >>>>>>>>>>>>>>>>> someone already working on this?
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibucau@gmail.com>
> >>>>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal if
> >>>>>>>>>>>>>>>>>> the jwt filter is correctly placed in the filter chain and we must
> >>>>>>>>>>>>>>>>>> inherit from the request principal.
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> On Thu, 27 Sep 2018 18:37, Roberto Cortez <radcortez@yahoo.com.invalid>
> >>>>>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Yes, this one step.
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We probably
> >>>>>>>>>>>>>>>>>>> need to check first about the existence of a JWT Principal and then
> >>>>>>>>>>>>>>>>>>> fall back to the Tomcat one. I think I know how to do it, I was just
> >>>>>>>>>>>>>>>>>>> trying to broaden up the conversation about general integration with
> >>>>>>>>>>>>>>>>>>> EE security.
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>>>>>> Roberto
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibucau@gmail.com>
> >>>>>>>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> OWB enables it - we did it in geronimo impl to pass tck of jwt auth
> >>>>>>>>>>>>>>>>>>>> spec.
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> On Wed, 26 Sep 2018 03:28, Roberto Cortez <ra...@yahoo.com.invalid>
> >>>>>>>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> You can check it here:
> >>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I have to fix and a
> >>>>>>>>>>>>>>>>>>>>> few things that I would like to improve, but I think the majority of
> >>>>>>>>>>>>>>>>>>>>> the work is done.
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list about how to
> >>>>>>>>>>>>>>>>>>>>> integrate MP JWT with EE security:
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how to
> >>>>>>>>>>>>>>>>>>>>> move forward.
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal
> >>>>>>>>>>>>>>>>>>>>> since it clashes with the one predefined by CDI. Most likely, we would
> >>>>>>>>>>>>>>>>>>>>> need to plug in the JWT Principal lookup in TomcatSecurityService. I’m
> >>>>>>>>>>>>>>>>>>>>> not sure if we want to do it in that way, or if we want to think of
> >>>>>>>>>>>>>>>>>>>>> something else.
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>>>>>>>> Roberto
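
The two points argued in the quoted thread, Jon's observation that a producer which stores `provider.get()` in a field hands request 1's Principal to request 2, and Romain's suggested fix of a contextual proxy over `Principal` plus `JsonWebToken` when that class can be loaded, side by side in an added, self-contained Java example. This is illustrative code written for this page, not OWB's `ProviderBasedProducer`, TomEE's `ManagedSecurityService` or the Geronimo `TckSecurityService`; the `ThreadLocal` request context and the class names `CachingProducer`, `PerRequestProducer` and `contextualPrincipalProxy` are assumptions standing in for the container's security service.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Hypothetical stand-alone illustration; not code from OWB, TomEE or Geronimo.
public final class PrincipalInjectionDemo {

    // Stand-in for the container's per-request security context (assumption:
    // a ThreadLocal, since a worker thread carries the caller of the request).
    static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();

    static Principal currentPrincipal() {
        Principal p = CURRENT.get();
        return p != null ? p : () -> "anonymous";
    }

    // The shape of the problem raised in the thread: in non-proxy mode the
    // producer stores the first provider.get() result in a field and hands it
    // to every later injection, so request 2 receives request 1's principal.
    static final class CachingProducer {
        private final Supplier<Principal> provider;
        private Principal instance; // must never be set when not proxying

        CachingProducer(Supplier<Principal> provider) { this.provider = provider; }

        Principal produce() {
            if (instance == null) {
                instance = provider.get();
            }
            return instance;
        }
    }

    // The one-line fix suggested in the thread: resolve on every injection.
    static final class PerRequestProducer {
        private final Supplier<Principal> provider;

        PerRequestProducer(Supplier<Principal> provider) { this.provider = provider; }

        Principal produce() { return provider.get(); }
    }

    // The contextual-proxy pattern: one proxy, created once per class loader,
    // whose every call is forwarded to the *current* principal. It exposes
    // Principal and, if the MP JWT API is loadable through that loader,
    // JsonWebToken too ("try { add if can load } catch { ignore }").
    static Principal contextualPrincipalProxy(ClassLoader loader) {
        List<Class<?>> apis = new ArrayList<>();
        apis.add(Principal.class);
        try {
            apis.add(loader.loadClass("org.eclipse.microprofile.jwt.JsonWebToken"));
        } catch (ClassNotFoundException ignored) {
            // MP JWT API not on this loader: the proxy is a plain Principal
        }
        InvocationHandler forwardToCurrent = (proxy, method, args) -> {
            Principal target = currentPrincipal();
            if (!method.getDeclaringClass().isInstance(target)) {
                // e.g. a JsonWebToken method while the caller is a plain container Principal
                throw new IllegalStateException("current principal is not a "
                        + method.getDeclaringClass().getSimpleName());
            }
            return method.invoke(target, args);
        };
        return (Principal) Proxy.newProxyInstance(
                loader, apis.toArray(new Class<?>[0]), forwardToCurrent);
    }

    // Two requests handled one after the other on the same worker thread; the
    // returned names are what the second request (bob) sees from each strategy.
    static String[] simulate() {
        Supplier<Principal> provider = PrincipalInjectionDemo::currentPrincipal;
        CachingProducer caching = new CachingProducer(provider);
        PerRequestProducer perRequest = new PerRequestProducer(provider);
        Principal proxy = contextualPrincipalProxy(PrincipalInjectionDemo.class.getClassLoader());

        CURRENT.set(() -> "alice");   // request 1: authenticated as alice
        caching.produce().getName();  // first injection populates the cached field
        perRequest.produce().getName();
        proxy.getName();

        CURRENT.set(() -> "bob");     // request 2: same thread, authenticated as bob
        String[] seenByBob = {
            caching.produce().getName(),     // "alice": leaked from request 1
            perRequest.produce().getName(),  // "bob"
            proxy.getName(),                 // "bob"
        };
        CURRENT.remove();
        return seenByBob;
    }

    public static void main(String[] args) {
        String[] r = simulate();
        System.out.println("cached producer  -> " + r[0]);
        System.out.println("per-request      -> " + r[1]);
        System.out.println("contextual proxy -> " + r[2]);
    }
}
```

Run with `java PrincipalInjectionDemo.java` (JDK 11 or later): only the cached producer reports `alice` for bob's request, which is the cross-request leak the thread calls a security issue.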

Re: MicroProfile JWT 1.1

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Yes,

I think that the current state of the TCK is actually wrong. Look here:
https://github.com/eclipse/microprofile-jwt-auth/issues/118

And also from the spec:
MicroProfile JWT implementations are required to throw a `DeploymentException` when given
a public key that cannot be parsed using either the standardly supported or
vendor-specific key formats.

My understanding of this is that the load / parsing of the key is part of the application deployment, so if you fail to load the key you should fail with DeploymentException. It doesn’t make sense to defer the loading of the key when you need it and then fail with the DeploymentException, when the application is already deployed.

Now, the issue is a chicken / egg. The TCK test exposes the key to load from an endpoint in the actual test app that we are testing. I believe the correct behaviour should be to have a separate test app that exposes the test keys and then have a separate app to test the behaviour.

I think we can implement our own tests like these and then contribute them back / fix the TCK.

Cheers,
Roberto

> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jo...@gmail.com> wrote:
> 
> Thanks for asking. There are 3 tests I can't get passing. These are the
> ones where the key is referred to by a HTTP url, which isn't available at
> deployment time where the keys are actually read. I spent quite a lot of
> time trying to make this happen later in lifecycle (like on first load, or
> something like that). I ended up getting lost in a complete maze of
> lambdas. I am stuck and in need of help. I think this class is the issue:
> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java,
> and this piece of functionality will probably need some design discussion
> to enable these tests to pass.
> 
> I had tried flipping the storage to Map<String,Supplier> with a supplier that
> does a lazy lookup and caches the value. The issue there is the JWKS keys,
> where you appear to get multiple keys in one file. Wrapping the whole thing in
> a supplier might work too - you'd effectively then have to run that logic on
> first login, or find something else that can trigger it.
> 
> Do you have any thoughts?
> 
> Jon
> 
> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <ra...@yahoo.com.invalid>
> wrote:
> 
>> Hi Jon,
>> 
>> I’ve seen you made some changes in your branch. What is the current
>> status? I would like to start pushing for MP 2.0 specs.
>> 
>> Cheers,
>> Roberto
>> 
>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallimore@gmail.com>
>>> wrote:
>>> 
>>> Was going to have another look at those tests over the next couple of
>> days.
>>> 
>>> Jon
>>> 
>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid>
>>> wrote:
>>> 
>>>> Hi Jon,
>>>> 
>>>> What is the status of this?
>>>> 
>>>> For the remaining failing tests, the issues are related with this:
>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>> 
>>>> I don’t think there is a way to fix it on our side, so we could just
>>>> ignore those specific methods and build a specific test for this with 2
>>>> apps deployment so we can reach the public key endpoint from the test.
>>>> Then we should be good to go with this!
>>>> 
>>>> Cheers,
>>>> Roberto
>>>> 
>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonteiro@tomitribe.com>
>>>>> wrote:
>>>>> 
>>>>> Ok, yes I see it.
>>>>> --
>>>>> Jean-Louis Monteiro
>>>>> http://twitter.com/jlouismonteiro
>>>>> http://www.tomitribe.com
>>>>> 
>>>>> 
>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <
>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>> 
>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
>>>>>>
>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>>>>>> 
>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <
>>>>>> jlmonteiro@tomitribe.com> wrote:
>>>>>> 
>>>>>>> Hey Jon,
>>>>>>> 
>>>>>>> I clicked on the link and the diff tab does not show any difference.
>>>>>>> Did you push?
>>>>>>> --
>>>>>>> Jean-Louis Monteiro
>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>> http://www.tomitribe.com
>>>>>>> 
>>>>>>> 
>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <
>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>> 
>>>>>>>> I now have the principal injection part of this working - thanks Romain
>>>>>>>> for your help and explanations. Progress is in my fork here:
>>>>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
>>>>>>>> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1).
>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing.
>>>>>>>> Any feedback is appreciated.
>>>>>>>> 
>>>>>>>> Jon
>>>>>>>> 
>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <
>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
>>>>>>>>> 
>>>>>>>>> Cheers
>>>>>>>>> 
>>>>>>>>> Jon
>>>>>>>>> 
>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a
>>>>>>>>>> short one here and shout if not enough: ManagedSecurityService in cdi
>>>>>>>>>> package of openejb-core must make the getCurrentPrincipal contextual so
>>>>>>>>>> hidden behind a proxy. The proxied API must be Principal and JsonWebToken
>>>>>>>>>> when available (try { add if can load } catch { ignore } works as
>>>>>>>>>> pattern). The proxy instance can be created once for all apps using the
>>>>>>>>>> container loader or per app using the app loader, avoiding leaks between
>>>>>>>>>> apps since the API can use different loaders.
>>>>>>>>>>
>>>>>>>>>> On Fri, 2 Nov 2018 14:44, Jonathan Gallimore <jonathan.gallimore@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I
>>>>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project
>>>>>>>>>>> (https://github.com/apache/geronimo-jwt-auth/pull/3), based on
>>>>>>>>>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
>>>>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my
>>>>>>>>>>> results attached). The geronimo-jwt-auth project doesn't touch TomEE at
>>>>>>>>>>> all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not
>>>>>>>>>>> modified the project config at all, so it is using the SecurityService
>>>>>>>>>>> code you previously posted. If this additional test were part of the
>>>>>>>>>>> MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth
>>>>>>>>>>> implementation would *not* pass the TCK.
>>>>>>>>>>>
>>>>>>>>>>> I posted this here as I originally found the issue when continuing
>>>>>>>>>>> Roberto's efforts, but this has probably contributed to some confusion.
>>>>>>>>>>> I would suggest we continue this over on the Geronimo and OWB lists to
>>>>>>>>>>> avoid further confusion.
>>>>>>>>>>>
>>>>>>>>>>> Jon
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibucau@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hi
>>>>>>>>>>>> 
>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
>>>>>>>>>>>> 
>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo
>>>>>>>>>>>> tck
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, 2 Nov 2018 10:42, Jonathan Gallimore <jonathan.gallimore@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue.
>>>>>>>>>>>>> Putting TomEE to one side for the moment, I am able to reproduce this
>>>>>>>>>>>>> in the Geronimo JWT auth library as well. This PR includes a test to
>>>>>>>>>>>>> show what I mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I can confirm that this change:
>>>>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that new test to
>>>>>>>>>>>>> pass.
>>>>>>>>>>>>>
>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or
>>>>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
>>>>>>>>>>>>> will most likely get the wrong principal because the instance is cached
>>>>>>>>>>>>> in a field in the org.apache.webbeans.portable.ProviderBasedProducer
>>>>>>>>>>>>> class, and that looks like a security issue.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibucau@gmail.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except
>>>>>>>>>>>>>> the principal which is broken anyway in CDI 1.x so guess this was not
>>>>>>>>>>>>>> fixed
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github
>>>>>>>>>>>>>> <https://github.com/rmannibucau> | LinkedIn
>>>>>>>>>>>>>> <https://www.linkedin.com/in/rmannibucau> | Book
>>>>>>>>>>>>>> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore
>>>>>>>>>>>>>> <jonathan.gallimore@gmail.com> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn the proxy *off*
>>>>>>>>>>>>>>> in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the
>>>>>>>>>>>>>>> wrong principal injected sometimes. Specifically, I get whatever is on the
>>>>>>>>>>>>>>> proxyInstance field here:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Should this line (line 66)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> not simply be:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> return provider.get();
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> as opposed to
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode is set
>>>>>>>>>>>>>>> to false. When proxy is true, this seems to work correctly (although I have
>>>>>>>>>>>>>>> other unrelated issues in TomEE).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me like
>>>>>>>>>>>>>>> that behaviour isn't quite right.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with
>>>>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift this to
>>>>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially as I ran into
>>>>>>>>>>>>>>> this while hacking on the JWT code.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <ra...@yahoo.com.invalid>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Please, go ahead. Let me know if you need anything. Thanks!
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallimore@gmail.com>
>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or is
>>>>>>>>>>>>>>>>> someone already working on this?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibucau@gmail.com>
>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal if
>>>>>>>>>>>>>>>>>> the jwt filter is correctly placed in the filter chain and we must
>>>>>>>>>>>>>>>>>> inherit from the request principal.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Thu, 27 Sep 2018 18:37, Roberto Cortez <radcortez@yahoo.com.invalid>
>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Yes, this one step.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We probably
>>>>>>>>>>>>>>>>>>> need to check first about the existence of a JWT Principal and then
>>>>>>>>>>>>>>>>>>> fall back to the Tomcat one. I think I know how to do it, I was just
>>>>>>>>>>>>>>>>>>> trying to broaden up the conversation about general integration with
>>>>>>>>>>>>>>>>>>> EE security.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibucau@gmail.com>
>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> OWB enables it - we did it in geronimo impl to pass tck of jwt auth
>>>>>>>>>>>>>>>>>>>> spec.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Wed, 26 Sep 2018 03:28, Roberto Cortez <ra...@yahoo.com.invalid>
>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT
>>>>>> implementation
>>>>>>>>>> from
>>>>>>>>>>>> 1.0
>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>> 1.1.
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> You can check it here:
>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173 <
>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173>
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I
>>>>>>>> have
>>>>>>>>>> to
>>>>>>>>>>>> fix
>>>>>>>>>>>>>>> and a
>>>>>>>>>>>>>>>>>>> few
>>>>>>>>>>>>>>>>>>>>> things that I would like to improve, but I think
>>>>>> the
>>>>>>>>>>>> majority
>>>>>>>>>>>>> of
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>> work
>>>>>>>>>>>>>>>>>>>>> is done.
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list
>>>>>>> about
>>>>>>>>>> how
>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>> integrate
>>>>>>>>>>>>>>>>>>>>> MP JWT with EE security:
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>> 
>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>>>>>>>>>>>>>>>>>>>>> <
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>> 
>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and
>>>>>>>> figure
>>>>>>>>>>>> out
>>>>>>>>>>>>> how
>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>> move
>>>>>>>>>>>>>>>>>>>>> forward.
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting
>>>>>> a
>>>>>>>> JWT
>>>>>>>>>>>>>> Principal
>>>>>>>>>>>>>>>>>> since
>>>>>>>>>>>>>>>>>>>>> it clashes with the predefined by CDI. Most likely,
>>>>>>> we
>>>>>>>>>> would
>>>>>>>>>>>>> need
>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>> plugin
>>>>>>>>>>>>>>>>>>>>> the JWT Principal lookup in TomcatSecurityService.
>>>>>>> I’m
>>>>>>>>>> not
>>>>>>>>>>>> sure
>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>> we
>>>>>>>>>>>>>>>>>>> want
>>>>>>>>>>>>>>>>>>>>> to do it in that way, or if we want to think in
>>>>>>>> something
>>>>>>>>>>>> else.
>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>> 
>>>> 
>> 
>> 
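
The field-cached Principal that this thread keeps coming back to (the proxyInstance field in ProviderBasedProducer, and Romain's later suggestion in the same thread of a contextual proxy over Principal plus JsonWebToken when it can be loaded), reduced to plain Java as an added illustration. This is not OWB's or TomEE's code: the ThreadLocal is a stand-in for the container's per-request principal, the three producer classes are mine, and the org.eclipse.microprofile.jwt.JsonWebToken class name is only probed, never required.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Supplier;

/**
 * Three producer shapes for an injected Principal, exercised across two "requests".
 * Only the first one hands request A's principal to request B.
 */
public final class PrincipalCachingDemo {

    /** Stand-in for the container's per-request principal (assumption; TomEE reads it from the request/security context). */
    static final ThreadLocal<Principal> REQUEST_PRINCIPAL = new ThreadLocal<>();

    /** The Provider the CDI producer delegates to. */
    static final Supplier<Principal> PROVIDER = REQUEST_PRINCIPAL::get;

    /** Unsafe shape: the first provider result is stored in a field and reused for every later injection. */
    static final class CachingProducer implements Supplier<Principal> {
        private Principal cached;

        @Override
        public Principal get() {
            if (cached == null) {
                cached = PROVIDER.get();
            }
            return cached;
        }
    }

    /** Safe shape: ask the provider on every call; nothing request-specific survives in a field. */
    static final class PerCallProducer implements Supplier<Principal> {
        @Override
        public Principal get() {
            return PROVIDER.get();
        }
    }

    /**
     * Also safe: cache a contextual proxy instead of the principal. Every method call on the proxy
     * resolves the current request's principal, so the cached object carries no user state.
     */
    static final class ContextualProxyProducer implements Supplier<Principal> {
        private final Principal proxy = (Principal) Proxy.newProxyInstance(
                PrincipalCachingDemo.class.getClassLoader(), proxiedApis(),
                (p, method, args) -> method.invoke(PROVIDER.get(), args));

        /** Principal always; JsonWebToken only if the MP JWT API can be loaded (the try/catch pattern from the thread). */
        static Class<?>[] proxiedApis() {
            List<Class<?>> apis = new ArrayList<>();
            apis.add(Principal.class);
            try {
                apis.add(Class.forName("org.eclipse.microprofile.jwt.JsonWebToken"));
            } catch (ClassNotFoundException notOnClasspath) {
                // MP JWT API absent: expose plain Principal only
            }
            return apis.toArray(new Class<?>[0]);
        }

        @Override
        public Principal get() {
            return proxy;
        }
    }

    /** One request: bind the authenticated user, resolve the injected Principal, unbind. */
    static String serve(Supplier<Principal> producer, String user) {
        REQUEST_PRINCIPAL.set(() -> user);
        try {
            return producer.get().getName();
        } finally {
            REQUEST_PRINCIPAL.remove();
        }
    }

    /** Two consecutive requests by different users against the same producer instance. */
    static List<String> twoRequests(Supplier<Principal> producer) {
        return Arrays.asList(serve(producer, "alice"), serve(producer, "bob"));
    }

    public static void main(String[] args) {
        System.out.println("caching producer : " + twoRequests(new CachingProducer()));
        System.out.println("per-call producer: " + twoRequests(new PerCallProducer()));
        System.out.println("proxy producer   : " + twoRequests(new ContextualProxyProducer()));
    }
}
```

Running main shows the caching producer answering alice for both requests, so the second request, authenticated as bob, runs with alice's identity; the per-call and proxy producers answer alice then bob. The proxy form is the one that survives being cached, because the cached object holds a lookup rather than a user. Its caveat: the interface list is fixed when the proxy is created, and invoking a JsonWebToken method while the current principal is not a JWT fails inside Method.invoke with an IllegalArgumentException rather than returning null, so callers that need JWT claims should check the bean type first.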


Re: MicroProfile JWT 1.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
Thanks for asking. There are 3 tests I can't get passing. These are the
ones where the key is referred to by an HTTP URL, which isn't available at
deployment time, which is when the keys are actually read. I spent quite a lot of
time trying to make this happen later in the lifecycle (like on first load, or
something like that). I ended up getting lost in a complete maze of
lambdas. I am stuck and in need of help. I think this class is the issue:
https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java,
and this piece of functionality will probably need some design discussion
to enable these tests to pass.

I had tried flipping the storage to Map<String,Supplier> with a supplier that
does a lazy lookup and caches the value. The issue there is the JWKS keys,
where you appear to get multiple keys in one file. Wrapping the whole thing in
a supplier might work too - you'd effectively then have to run that logic on
first login, or find something else that can trigger it.

Do you have any thoughts?

Jon

On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <ra...@yahoo.com.invalid>
wrote:

> Hi Jon,
>
> I’ve seen you made some changes in your branch. What is the current
> status? I would like to start pushing for MP 2.0 specs.
>
> Cheers,
> Roberto
>
> > On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >
> > Was going to have another look at those tests over the next couple of
> > days.
> >
> > Jon
> >
> > On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
> >
> >> Hi Jon,
> >>
> >> What is the status of this?
> >>
> >> For the remaining failing tests, the issues are related with this:
> >> https://github.com/eclipse/microprofile-jwt-auth/issues/118
> >>
> >> I don’t think there is a way to fix it on our side, so we could just
> >> ignore those specific methods and build a specific test for this with 2
> >> apps deployment so we can reach out to the public key endpoint from the test.
> >> Then we should be good to go with this!
> >>
> >> Cheers,
> >> Roberto
> >>
> >>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
> >>>
> >>> Ok, yes I see it.
> >>> --
> >>> Jean-Louis Monteiro
> >>> http://twitter.com/jlouismonteiro
> >>> http://www.tomitribe.com
> >>>
> >>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>
> >>>> The commits are showing for me (at the bottom). Here's the latest one:
> >>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
> >>>>
> >>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
> >>>>
> >>>>> Hey Jon,
> >>>>>
> >>>>> I clicked on the link and the diff tab does not show any difference.
> >>>>> Did you push?
> >>>>> --
> >>>>> Jean-Louis Monteiro
> >>>>> http://twitter.com/jlouismonteiro
> >>>>> http://www.tomitribe.com
> >>>>>
> >>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>
> >>>>>> I now have the principal injection part of this working - thanks Romain for
> >>>>>> your help and explanations. Progress is in my fork here:
> >>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
> >>>>>> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1 ).
> >>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing.
> >>>>>> Any feedback is appreciated.
> >>>>>>
> >>>>>> Jon
> >>>>>>
> >>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>
> >>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
> >>>>>>>
> >>>>>>> Cheers
> >>>>>>>
> >>>>>>> Jon
> >>>>>>>
> >>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a short
> >>>>>>>> one here and shout if not enough: ManagedSecurityService in the cdi package of
> >>>>>>>> openejb-core must make getCurrentPrincipal contextual, so hidden behind
> >>>>>>>> a proxy. The proxied API must be Principal and JsonWebToken when available
> >>>>>>>> (try { add if can load } catch { ignore } works as a pattern). The proxy
> >>>>>>>> instance can be created once for all apps using the container loader or per
> >>>>>>>> app using the app loader, avoiding leaks between apps since the API
> >>>>>>>> can use different loaders.
> >>>>>>>>
> >>>>>>>> On Fri, 2 Nov 2018 at 14:44, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I
> >>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project (
> >>>>>>>>> https://github.com/apache/geronimo-jwt-auth/pull/3), based on
> >>>>>>>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
> >>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my results
> >>>>>>>>> attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it
> >>>>>>>>> uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified
> >>>>>>>>> the project config at all, so it is using the SecurityService code you
> >>>>>>>>> previously posted. If this additional test were part of the MicroProfile
> >>>>>>>>> JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation
> >>>>>>>>> would *not* pass the TCK.
> >>>>>>>>>
> >>>>>>>>> I posted this here as I originally found the issue when continuing
> >>>>>>>>> Roberto's efforts, but this has probably contributed to some confusion. I
> >>>>>>>>> would suggest we continue this over on the Geronimo and OWB lists to avoid
> >>>>>>>>> further confusion.
> >>>>>>>>>
> >>>>>>>>> Jon
> >>>>>>>>>
> >>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hi
> >>>>>>>>>>
> >>>>>>>>>> Yes this is an owb misconfiguration/integration
> >>>>>>>>>>
> >>>>>>>>>> Geronimo is fine here so likely the tomee owb spi needs updating as in the
> >>>>>>>>>> geronimo tck
> >>>>>>>>>>
> >>>>>>>>>> On Fri, 2 Nov 2018 at 10:42, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue. Putting
> >>>>>>>>>>> TomEE to one side for the moment, I am able to reproduce this in the
> >>>>>>>>>>> Geronimo JWT auth library as well. This PR includes a test to show what I
> >>>>>>>>>>> mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
> >>>>>>>>>>>
> >>>>>>>>>>> I can confirm that this change:
> >>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that new test to
> >>>>>>>>>>> pass.
> >>>>>>>>>>>
> >>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or
> >>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
> >>>>>>>>>>> will most likely get the wrong principal because the instance is cached in a
> >>>>>>>>>>> field in the org.apache.webbeans.portable.ProviderBasedProducer class, and
> >>>>>>>>>>> that looks like a security issue.
> >>>>>>>>>>>
> >>>>>>>>>>> Jon
> >>>>>>>>>>>
> >>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Hi Jon,
> >>>>>>>>>>>>
> >>>>>>>>>>>> yes and no, the idea is to be fast and for all producers it works except
> >>>>>>>>>>>> the principal, which is broken anyway in CDI 1.x, so I guess this was not
> >>>>>>>>>>>> fixed
> >>>>>>>>>>>>
> >>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
> >>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> >>>>>>>>>>>>
> >>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> >>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
> >>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> >>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> >>>>>>>>>>>> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn the proxy *off*
> >>>>>>>>>>>>> in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the
> >>>>>>>>>>>>> wrong principal injected sometimes. Specifically, I get whatever is on
> >>>>>>>>>>>>> the proxyInstance field here:
> >>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Should this line (line 66)
> >>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
> >>>>>>>>>>>>> not simply be:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> return provider.get();
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> as opposed to
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> proxyInstance = provider.get(); ?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode is set
> >>>>>>>>>>>>> to false. When proxy is true, this seems to work correctly (although I have
> >>>>>>>>>>>>> other unrelated issues in TomEE).
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I can probably work around this some other way, but it seems to me like
> >>>>>>>>>>>>> that behaviour isn't quite right.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with
> >>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift this to
> >>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially as I ran into
> >>>>>>>>>>>>> this while hacking on the JWT code.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <ra...@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Please, go ahead. Let me know if you need anything. Thanks!
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or is
> >>>>>>>>>>>>>>> someone already working on this?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal if the
> >>>>>>>>>>>>>>>> jwt filter is correctly placed in the filter chain and we must inherit from
> >>>>>>>>>>>>>>>> the request principal.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On Thu, 27 Sept 2018 at 18:37, Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
> >>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Yes, this one step.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We probably need
> >>>>>>>>>>>>>>>>> to check first about the existence of a JWT Principal and then fall back to
> >>>>>>>>>>>>>>>>> the Tomcat one. I think I know how to do it, I was just trying to broaden
> >>>>>>>>>>>>>>>>> up the conversation about general integration with EE security.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>>>> Roberto
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> OWB enables us to do it - we did it in the geronimo impl to pass the tck of
> >>>>>>>>>>>>>>>>>> the jwt auth spec.
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> On Wed, 26 Sept 2018 at 03:28, Roberto Cortez <ra...@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> You can check it here:
> >>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I have to fix and a few
> >>>>>>>>>>>>>>>>>>> things that I would like to improve, but I think the majority of the work
> >>>>>>>>>>>>>>>>>>> is done.
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list about how to integrate
> >>>>>>>>>>>>>>>>>>> MP JWT with EE security:
> >>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how to move
> >>>>>>>>>>>>>>>>>>> forward.
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal since
> >>>>>>>>>>>>>>>>>>> it clashes with the one predefined by CDI. Most likely, we would need to
> >>>>>>>>>>>>>>>>>>> plug the JWT Principal lookup into TomcatSecurityService. I’m not sure if
> >>>>>>>>>>>>>>>>>>> we want to do it in that way, or if we want to think of something else.
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>>>>>> Roberto
>
>
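
Jon's "wrap the whole thing in a supplier" option, as an added example written for this page rather than code from the jwt-1.1 branch or ConfigurableJWTAuthContextInfo: the JWKS document is fetched on the first key lookup instead of at deployment, every key in the document is kept by kid (the multi-key case that broke the per-key Supplier map), and an unknown kid can trigger at most one throttled re-fetch. Assumptions: JSON-P (javax.json) is on the classpath, the Supplier<String> stands in for the HTTP GET of the configured key location, the sample JWKS is constructed from freshly generated key pairs, and the refresh floor is a parameter of my own, not anything the spec or TomEE defines.

```java
import java.io.StringReader;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.Supplier;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonObjectBuilder;

/** A JWKS source read on first use rather than at deployment, holding every key in the document. */
public final class LazyJwks {
    private final Supplier<String> fetch;   // assumption: in a deployment this is an HTTP GET of the JWKS URL
    private final long minRefreshMillis;    // floor between refreshes triggered by an unknown kid
    private Map<String, PublicKey> keys;    // null until the first resolve(): nothing is fetched at construction
    private long lastRefresh;

    public LazyJwks(Supplier<String> fetch, long minRefreshMillis) {
        this.fetch = fetch;
        this.minRefreshMillis = minRefreshMillis;
    }

    /** Key for a kid; an unknown kid may cause one re-fetch (rotation), never more often than the floor. */
    public synchronized Optional<PublicKey> resolve(String kid) {
        if (keys == null) {
            refresh();
        }
        PublicKey key = keys.get(kid);
        if (key == null && System.currentTimeMillis() - lastRefresh >= minRefreshMillis) {
            refresh();
            key = keys.get(kid);
        }
        return Optional.ofNullable(key);
    }

    private void refresh() {
        keys = parseJwks(fetch.get());   // a failed fetch or parse propagates: the token is rejected, not accepted
        lastRefresh = System.currentTimeMillis();
    }

    /** Every RSA key in a JWKS document, by kid; other key types are skipped rather than failing the set. */
    static Map<String, PublicKey> parseJwks(String json) {
        Map<String, PublicKey> out = new HashMap<>();
        JsonObject doc = Json.createReader(new StringReader(json)).readObject();
        for (JsonObject jwk : doc.getJsonArray("keys").getValuesAs(JsonObject.class)) {
            if (!"RSA".equals(jwk.getString("kty", ""))) {
                continue;
            }
            BigInteger n = new BigInteger(1, Base64.getUrlDecoder().decode(jwk.getString("n")));
            BigInteger e = new BigInteger(1, Base64.getUrlDecoder().decode(jwk.getString("e")));
            try {
                out.put(jwk.getString("kid"), KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e)));
            } catch (GeneralSecurityException ex) {
                throw new IllegalStateException("unusable JWK " + jwk.getString("kid", "?"), ex);
            }
        }
        return out;
    }

    // Constructed sample input: a two-key JWKS document built from freshly generated RSA key pairs.
    static String base64Url(BigInteger i) {
        byte[] b = i.toByteArray();
        if (b[0] == 0) {            // strip the sign byte; JWK carries the unsigned magnitude
            b = Arrays.copyOfRange(b, 1, b.length);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static JsonObjectBuilder jwk(String kid, RSAPublicKey pub) {
        return Json.createObjectBuilder().add("kty", "RSA").add("kid", kid)
                .add("n", base64Url(pub.getModulus())).add("e", base64Url(pub.getPublicExponent()));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair k1 = gen.generateKeyPair();
        KeyPair k2 = gen.generateKeyPair();
        String jwks = Json.createObjectBuilder().add("keys", Json.createArrayBuilder()
                .add(jwk("key-1", (RSAPublicKey) k1.getPublic()))
                .add(jwk("key-2", (RSAPublicKey) k2.getPublic()))).build().toString();

        int[] fetches = {0};
        LazyJwks source = new LazyJwks(() -> { fetches[0]++; return jwks; }, 60_000L);
        System.out.println("fetches before first lookup: " + fetches[0]);
        System.out.println("key-2 matches generated key: " + source.resolve("key-2").filter(k2.getPublic()::equals).isPresent());
        System.out.println("unknown kid present: " + source.resolve("no-such-kid").isPresent());
        System.out.println("fetches after lookups: " + fetches[0]);
    }
}
```

Deferring the read to first use is what lets a deployment succeed before the issuer's key endpoint is reachable; the price is that a token presented while that endpoint is down is rejected at request time instead of the application failing to deploy, which is the fail-closed side of the trade-off. The refresh floor matters for the same reason the thread calls the Principal caching a security issue: without it, a token carrying an attacker-chosen kid would turn every request into an outbound fetch of the JWKS URL.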

Re: MicroProfile JWT 1.1

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Hi Jon,

I’ve seen you made some changes in your branch. What is the current status? I would like to start pushing for MP 2.0 specs.

Cheers,
Roberto

> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jo...@gmail.com> wrote:
> 
> Was going to have another look at those tests over the next couple of days.
> 
> Jon
>>>>>> have
>>>>>>>> to
>>>>>>>>>> fix
>>>>>>>>>>>>> and a
>>>>>>>>>>>>>>>>> few
>>>>>>>>>>>>>>>>>>> things that I would like to improve, but I think
>>>> the
>>>>>>>>>> majority
>>>>>>>>>>> of
>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>> work
>>>>>>>>>>>>>>>>>>> is done.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list
>>>>> about
>>>>>>>> how
>>>>>>>>>> to
>>>>>>>>>>>>>>>> integrate
>>>>>>>>>>>>>>>>>>> MP JWT with EE security:
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>>>>>>>>>>>>>>>>>>> <
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and
>>>>>> figure
>>>>>>>>>> out
>>>>>>>>>>> how
>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>> move
>>>>>>>>>>>>>>>>>>> forward.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting
>>>> a
>>>>>> JWT
>>>>>>>>>>>> Principal
>>>>>>>>>>>>>>>> since
>>>>>>>>>>>>>>>>>>> it clashes with the predefined by CDI. Most likely,
>>>>> we
>>>>>>>> would
>>>>>>>>>>> need
>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>> plugin
>>>>>>>>>>>>>>>>>>> the JWT Principal lookup in TomcatSecurityService.
>>>>> I’m
>>>>>>>> not
>>>>>>>>>> sure
>>>>>>>>>>>> if
>>>>>>>>>>>>> we
>>>>>>>>>>>>>>>>> want
>>>>>>>>>>>>>>>>>>> to do it in that way, or if we want to think in
>>>>>> something
>>>>>>>>>> else.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>> 
>> 
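
The pattern the thread keeps returning to is a producer that keeps the first `provider.get()` result in a field (the `proxyInstance` assignment) instead of resolving the current principal on every injection or hiding the lookup behind a proxy. The following standalone Java program, added here as an illustration and not code from OpenWebBeans, TomEE or Geronimo, shows why that leaks one user's `Principal` into another user's request and contrasts it with the two contextual shapes discussed above. Every name in it (`PrincipalCachingDemo`, the thread-local request context, the `CachingProducer`/`ContextualProducer` classes, the users alice and bob) is hypothetical and constructed for the demo.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.function.Supplier;

/**
 * Added example, not OpenWebBeans/TomEE/Geronimo code; all names are hypothetical.
 * Contrasts a producer that caches the first resolved Principal in a field with
 * two contextual alternatives (resolve per call, or a proxy that resolves per method call).
 */
public class PrincipalCachingDemo {

    /** Minimal Principal implementation, constructed for the demo. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal(" + name + ")"; }
    }

    /** Stand-in for the per-request security context (a request-scoped bean in CDI). */
    static final ThreadLocal<Principal> CURRENT_REQUEST = new ThreadLocal<>();

    /** Stand-in for the Provider<Principal> a producer would delegate to. */
    static final Supplier<Principal> PROVIDER = CURRENT_REQUEST::get;

    /** The problematic shape: the first value returned by the provider is kept in a field. */
    static final class CachingProducer {
        private Principal cached;

        Principal produce() {
            if (cached == null) {
                cached = PROVIDER.get(); // whoever is authenticated on the first request wins
            }
            return cached;
        }
    }

    /** Fix 1: keep no state; ask the provider on every injection. */
    static final class ContextualProducer {
        Principal produce() {
            return PROVIDER.get();
        }
    }

    /** Fix 2: one shared proxy that resolves the current principal on every method call. */
    static Principal contextualProxy() {
        return (Principal) Proxy.newProxyInstance(
                PrincipalCachingDemo.class.getClassLoader(),
                new Class<?>[] {Principal.class},
                (proxy, method, args) -> {
                    Principal current = PROVIDER.get();
                    if (current == null) {
                        throw new IllegalStateException("no principal bound to the current request");
                    }
                    return method.invoke(current, args);
                });
    }

    /** Simulates one request authenticated as the given user, then clears the context. */
    static <T> T withRequest(String user, Supplier<T> body) {
        CURRENT_REQUEST.set(new NamedPrincipal(user));
        try {
            return body.get();
        } finally {
            CURRENT_REQUEST.remove();
        }
    }

    public static void main(String[] args) {
        CachingProducer caching = new CachingProducer();
        ContextualProducer contextual = new ContextualProducer();
        Principal proxy = contextualProxy(); // created once and shared, like an application-scoped bean

        String first = withRequest("alice", () -> caching.produce().getName());
        String leaked = withRequest("bob", () -> caching.produce().getName());
        String viaProducer = withRequest("bob", () -> contextual.produce().getName());
        String viaProxy = withRequest("bob", proxy::getName);

        System.out.println("caching producer, request 1 (alice): " + first);
        System.out.println("caching producer, request 2 (bob):   " + leaked);
        System.out.println("contextual producer, request 2:      " + viaProducer);
        System.out.println("contextual proxy, request 2:         " + viaProxy);
        if (!"bob".equals(leaked)) {
            System.out.println("LEAK: bob's request was handed " + leaked + "'s principal");
        }
    }
}
```

Run it with `java PrincipalCachingDemo.java` (single-file source launch, JDK 11 or later). The reviewer's takeaway is the one Jon raises in the thread: a producer that is reused across requests must never retain a request-bound object such as `Principal` in a field; either re-resolve it on each injection or hand out a proxy whose method calls resolve the current principal, which is what leaving the proxy enabled on `PrincipalBean` gives you.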


Re: MicroProfile JWT 1.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
Was going to have another look at those tests over the next couple of days.

Jon

On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcortez@yahoo.com.invalid
wrote:

> Hi Jon,
>
> What is the status of this?
>
> For the remaining failing tests, the issues are related to this:
> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>
> I don’t think there is a way to fix it on our side, so we could just
> ignore those specific methods and build a specific test for this with 2
> apps deployment so we can reach out to the public key endpoint from the test.
> Then we should be good to go with this!
>
> Cheers,
> Roberto

Re: MicroProfile JWT 1.1

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Hi Jon,

What is the status of this?

For the remaining failing tests, the issues are related to this:
https://github.com/eclipse/microprofile-jwt-auth/issues/118

I don’t think there is a way to fix it on our side, so we could just ignore those specific methods and build a specific test for this with 2 apps deployment so we can reach out to the public key endpoint from the test. Then we should be good to go with this!

Cheers,
Roberto

> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jl...@tomitribe.com> wrote:
> 
> Ok, yes I see it.
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
> 
> 


Re: MicroProfile JWT 1.1

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
Ok, yes I see it.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> The commits are showing for me (at the bottom). Here's the latest one:
>
> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>
> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <
> jlmonteiro@tomitribe.com> wrote:
>
> > Hey Jon,
> >
> > I clicked on the link and the diff tab does not show any difference.
> > Did you push?
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <
> > jonathan.gallimore@gmail.com> wrote:
> >
> > > I now have the principal injection part of this working - thanks Romain
> > for
> > > your help and explanations. Progress is in my fork here:
> > > https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
> > >
> > >
> >
> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1
> > > ).
> > > There are still a couple of TODOs to clean up, and 3 tests to get
> > passing.
> > > Any feedback is appreciated.
> > >
> > > Jon
> > >
> > > On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <
> > > jonathan.gallimore@gmail.com> wrote:
> > >
> > > > Yep, got it. Thanks for the feedback - makes sense now.
> > > >
> > > > Cheers
> > > >
> > > > Jon
> > > >
> > > > On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com
> > > wrote:
> > > >
> > > >> Answered hopefully "long enough" on dev@geronimo so will just do a
> > > short
> > > >> one here and shout if not enough: ManagedSecurityService in cdi
> > package
> > > of
> > > >> openejb-core must make the getCurrentPrincipal contextual so hidden
> > > behind
> > > >> a proxy. The proxied API must be Principal and JsonWebToken when
> > > available
> > > >> (try { add if can load } catch { ignore } works as pattern). The
> proxy
> > > >> instance can be created once for all app using the container loader
> or
> > > per
> > > >> app using the app loader and avoiding to leak between apps since the
> > API
> > > >> can use different loaders.
> > > >>
> > > >> Le ven. 2 nov. 2018 14:44, Jonathan Gallimore <
> > > >> jonathan.gallimore@gmail.com>
> > > >> a écrit :
> > > >>
> > > >> > Thanks for the reply, but I am confused by your response. The PR I
> > > >> > referenced adds a single test to the geronimo-jwt-auth project (
> > > >> > https://github.com/apache/geronimo-jwt-auth/pull/3), based on
> > > >> >
> > > org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
> > > >> > from the TCK. It fails at present (hopefully we agree on that - my
> > > >> results
> > > >> > attached). The geronimo-jwt-auth project doesn't touch TomEE at
> all
> > -
> > > it
> > > >> > uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not
> > > modified
> > > >> > the project config at all, so it is using the SecurityService code
> > you
> > > >> > previously posted. If this additional test were part of the
> > > MicroProfile
> > > >> > JWT TCK (and I'm going to propose it), the Geronimo JWT Auth
> > > >> implementation
> > > >> > would *not* pass the TCK.
> > > >> >
> > > >> > I posted this here as I originally found the issue when continuing
> > > >> > Roberto's efforts, but this has probably contributed to some
> > > confusion.
> > > >> I
> > > >> > would suggest we continue this over on the Geronimo and OWB lists
> to
> > > >> avoid
> > > >> > further confusion.
> > > >> >
> > > >> > Jon
> > > >> >
> > > >> > On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <
> > > >> rmannibucau@gmail.com>
> > > >> > wrote:
> > > >> >
> > > >> >> Hi
> > > >> >>
> > > >> >> Yes this is an owb misconfiguration/integration
> > > >> >>
> > > >> >> Geronimo is fine here so likely tomee owb spi to update as in
> > > geronimo
> > > >> tck
> > > >> >>
> > > >> >> Le ven. 2 nov. 2018 10:42, Jonathan Gallimore <
> > > >> >> jonathan.gallimore@gmail.com>
> > > >> >> a écrit :
> > > >> >>
> > > >> >> > Thanks for the reply. I am still sure there is some sort of
> > issue.
> > > >> >> Putting
> > > >> >> > TomEE to one side for the moment, I am able to reproduce this
> in
> > > the
> > > >> >> > Geronimo JWT auth library as well. This PR includes a test to
> > show
> > > >> what
> > > >> >> I
> > > >> >> > mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
> > > >> >> >
> > > >> >> > I can confirm that this change:
> > > >> >> > https://github.com/apache/openwebbeans/pull/12 enables that
> new
> > > >> test to
> > > >> >> > pass.
> > > >> >> >
> > > >> >> > In short, if you @Inject JsonWebToken, or individual claims, or
> > > >> >> > use @RolesAllowed, I think you're ok, but if you @Inject
> > Principal,
> > > >> you
> > > >> >> > will most likely get the wrong principal because the instance
> is
> > > >> cached
> > > >> >> in a
> > > >> >> > field in the org.apache.webbeans.portable.ProviderBasedProducer
> > > >> class,
> > > >> >> and
> > > >> >> > that looks like a security issue.
> > > >> >> >
> > > >> >> > Jon
> > > >> >> >
> > > >> >> > On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <
> > > >> >> rmannibucau@gmail.com>
> > > >> >> > wrote:
> > > >> >> >
> > > >> >> > > Hi Jon,
> > > >> >> > >
> > > >> >> > > yes and no, idea is to be fast and for all producers it works
> > > >> except
> > > >> >> the
> > > >> >> > > principal which is broken anyway in CDI 1.x so guess this was
> > not
> > > >> >> fixed
> > > >> >> > >
> > > >> >> > > in CDI 2 (tomee 8) we can impl it this way:
> > > >> >> > >
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >>
> > >
> >
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> > > >> >> > >
> > > >> >> > > Romain Manni-Bucau
> > > >> >> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > >> >> > > <https://rmannibucau.metawerx.net/> | Old Blog
> > > >> >> > > <http://rmannibucau.wordpress.com> | Github <
> > > >> >> > > https://github.com/rmannibucau> |
> > > >> >> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> > > >> >> > > <
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >>
> > >
> >
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> > > >> >> > > >
> > > >> >> > >
> > > >> >> > >
> > > >> >> > > Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore <
> > > >> >> > > jonathan.gallimore@gmail.com> a écrit :
> > > >> >> > >
> > > >> >> > > > Here's a question, probably for Mark or Romain. If I turn
> the
> > > >> proxy
> > > >> >> > *off*
> > > >> >> > > > in org.apache.webbeans.component.PrincipalBean, I'm finding
> > > that
> > > >> I
> > > >> >> get
> > > >> >> > > the
> > > >> >> > > > wrong principal injected sometimes. Specifically, I get the
> > > >> >> whatever is
> > > >> >> > > on
> > > >> >> > > > the proxyInstance field here:
> > > >> >> > > >
> > > >> >> > > >
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >>
> > >
> >
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> > > >> >> > > >
> > > >> >> > > > Should this line (line 66)
> > > >> >> > > >
> > > >> >> > > >
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >>
> > >
> >
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
> > > >> >> > > > ,
> > > >> >> > > > not simply be:
> > > >> >> > > >
> > > >> >> > > > return provider.get();
> > > >> >> > > >
> > > >> >> > > > as opposed to
> > > >> >> > > >
> > > >> >> > > > proxyInstance = provider.get(); ?
> > > >> >> > > >
> > > >> >> > > > That way, the proxyInstance field would never get set if
> > proxy
> > > >> mode
> > > >> >> is
> > > >> >> > > set
> > > >> >> > > > to false. When proxy is true, this seems to work correctly
> > > >> >> (although I
> > > >> >> > > have
> > > >> >> > > > other unrelated issues in TomEE).
> > > >> >> > > >
> > > >> >> > > > I can probably work around this some other way, but it
> seems
> > to
> > > >> me
> > > >> >> like
> > > >> >> > > > that behaviour isn't quite right.
> > > >> >> > > >
> > > >> >> > > > Trying to think of a way to test it - I can probably come
> up
> > > with
> > > >> >> > > > something, but I'd appreciate some pointers. Happy to shift
> > > this
> > > >> to
> > > >> >> > > > openwebbeans-dev, and submit a PR. Replying here initially
> > as I
> > > >> ran
> > > >> >> > into
> > > >> >> > > > this while hacking on the JWT code.
> > > >> >> > > >
> > > >> >> > > > Jon
> > > >> >> > > >
> > > >> >> > > > On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez
> > > >> >> > > > <ra...@yahoo.com.invalid>
> > > >> >> > > > wrote:
> > > >> >> > > >
> > > >> >> > > > > Please, go ahead. Let me know if you need anything. Thanks!
> > > >> >> > > > >
> > > >> >> > > > > > On 16 Oct 2018, at 21:53, Jonathan Gallimore <
> > > >> >> > > > > jonathan.gallimore@gmail.com> wrote:
> > > >> >> > > > > >
> > > >> >> > > > > > Any objection if I pick this up and have a go at the
> last
> > > >> >> tests, or
> > > >> >> > > is
> > > >> >> > > > > > someone already working on this?
> > > >> >> > > > > >
> > > >> >> > > > > > On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <
> > > >> >> > > > > rmannibucau@gmail.com>
> > > >> >> > > > > > wrote:
> > > >> >> > > > > >
> > > >> >> > > > > >> Yep this feature. Then it must work since we support
> > user
> > > >> >> > principal
> > > >> >> > > > if
> > > >> >> > > > > the
> > > >> >> > > > > >> jwt filter is correctly placed in the filter chain and
> we
> > > >> must
> > > >> >> > > inherit
> > > >> >> > > > > from
> > > >> >> > > > > >> the request principal.
> > > >> >> > > > > >>
> > > >> >> > > > > >> Le jeu. 27 sept. 2018 18:37, Roberto Cortez
> > > >> >> > > > <radcortez@yahoo.com.invalid
> > > >> >> > > > > >
> > > >> >> > > > > >> a
> > > >> >> > > > > >> écrit :
> > > >> >> > > > > >>
> > > >> >> > > > > >>> I guess you are referring to this, to remove the
> proxy?
> > > >> >> > > > > >>>
> > > >> >> > > > > >>>
> > > >> >> > > > > >>
> > > >> >> > > > >
> > > >> >> > > >
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >>
> > >
> >
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > > >> >> > > > > >>> <
> > > >> >> > > > > >>>
> > > >> >> > > > > >>
> > > >> >> > > > >
> > > >> >> > > >
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >>
> > >
> >
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > > >> >> > > > > >>>>
> > > >> >> > > > > >>>
> > > >> >> > > > > >>> Yes, this one step.
> > > >> >> > > > > >>>
> > > >> >> > > > > >>> By default, we do inject the generic Principal of
> > Tomcat.
> > > >> We
> > > >> >> > > probably
> > > >> >> > > > > >> need
> > > >> >> > > > > >>> to check first about the existence of a JWT Principal
> > and
> > > >> then
> > > >> >> > > > fallback
> > > >> >> > > > > >> to
> > > >> >> > > > > >>> the Tomcat one. I think I know how to do it, I was
> just
> > > >> >> trying to
> > > >> >> > > > > broaden
> > > >> >> > > > > >>> up the conversation about general integration with EE
> > > >> >> security.
> > > >> >> > > > > >>>
> > > >> >> > > > > >>> Cheers,
> > > >> >> > > > > >>> Roberto
> > > >> >> > > > > >>>
> > > >> >> > > > > >>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <
> > > >> >> > > rmannibucau@gmail.com
> > > >> >> > > > >
> > > >> >> > > > > >>> wrote:
> > > >> >> > > > > >>>>
> > > >> >> > > > > >>>> OWB enable to do it - we did it in geronimo impl to
> > pass
> > > >> tck
> > > >> >> of
> > > >> >> > > jwt
> > > >> >> > > > > >> auth
> > > >> >> > > > > >>>> spec.
> > > >> >> > > > > >>>>
> > > >> >> > > > > >>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez
> > > >> >> > > > > >> <ra...@yahoo.com.invalid>
> > > >> >> > > > > >>> a
> > > >> >> > > > > >>>> écrit :
> > > >> >> > > > > >>>>
> > > >> >> > > > > >>>>> Hi,
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>>> I’ve done some work to push our MP JWT
> implementation
> > > >> from
> > > >> >> 1.0
> > > >> >> > to
> > > >> >> > > > > 1.1.
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>>> You can check it here:
> > > >> >> > > > > >>>>> https://github.com/apache/tomee/pull/173 <
> > > >> >> > > > > >>>>> https://github.com/apache/tomee/pull/173>
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>>> There are still a couple of tests in the TCK that I
> > > have
> > > >> to
> > > >> >> fix
> > > >> >> > > > and a
> > > >> >> > > > > >>> few
> > > >> >> > > > > >>>>> things that I would like to improve, but I think
> the
> > > >> >> majority
> > > >> >> > of
> > > >> >> > > > the
> > > >> >> > > > > >>> work
> > > >> >> > > > > >>>>> is done.
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>>> Some time ago, there was a discussion in the list
> > about
> > > >> how
> > > >> >> to
> > > >> >> > > > > >> integrate
> > > >> >> > > > > >>>>> MP JWT with EE security:
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>
> > > >> >> > > > > >>
> > > >> >> > > > >
> > > >> >> > > >
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >>
> > >
> >
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > > >> >> > > > > >>>>> <
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>
> > > >> >> > > > > >>
> > > >> >> > > > >
> > > >> >> > > >
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >>
> > >
> >
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > > >> >> > > > > >>>>>>
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>>> I believe we need to revisit that conversation and
> > > figure
> > > >> >> out
> > > >> >> > how
> > > >> >> > > > to
> > > >> >> > > > > >>> move
> > > >> >> > > > > >>>>> forward.
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>>> Right now for instance, we don’t support injecting
> a
> > > JWT
> > > >> >> > > Principal
> > > >> >> > > > > >> since
> > > >> >> > > > > >>>>> it clashes with the predefined by CDI. Most likely,
> > we
> > > >> would
> > > >> >> > need
> > > >> >> > > > to
> > > >> >> > > > > >>> plugin
> > > >> >> > > > > >>>>> the JWT Principal lookup in TomcatSecurityService.
> > I’m
> > > >> not
> > > >> >> sure
> > > >> >> > > if
> > > >> >> > > > we
> > > >> >> > > > > >>> want
> > > >> >> > > > > >>>>> to do it in that way, or if we want to think in
> > > something
> > > >> >> else.
> > > >> >> > > > > >>>>>
> > > >> >> > > > > >>>>> Cheers,
> > > >> >> > > > > >>>>> Roberto
> > > >> >> > > > > >>>
> > > >> >> > > > > >>>
> > > >> >> > > > > >>
> > > >> >> > > > >
> > > >> >> > > > >
> > > >> >> > > >
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >> >
> > > >>
> > > >
> > >
> >
>
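The caching problem in the quoted ProviderBasedProducer discussion above, shown as an added Java illustration that is not OWB, Geronimo or TomEE code: a hypothetical `CachingProducer` models the field-caching behaviour Jon describes (first `provider.get()` result kept in a field and handed to every later request), `DelegatingProducer` is the `return provider.get();` alternative he proposes, and `contextualProxy` sketches Romain's suggestion of hiding the current-principal lookup behind a `java.lang.reflect.Proxy` over `Principal` plus `JsonWebToken` when that interface can be loaded. The `ThreadLocal` standing in for the container's per-request security context, and the `NamedPrincipal` class, are assumptions of the example.

```java
// Added illustration of the principal-caching issue discussed in the thread.
// Not OWB, Geronimo or TomEE source; the producers below are modelled on the
// behaviour described in the messages, not copied from ProviderBasedProducer.
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.Objects;
import java.util.function.Supplier;

public class PrincipalCachingDemo {

    /** Hypothetical stand-in for the container's per-request security context. */
    static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();

    /** Minimal Principal used for the constructed sample requests. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public String toString() { return "Principal[" + name + "]"; }
    }

    /** Models the behaviour Jon describes when proxying is off: the first value the
     *  provider returns is stored in a field and reused for every later request. */
    static final class CachingProducer {
        private final Supplier<Principal> provider;
        private Principal cachedInstance;   // plays the role of the "proxyInstance" field
        CachingProducer(Supplier<Principal> provider) { this.provider = provider; }
        Principal produce() {
            if (cachedInstance == null) {
                cachedInstance = provider.get();
            }
            return cachedInstance;
        }
    }

    /** The "return provider.get();" alternative: resolve the principal on every call. */
    static final class DelegatingProducer {
        private final Supplier<Principal> provider;
        DelegatingProducer(Supplier<Principal> provider) { this.provider = provider; }
        Principal produce() { return provider.get(); }
    }

    /** Contextual proxy in the spirit of Romain's suggestion: the injected object is a
     *  dynamic proxy that resolves the real Principal on each method call. The optional
     *  JsonWebToken interface is added only if it is on the class path
     *  ("try { add if can load } catch { ignore }"). */
    static Principal contextualProxy(Supplier<Principal> provider) {
        Class<?>[] apis;
        try {
            Class<?> jwt = Class.forName("org.eclipse.microprofile.jwt.JsonWebToken");
            apis = new Class<?>[] { Principal.class, jwt };
        } catch (ClassNotFoundException ignored) {
            apis = new Class<?>[] { Principal.class };
        }
        InvocationHandler handler = (proxy, method, methodArgs) -> {
            Principal target = provider.get();
            if (target == null) {
                throw new IllegalStateException("no principal bound to the current request");
            }
            return method.invoke(target, methodArgs);
        };
        return (Principal) Proxy.newProxyInstance(
                PrincipalCachingDemo.class.getClassLoader(), apis, handler);
    }

    public static void main(String[] args) {
        Supplier<Principal> provider = CURRENT::get;
        CachingProducer caching = new CachingProducer(provider);
        DelegatingProducer delegating = new DelegatingProducer(provider);
        Principal proxy = contextualProxy(provider);

        // Constructed sample: two sequential requests on one thread, for different users.
        for (String user : new String[] { "alice", "bob" }) {
            CURRENT.set(new NamedPrincipal(user));
            System.out.printf("request for %-5s caching=%-6s delegating=%-6s proxy=%s%n",
                    user, caching.produce().getName(),
                    delegating.produce().getName(), proxy.getName());
            CURRENT.remove();
        }
    }
}
```

Running `main` shows the difference the thread is about: the caching producer keeps answering with the first request's principal on the second request, while the delegating producer and the contextual proxy follow whatever is bound to the current request. The proxy variant is what lets a single injected instance be shared across an application without that cross-request leakage, which is the point of making `getCurrentPrincipal` contextual in the quoted advice.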

Re: MicroProfile JWT 1.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
The commits are showing for me (at the bottom). Here's the latest one:
https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345

On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <
jlmonteiro@tomitribe.com> wrote:

> Hey Jon,
>
> I clicked on the link and the diff tab does not show any difference.
> Did you push?
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <
> jonathan.gallimore@gmail.com> wrote:
>
> > I now have the principal injection part of this working - thanks Romain
> for
> > your help and explanations. Progress is in my fork here:
> > https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
> >
> >
> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1
> > ).
> > There are still a couple of TODOs to clean up, and 3 tests to get
> passing.
> > Any feedback is appreciated.
> >
> > Jon
> >
> > On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <
> > jonathan.gallimore@gmail.com> wrote:
> >
> > > Yep, got it. Thanks for the feedback - makes sense now.
> > >
> > > Cheers
> > >
> > > Jon
> > >
> > > On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com
> > wrote:
> > >
> > >> Answered hopefully "long enough" on dev@geronimo so will just do a
> > short
> > >> one here and shout if not enough: ManagedSecurityService in cdi
> package
> > of
> > >> openejb-core must make the getCurrentPrincipal contextual so hidden
> > behind
> > >> a proxy. The proxied API must be Principal and JsonWebToken when
> > available
> > >> (try { add if can load } catch { ignore } works as pattern). The proxy
> > >> instance can be created once for all app using the container loader or
> > per
> > >> app using the app loader and avoiding to leak between apps since the
> API
> > >> can use different loaders.
> > >>
> > >> Le ven. 2 nov. 2018 14:44, Jonathan Gallimore <
> > >> jonathan.gallimore@gmail.com>
> > >> a écrit :
> > >>
> > >> > Thanks for the reply, but I am confused by your response. The PR I
> > >> > referenced adds a single test to the geronimo-jwt-auth project (
> > >> > https://github.com/apache/geronimo-jwt-auth/pull/3), based on
> > >> >
> > org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
> > >> > from the TCK. It fails at present (hopefully we agree on that - my
> > >> results
> > >> > attached). The geronimo-jwt-auth project doesn't touch TomEE at all
> -
> > it
> > >> > uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not
> > modified
> > >> > the project config at all, so it is using the SecurityService code
> you
> > >> > previously posted. If this additional test were part of the
> > MicroProfile
> > >> > JWT TCK (and I'm going to propose it), the Geronimo JWT Auth
> > >> implementation
> > >> > would *not* pass the TCK.
> > >> >
> > >> > I posted this here as I originally found the issue when continuing
> > >> > Roberto's efforts, but this has probably contributed to some
> > confusion.
> > >> I
> > >> > would suggest we continue this over on the Geronimo and OWB lists to
> > >> avoid
> > >> > further confusion.
> > >> >
> > >> > Jon
> > >> >
> > >> > On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <
> > >> rmannibucau@gmail.com>
> > >> > wrote:
> > >> >
> > >> >> Hi
> > >> >>
> > >> >> Yes this is an owb misconfiguration/integration
> > >> >>
> > >> >> Geronimo is fine here so likely tomee owb spi to update as in
> > geronimo
> > >> tck
> > >> >>
> > >> >> Le ven. 2 nov. 2018 10:42, Jonathan Gallimore <
> > >> >> jonathan.gallimore@gmail.com>
> > >> >> a écrit :
> > >> >>
> > >> >> > Thanks for the reply. I am still sure there is some sort of
> issue.
> > >> >> Putting
> > >> >> > TomEE to one side for the moment, I am able to reproduce this in
> > the
> > >> >> > Geronimo JWT auth library as well. This PR includes a test to
> show
> > >> what
> > >> >> I
> > >> >> > mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
> > >> >> >
> > >> >> > I can confirm that this change:
> > >> >> > https://github.com/apache/openwebbeans/pull/12 enables that new
> > >> test to
> > >> >> > pass.
> > >> >> >
> > >> >> > In short, if you @Inject JsonWebToken, or individual claims, or
> > >> >> > use @RolesAllowed, I think you're ok, but if you @Inject
> Principal,
> > >> you
> > >> >> > will most likely get the wrong principal because the instance is
> > >> cached
> > >> >> in a
> > >> >> > field in the org.apache.webbeans.portable.ProviderBasedProducer
> > >> class,
> > >> >> and
> > >> >> > that looks like a security issue.
> > >> >> >
> > >> >> > Jon
> > >> >> >
> > >> >> > On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <
> > >> >> rmannibucau@gmail.com>
> > >> >> > wrote:
> > >> >> >
> > >> >> > > Hi Jon,
> > >> >> > >
> > >> >> > > yes and no, idea is to be fast and for all producers it works
> > >> except
> > >> >> the
> > >> >> > > principal which is broken anyway in CDI 1.x so guess this was
> not
> > >> >> fixed
> > >> >> > >
> > >> >> > > in CDI 2 (tomee 8) we can impl it this way:
> > >> >> > >
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> > >> >> > >
> > >> >> > > Romain Manni-Bucau
> > >> >> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > >> >> > > <https://rmannibucau.metawerx.net/> | Old Blog
> > >> >> > > <http://rmannibucau.wordpress.com> | Github <
> > >> >> > > https://github.com/rmannibucau> |
> > >> >> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> > >> >> > > <
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> > >> >> > > >
> > >> >> > >
> > >> >> > >
> > >> >> > > Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore <
> > >> >> > > jonathan.gallimore@gmail.com> a écrit :
> > >> >> > >
> > >> >> > > > Here's a question, probably for Mark or Romain. If I turn the
> > >> proxy
> > >> >> > *off*
> > >> >> > > > in org.apache.webbeans.component.PrincipalBean, I'm finding
> > that
> > >> I
> > >> >> get
> > >> >> > > the
> > >> >> > > > wrong principal injected sometimes. Specifically, I get the
> > >> >> whatever is
> > >> >> > > on
> > >> >> > > > the proxyInstance field here:
> > >> >> > > >
> > >> >> > > >
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> > >> >> > > >
> > >> >> > > > Should this line (line 66)
> > >> >> > > >
> > >> >> > > >
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
> > >> >> > > > ,
> > >> >> > > > not simply be:
> > >> >> > > >
> > >> >> > > > return provider.get();
> > >> >> > > >
> > >> >> > > > as opposed to
> > >> >> > > >
> > >> >> > > > proxyInstance = provider.get(); ?
> > >> >> > > >
> > >> >> > > > That way, the proxyInstance field would never get set if
> proxy
> > >> mode
> > >> >> is
> > >> >> > > set
> > >> >> > > > to false. When proxy is true, this seems to work correctly
> > >> >> (although I
> > >> >> > > have
> > >> >> > > > other unrelated issues in TomEE).
> > >> >> > > >
> > >> >> > > > I can probably work around this some other way, but it seems
> to
> > >> me
> > >> >> like
> > >> >> > > > that behaviour isn't quite right.
> > >> >> > > >
> > >> >> > > > Trying to think of a way to test it - I can probably come up
> > with
> > >> >> > > > something, but I'd appreciate some pointers. Happy to shift
> > this
> > >> to
> > >> >> > > > openwebbeans-dev, and submit a PR. Replying here initially
> as I
> > >> ran
> > >> >> > into
> > >> >> > > > this while hacking on the JWT code.
> > >> >> > > >
> > >> >> > > > Jon
> > >> >> > > >
> > >> >> > > > On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez
> > >> >> > > > <ra...@yahoo.com.invalid>
> > >> >> > > > wrote:
> > >> >> > > >
> > >> >> > > > > Please, go ahead. Let me know if you need anything. Thanks!
> > >> >> > > > >
> > >> >> > > > > > On 16 Oct 2018, at 21:53, Jonathan Gallimore <
> > >> >> > > > > jonathan.gallimore@gmail.com> wrote:
> > >> >> > > > > >
> > >> >> > > > > > Any objection if I pick this up and have a go at the last
> > >> >> tests, or
> > >> >> > > is
> > >> >> > > > > > someone already working on this?
> > >> >> > > > > >
> > >> >> > > > > > On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <
> > >> >> > > > > rmannibucau@gmail.com>
> > >> >> > > > > > wrote:
> > >> >> > > > > >
> > >> >> > > > > >> Yep this feature. Then it must work since we support
> user
> > >> >> > principal
> > >> >> > > > if
> > >> >> > > > > the
> > >> >> > > > > >> jwt filter is correctly placed in the filter chain and we
> > >> must
> > >> >> > > inherit
> > >> >> > > > > from
> > >> >> > > > > >> the request principal.
> > >> >> > > > > >>
> > >> >> > > > > >> Le jeu. 27 sept. 2018 18:37, Roberto Cortez
> > >> >> > > > <radcortez@yahoo.com.invalid
> > >> >> > > > > >
> > >> >> > > > > >> a
> > >> >> > > > > >> écrit :
> > >> >> > > > > >>
> > >> >> > > > > >>> I guess you are referring to this, to remove the proxy?
> > >> >> > > > > >>>
> > >> >> > > > > >>>
> > >> >> > > > > >>
> > >> >> > > > >
> > >> >> > > >
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > >> >> > > > > >>> <
> > >> >> > > > > >>>
> > >> >> > > > > >>
> > >> >> > > > >
> > >> >> > > >
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > >> >> > > > > >>>>
> > >> >> > > > > >>>
> > >> >> > > > > >>> Yes, this one step.
> > >> >> > > > > >>>
> > >> >> > > > > >>> By default, we do inject the generic Principal of
> Tomcat.
> > >> We
> > >> >> > > probably
> > >> >> > > > > >> need
> > >> >> > > > > >>> to check first about the existence of a JWT Principal
> and
> > >> then
> > >> >> > > > fallback
> > >> >> > > > > >> to
> > >> >> > > > > >>> the Tomcat one. I think I know how to do it, I was just
> > >> >> trying to
> > >> >> > > > > broaden
> > >> >> > > > > >>> up the conversation about general integration with EE
> > >> >> security.
> > >> >> > > > > >>>
> > >> >> > > > > >>> Cheers,
> > >> >> > > > > >>> Roberto
> > >> >> > > > > >>>
> > >> >> > > > > >>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <
> > >> >> > > rmannibucau@gmail.com
> > >> >> > > > >
> > >> >> > > > > >>> wrote:
> > >> >> > > > > >>>>
> > >> >> > > > > >>>> OWB enable to do it - we did it in geronimo impl to
> pass
> > >> tck
> > >> >> of
> > >> >> > > jwt
> > >> >> > > > > >> auth
> > >> >> > > > > >>>> spec.
> > >> >> > > > > >>>>
> > >> >> > > > > >>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez
> > >> >> > > > > >> <ra...@yahoo.com.invalid>
> > >> >> > > > > >>> a
> > >> >> > > > > >>>> écrit :
> > >> >> > > > > >>>>
> > >> >> > > > > >>>>> Hi,
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>>> I’ve done some work to push our MP JWT implementation
> > >> from
> > >> >> 1.0
> > >> >> > to
> > >> >> > > > > 1.1.
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>>> You can check it here:
> > >> >> > > > > >>>>> https://github.com/apache/tomee/pull/173 <
> > >> >> > > > > >>>>> https://github.com/apache/tomee/pull/173>
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>>> There are still a couple of tests in the TCK that I
> > have
> > >> to
> > >> >> fix
> > >> >> > > > and a
> > >> >> > > > > >>> few
> > >> >> > > > > >>>>> things that I would like to improve, but I think the
> > >> >> majority
> > >> >> > of
> > >> >> > > > the
> > >> >> > > > > >>> work
> > >> >> > > > > >>>>> is done.
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>>> Some time ago, there was a discussion in the list
> about
> > >> how
> > >> >> to
> > >> >> > > > > >> integrate
> > >> >> > > > > >>>>> MP JWT with EE security:
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>
> > >> >> > > > > >>
> > >> >> > > > >
> > >> >> > > >
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > >> >> > > > > >>>>> <
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>
> > >> >> > > > > >>
> > >> >> > > > >
> > >> >> > > >
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > >> >> > > > > >>>>>>
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>>> I believe we need to revisit that conversation and
> > figure
> > >> >> out
> > >> >> > how
> > >> >> > > > to
> > >> >> > > > > >>> move
> > >> >> > > > > >>>>> forward.
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>>> Right now for instance, we don’t support injecting a
> > JWT
> > >> >> > > Principal
> > >> >> > > > > >> since
> > >> >> > > > > >>>>> it clashes with the predefined by CDI. Most likely,
> we
> > >> would
> > >> >> > need
> > >> >> > > > to
> > >> >> > > > > >>> plugin
> > >> >> > > > > >>>>> the JWT Principal lookup in TomcatSecurityService.
> I’m
> > >> not
> > >> >> sure
> > >> >> > > if
> > >> >> > > > we
> > >> >> > > > > >>> want
> > >> >> > > > > >>>>> to do it in that way, or if we want to think in
> > something
> > >> >> else.
> > >> >> > > > > >>>>>
> > >> >> > > > > >>>>> Cheers,
> > >> >> > > > > >>>>> Roberto
> > >> >> > > > > >>>
> > >> >> > > > > >>>
> > >> >> > > > > >>
> > >> >> > > > >
> > >> >> > > > >
> > >> >> > > >
> > >> >> > >
> > >> >> >
> > >> >>
> > >> >
> > >>
> > >
> >
>

Re: MicroProfile JWT 1.1

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
Hey Jon,

I clicked on the link and the diff tab does not show any difference.
Did you push?
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> I now have the principal injection part of this working - thanks Romain for
> your help and explanations. Progress is in my fork here:
> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
>
> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1
> ).
> There are still a couple of TODOs to clean up, and 3 tests to get passing.
> Any feedback is appreciated.
>
> Jon

Re: MicroProfile JWT 1.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
I now have the principal injection part of this working - thanks Romain for
your help and explanations. Progress is in my fork here:
https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1).
There are still a couple of TODOs to clean up, and 3 tests to get passing.
Any feedback is appreciated.

Jon

On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> Yep, got it. Thanks for the feedback - makes sense now.
>
> Cheers
>
> Jon
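
The principal caching problem discussed in this thread, as an added example that is not code from OWB, TomEE or Geronimo: a producer that keeps the first Principal it obtains in a field (the pattern Jon describes for the proxyInstance field) hands the first request's identity to every later request, while a contextual proxy that resolves the current principal on every call (the approach Romain suggests) does not. The class names NaiveCachingProducer, ContextualPrincipalProducer, ContextualPrincipalProxy and RequestContext are hypothetical, and the request context is simulated with a ThreadLocal rather than a real container.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Added example, not code from OWB, TomEE or Geronimo. All class names are hypothetical.
public class PrincipalInjectionDemo {

    // Stand-in for the container's notion of "the principal of the request being served".
    // A real SecurityService would look this up from the request; a ThreadLocal is enough
    // to simulate two requests handled one after the other on the same thread.
    static final class RequestContext {
        private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();
        static void enter(String user) { CURRENT.set(() -> user); }
        static void exit() { CURRENT.remove(); }
        static Principal current() {
            Principal p = CURRENT.get();
            if (p == null) throw new IllegalStateException("no active request");
            return p;
        }
    }

    // The broken pattern: the first instance the provider returns is kept in a field and
    // reused for every later injection, so a later request observes an earlier user's identity.
    static final class NaiveCachingProducer {
        private final Supplier<Principal> provider = RequestContext::current;
        private Principal proxyInstance; // mirrors the cached field described in the thread
        Principal produce() {
            if (proxyInstance == null) {
                proxyInstance = provider.get();
            }
            return proxyInstance;
        }
    }

    // The fixed pattern: the injected object is a proxy that is safe to create once,
    // because every call on it is delegated to the principal of the current request.
    static final class ContextualPrincipalProducer {
        private final Principal proxy = ContextualPrincipalProxy.create();
        Principal produce() { return proxy; }
    }

    static final class ContextualPrincipalProxy implements InvocationHandler {
        // Proxy java.security.Principal, and JsonWebToken too when the MP JWT API can be
        // loaded (the "try { add if can load } catch { ignore }" pattern from the thread).
        static Principal create() {
            List<Class<?>> apis = new ArrayList<>();
            apis.add(Principal.class);
            try {
                apis.add(Class.forName("org.eclipse.microprofile.jwt.JsonWebToken"));
            } catch (ClassNotFoundException ignored) {
                // MP JWT API not on the classpath: expose plain Principal only
            }
            return (Principal) Proxy.newProxyInstance(
                    ContextualPrincipalProxy.class.getClassLoader(),
                    apis.toArray(new Class<?>[0]),
                    new ContextualPrincipalProxy());
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            if (method.getDeclaringClass() == Object.class) {
                return method.invoke(this, args); // hashCode/equals/toString answered by the handler
            }
            // Resolved on every call and never cached: this is what makes the proxy contextual.
            return method.invoke(RequestContext.current(), args);
        }
    }

    // Serve two requests as different users through the same producer and report the
    // principal name that the second request ends up with.
    static String nameSeenBySecondRequest(Supplier<Principal> producer) {
        RequestContext.enter("alice");
        producer.get().getName(); // first injection; the naive producer caches it here
        RequestContext.exit();
        RequestContext.enter("bob");
        try {
            return producer.get().getName();
        } finally {
            RequestContext.exit();
        }
    }

    public static void main(String[] args) {
        NaiveCachingProducer naive = new NaiveCachingProducer();
        ContextualPrincipalProducer fixed = new ContextualPrincipalProducer();
        System.out.println("naive producer, second request sees: "
                + nameSeenBySecondRequest(naive::produce));
        System.out.println("contextual proxy, second request sees: "
                + nameSeenBySecondRequest(fixed::produce));
    }
}
```

Only the contextual variant reports the second request's own user; the difference between the two lines is exactly the cross-request leak the thread is about.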

Re: MicroProfile JWT 1.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
Yep, got it. Thanks for the feedback - makes sense now.

Cheers

Jon

On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibucau@gmail.com> wrote:

> Answered hopefully "long enough" on dev@geronimo so will just do a short
> one here and shout if not enough: ManagedSecurityService in cdi package of
> openejb-core must make getCurrentPrincipal contextual, so it is hidden behind
> a proxy. The proxied API must be Principal and JsonWebToken when available
> (try { add if it can be loaded } catch { ignore } works as a pattern). The proxy
> instance can be created once for all apps using the container loader, or per
> app using the app loader to avoid leaking between apps, since the API
> can use different loaders.
>
> Le ven. 2 nov. 2018 14:44, Jonathan Gallimore <
> jonathan.gallimore@gmail.com>
> a écrit :
>
> > Thanks for the reply, but I am confused by your response. The PR I
> > referenced adds a single test to the geronimo-jwt-auth project (
> > https://github.com/apache/geronimo-jwt-auth/pull/3), based on
> > org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
> > from the TCK. It fails at present (hopefully we agree on that - my
> results
> > attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it
> > uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified
> > the project config at all, so it is using the SecurityService code you
> > previously posted. If this additional test were part of the MicroProfile
> > JWT TCK (and I'm going to propose it), the Geronimo JWT Auth
> implementation
> > would *not* pass the TCK.
> >
> > I posted this here as I originally found the issue when continuing
> > Roberto's efforts, but this has probably contributed to some confusion. I
> > would suggest we continue this over on the Geronimo and OWB lists to
> avoid
> > further confusion.
> >
> > Jon
> >
> > On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <
> rmannibucau@gmail.com>
> > wrote:
> >
> >> Hi
> >>
> >> Yes this is an owb misconfiguration/integration
> >>
> >> Geronimo is fine here so likely tomee owb spi to update as in geronimo
> tck
> >>
> >> Le ven. 2 nov. 2018 10:42, Jonathan Gallimore <
> >> jonathan.gallimore@gmail.com>
> >> a écrit :
> >>
> >> > Thanks for the reply. I am still sure there is some sort of issue.
> >> Putting
> >> > TomEE to one side for the moment, I am able to reproduce this in the
> >> > Geronimo JWT auth library as well. This PR includes a test to show
> what
> >> I
> >> > mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
> >> >
> >> > I can confirm that this change:
> >> > https://github.com/apache/openwebbeans/pull/12 enables that new test
> to
> >> > pass.
> >> >
> >> > In short, if you @Inject JsonWebToken, or individual claims, or
> >> > use @RolesAllowed, I think you're ok, but if you @Inject Principal,
> you
> >> > will most likely get the wrong principal because the instance is cache
> >> in a
> >> > field in the org.apache.webbeans.portable.ProviderBasedProducer class,
> >> and
> >> > that looks like a security issue.
> >> >
> >> > Jon
> >> >
> >> > On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <
> >> rmannibucau@gmail.com>
> >> > wrote:
> >> >
> >> > > Hi Jon,
> >> > >
> >> > > yes and no, idea is to be fast and for all producers it works except
> >> the
> >> > > principal which is broken anyway in CDI 1.x so guess this was not
> >> fixed
> >> > >
> >> > > in CDI 2 (tomee 8) we can impl it this way:
> >> > >
> >> > >
> >> >
> >>
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> >> > >
> >> > > Romain Manni-Bucau
> >> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >> > > <https://rmannibucau.metawerx.net/> | Old Blog
> >> > > <http://rmannibucau.wordpress.com> | Github <
> >> > > https://github.com/rmannibucau> |
> >> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> >> > > <
> >> > >
> >> >
> >>
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> >> > > >
> >> > >
> >> > >
> >> > > Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore <
> >> > > jonathan.gallimore@gmail.com> a écrit :
> >> > >
> >> > > > Here's a question, probably for Mark or Romain. If I turn the
> proxy
> >> > *off*
> >> > > > in org.apache.webbeans.component.PrincipalBean, I'm finding that I
> >> get
> >> > > the
> >> > > > wrong principal injected sometimes. Specifically, I get the
> >> whatever is
> >> > > on
> >> > > > the proxyInstance field here:
> >> > > >
> >> > > >
> >> > >
> >> >
> >>
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> >> > > >
> >> > > > Should this line (line 66)
> >> > > >
> >> > > >
> >> > >
> >> >
> >>
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
> >> > > > ,
> >> > > > not simply be:
> >> > > >
> >> > > > return provider.get();
> >> > > >
> >> > > > as opposed to
> >> > > >
> >> > > > proxyInstance = provider.get(); ?
> >> > > >
> >> > > > That way, the proxyInstance field would never get set if proxy
> mode
> >> is
> >> > > set
> >> > > > to false. When proxy is true, this seems to work correctly
> >> (although I
> >> > > have
> >> > > > other unrelated issues in TomEE).
> >> > > >
> >> > > > I can probably work around this some other way, but it seems to me
> >> like
> >> > > > that behaviour isn't quite right.
> >> > > >
> >> > > > Trying to think of a way to test it - I can probably come up with
> >> > > > something, but I'd appreciate some pointers. Happy to shift this
> to
> >> > > > openwebbeans-dev, and submit a PR. Replying here initially as I
> ran
> >> > into
> >> > > > this while hacking on the JWT code.
> >> > > >
> >> > > > Jon
> >> > > >
> >> > > > On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez
> >> > > > <ra...@yahoo.com.invalid>
> >> > > > wrote:
> >> > > >
> >> > > > > Please, go ahead. Let me know if need anything. Thanks!
> >> > > > >
> >> > > > > > On 16 Oct 2018, at 21:53, Jonathan Gallimore <
> >> > > > > jonathan.gallimore@gmail.com> wrote:
> >> > > > > >
> >> > > > > > Any objection if I pick this up and have a go at the last
> >> tests, or
> >> > > is
> >> > > > > > someone already working on this?
> >> > > > > >
> >> > > > > > On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <
> >> > > > > rmannibucau@gmail.com>
> >> > > > > > wrote:
> >> > > > > >
> >> > > > > >> Yep this feature. Then it must works since we support user
> >> > principal
> >> > > > if
> >> > > > > the
> >> > > > > >> jwt filter is corretly placed in the filter chain and we must
> >> > > inherit
> >> > > > > from
> >> > > > > >> the request principal.
> >> > > > > >>
> >> > > > > >> Le jeu. 27 sept. 2018 18:37, Roberto Cortez
> >> > > > <radcortez@yahoo.com.invalid
> >> > > > > >
> >> > > > > >> a
> >> > > > > >> écrit :
> >> > > > > >>
> >> > > > > >>> I guess you are referring to this, to remove the proxy?
> >> > > > > >>>
> >> > > > > >>>
> >> > > > > >>
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> >> > > > > >>> <
> >> > > > > >>>
> >> > > > > >>
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> >> > > > > >>>>
> >> > > > > >>>
> >> > > > > >>> Yes, this one step.
> >> > > > > >>>
> >> > > > > >>> By default, we do inject the generic Principal of Tomcat. We
> >> > > probably
> >> > > > > >> need
> >> > > > > >>> to check first about the existence of a JWT Principal and
> then
> >> > > > fallback
> >> > > > > >> to
> >> > > > > >>> the Tomcat one. I think I know how to do it, I was just
> >> trying to
> >> > > > > broaden
> >> > > > > >>> up the conversation about general integration with EE
> >> security.
> >> > > > > >>>
> >> > > > > >>> Cheers,
> >> > > > > >>> Roberto
> >> > > > > >>>
> >> > > > > >>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <
> >> > > rmannibucau@gmail.com
> >> > > > >
> >> > > > > >>> wrote:
> >> > > > > >>>>
> >> > > > > >>>> OWB enable to do it - we did it in geronimo impl to pass
> tck
> >> of
> >> > > jwt
> >> > > > > >> auth
> >> > > > > >>>> spec.
> >> > > > > >>>>
> >> > > > > >>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez
> >> > > > > >> <ra...@yahoo.com.invalid>
> >> > > > > >>> a
> >> > > > > >>>> écrit :
> >> > > > > >>>>
> >> > > > > >>>>> Hi,
> >> > > > > >>>>>
> >> > > > > >>>>> I’ve done some work to push our MP JWT implementation from
> >> 1.0
> >> > to
> >> > > > > 1.1.
> >> > > > > >>>>>
> >> > > > > >>>>> You can check it here:
> >> > > > > >>>>> https://github.com/apache/tomee/pull/173 <
> >> > > > > >>>>> https://github.com/apache/tomee/pull/173>
> >> > > > > >>>>>
> >> > > > > >>>>> There are still a couple of tests in the TCK that I have
> to
> >> fix
> >> > > > and a
> >> > > > > >>> few
> >> > > > > >>>>> things that I would like to improve, but I think the
> >> majority
> >> > of
> >> > > > the
> >> > > > > >>> work
> >> > > > > >>>>> is done.
> >> > > > > >>>>>
> >> > > > > >>>>> Some time ago, there was a discussion in the list about
> how
> >> to
> >> > > > > >> integrate
> >> > > > > >>>>> MP JWT with EE security:
> >> > > > > >>>>>
> >> > > > > >>>>>
> >> > > > > >>>
> >> > > > > >>
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> >> > > > > >>>>> <
> >> > > > > >>>>>
> >> > > > > >>>
> >> > > > > >>
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> >> > > > > >>>>>>
> >> > > > > >>>>>
> >> > > > > >>>>> I believe we need to revisit that conversation and figure
> >> out
> >> > how
> >> > > > to
> >> > > > > >>> move
> >> > > > > >>>>> forward.
> >> > > > > >>>>>
> >> > > > > >>>>> Right now for instance, we don’t support injecting a JWT
> >> > > Principal
> >> > > > > >> since
> >> > > > > >>>>> it clashes with the predefined by CDI. Most likely, we
> would
> >> > need
> >> > > > to
> >> > > > > >>> plugin
> >> > > > > >>>>> the JWT Principal lookup in TomcatSecurityService. I’m not
> >> sure
> >> > > if
> >> > > > we
> >> > > > > >>> want
> >> > > > > >>>>> to do it in that way, or if we want to think of something
> >> else.
> >> > > > > >>>>>
> >> > > > > >>>>> Cheers,
> >> > > > > >>>>> Roberto
> >> > > > > >>>
> >> > > > > >>>
> >> > > > > >>
> >> > > > >
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> >
>

Re: MicroProfile JWT 1.1

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Answered hopefully "long enough" on dev@geronimo, so I will just do a short
one here; shout if it is not enough: ManagedSecurityService in the cdi package of
openejb-core must make getCurrentPrincipal contextual, so it is hidden behind
a proxy. The proxied API must be Principal, and JsonWebToken when available
(try { add if can load } catch { ignore } works as a pattern). The proxy
instance can be created once for all apps using the container loader, or per
app using the app loader, avoiding leaks between apps since the API
can use different loaders.

Le ven. 2 nov. 2018 14:44, Jonathan Gallimore <jo...@gmail.com>
a écrit :

> Thanks for the reply, but I am confused by your response. The PR I
> referenced adds a single test to the geronimo-jwt-auth project (
> https://github.com/apache/geronimo-jwt-auth/pull/3), based on
> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
> from the TCK. It fails at present (hopefully we agree on that - my results
> attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it
> uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified
> the project config at all, so it is using the SecurityService code you
> previously posted. If this additional test were part of the MicroProfile
> JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation
> would *not* pass the TCK.
>
> I posted this here as I originally found the issue when continuing
> Roberto's efforts, but this has probably contributed to some confusion. I
> would suggest we continue this over on the Geronimo and OWB lists to avoid
> further confusion.
>
> Jon
>
> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rm...@gmail.com>
> wrote:
>
>> Hi
>>
>> Yes this is an owb misconfiguration/integration
>>
>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
>>
>> Le ven. 2 nov. 2018 10:42, Jonathan Gallimore <
>> jonathan.gallimore@gmail.com>
>> a écrit :
>>
>> > Thanks for the reply. I am still sure there is some sort of issue.
>> Putting
>> > TomEE to one side for the moment, I am able to reproduce this in the
>> > Geronimo JWT auth library as well. This PR includes a test to show what
>> I
>> > mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>> >
>> > I can confirm that this change:
>> > https://github.com/apache/openwebbeans/pull/12 enables that new test to
>> > pass.
>> >
>> > In short, if you @Inject JsonWebToken, or individual claims, or
>> > use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
>> > will most likely get the wrong principal because the instance is cached
>> in a
>> > field in the org.apache.webbeans.portable.ProviderBasedProducer class,
>> and
>> > that looks like a security issue.
>> >
>> > Jon
>> >
>> > On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <
>> rmannibucau@gmail.com>
>> > wrote:
>> >
>> > > Hi Jon,
>> > >
>> > > yes and no, the idea is to be fast and for all producers it works except
>> the
>> > > principal, which is broken anyway in CDI 1.x, so I guess this was not
>> fixed
>> > >
>> > > in CDI 2 (tomee 8) we can impl it this way:
>> > >
>> > >
>> >
>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>> > >
>> > > Romain Manni-Bucau
>> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> > > <https://rmannibucau.metawerx.net/> | Old Blog
>> > > <http://rmannibucau.wordpress.com> | Github <
>> > > https://github.com/rmannibucau> |
>> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>> > > <
>> > >
>> >
>> https://www.packtpub.com/application-development/java-ee-8-high-performance
>> > > >
>> > >
>> > >
>> > > Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore <
>> > > jonathan.gallimore@gmail.com> a écrit :
>> > >
>> > > > Here's a question, probably for Mark or Romain. If I turn the proxy
>> > *off*
>> > > > in org.apache.webbeans.component.PrincipalBean, I'm finding that I
>> get
>> > > the
>> > > > wrong principal injected sometimes. Specifically, I get
>> whatever is
>> > > on
>> > > > the proxyInstance field here:
>> > > >
>> > > >
>> > >
>> >
>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
>> > > >
>> > > > Should this line (line 66)
>> > > >
>> > > >
>> > >
>> >
>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
>> > > > ,
>> > > > not simply be:
>> > > >
>> > > > return provider.get();
>> > > >
>> > > > as opposed to
>> > > >
>> > > > proxyInstance = provider.get(); ?
>> > > >
>> > > > That way, the proxyInstance field would never get set if proxy mode
>> is
>> > > set
>> > > > to false. When proxy is true, this seems to work correctly
>> (although I
>> > > have
>> > > > other unrelated issues in TomEE).
>> > > >
>> > > > I can probably work around this some other way, but it seems to me
>> like
>> > > > that behaviour isn't quite right.
>> > > >
>> > > > Trying to think of a way to test it - I can probably come up with
>> > > > something, but I'd appreciate some pointers. Happy to shift this to
>> > > > openwebbeans-dev, and submit a PR. Replying here initially as I ran
>> > into
>> > > > this while hacking on the JWT code.
>> > > >
>> > > > Jon
>> > > >
>> > > > On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez
>> > > > <ra...@yahoo.com.invalid>
>> > > > wrote:
>> > > >
>> > > > > Please, go ahead. Let me know if you need anything. Thanks!
>> > > > >
>> > > > > > On 16 Oct 2018, at 21:53, Jonathan Gallimore <
>> > > > > jonathan.gallimore@gmail.com> wrote:
>> > > > > >
>> > > > > > Any objection if I pick this up and have a go at the last
>> tests, or
>> > > is
>> > > > > > someone already working on this?
>> > > > > >
>> > > > > > On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <
>> > > > > rmannibucau@gmail.com>
>> > > > > > wrote:
>> > > > > >
>> > > > > >> Yep this feature. Then it must work since we support user
>> > principal
>> > > > if
>> > > > > the
>> > > > > >> jwt filter is correctly placed in the filter chain and we must
>> > > inherit
>> > > > > from
>> > > > > >> the request principal.
>> > > > > >>
>> > > > > >> Le jeu. 27 sept. 2018 18:37, Roberto Cortez
>> > > > <radcortez@yahoo.com.invalid
>> > > > > >
>> > > > > >> a
>> > > > > >> écrit :
>> > > > > >>
>> > > > > >>> I guess you are referring to this, to remove the proxy?
>> > > > > >>>
>> > > > > >>>
>> > > > > >>
>> > > > >
>> > > >
>> > >
>> >
>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>> > > > > >>> <
>> > > > > >>>
>> > > > > >>
>> > > > >
>> > > >
>> > >
>> >
>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>> > > > > >>>>
>> > > > > >>>
>> > > > > >>> Yes, this one step.
>> > > > > >>>
>> > > > > >>> By default, we do inject the generic Principal of Tomcat. We
>> > > probably
>> > > > > >> need
>> > > > > >>> to check first about the existence of a JWT Principal and then
>> > > > fallback
>> > > > > >> to
>> > > > > >>> the Tomcat one. I think I know how to do it, I was just
>> trying to
>> > > > > broaden
>> > > > > >>> up the conversation about general integration with EE
>> security.
>> > > > > >>>
>> > > > > >>> Cheers,
>> > > > > >>> Roberto
>> > > > > >>>
>> > > > > >>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <
>> > > rmannibucau@gmail.com
>> > > > >
>> > > > > >>> wrote:
>> > > > > >>>>
>> > > > > >>>> OWB enables doing it - we did it in geronimo impl to pass tck
>> of
>> > > jwt
>> > > > > >> auth
>> > > > > >>>> spec.
>> > > > > >>>>
>> > > > > >>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez
>> > > > > >> <ra...@yahoo.com.invalid>
>> > > > > >>> a
>> > > > > >>>> écrit :
>> > > > > >>>>
>> > > > > >>>>> Hi,
>> > > > > >>>>>
>> > > > > >>>>> I’ve done some work to push our MP JWT implementation from
>> 1.0
>> > to
>> > > > > 1.1.
>> > > > > >>>>>
>> > > > > >>>>> You can check it here:
>> > > > > >>>>> https://github.com/apache/tomee/pull/173 <
>> > > > > >>>>> https://github.com/apache/tomee/pull/173>
>> > > > > >>>>>
>> > > > > >>>>> There are still a couple of tests in the TCK that I have to
>> fix
>> > > > and a
>> > > > > >>> few
>> > > > > >>>>> things that I would like to improve, but I think the
>> majority
>> > of
>> > > > the
>> > > > > >>> work
>> > > > > >>>>> is done.
>> > > > > >>>>>
>> > > > > >>>>> Some time ago, there was a discussion in the list about how
>> to
>> > > > > >> integrate
>> > > > > >>>>> MP JWT with EE security:
>> > > > > >>>>>
>> > > > > >>>>>
>> > > > > >>>
>> > > > > >>
>> > > > >
>> > > >
>> > >
>> >
>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>> > > > > >>>>> <
>> > > > > >>>>>
>> > > > > >>>
>> > > > > >>
>> > > > >
>> > > >
>> > >
>> >
>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>> > > > > >>>>>>
>> > > > > >>>>>
>> > > > > >>>>> I believe we need to revisit that conversation and figure
>> out
>> > how
>> > > > to
>> > > > > >>> move
>> > > > > >>>>> forward.
>> > > > > >>>>>
>> > > > > >>>>> Right now for instance, we don’t support injecting a JWT
>> > > Principal
>> > > > > >> since
>> > > > > >>>>> it clashes with the one predefined by CDI. Most likely, we would
>> > need
>> > > > to
>> > > > > >>> plugin
>> > > > > >>>>> the JWT Principal lookup in TomcatSecurityService. I’m not
>> sure
>> > > if
>> > > > we
>> > > > > >>> want
>> > > > > >>>>> to do it in that way, or if we want to think of something
>> else.
>> > > > > >>>>>
>> > > > > >>>>> Cheers,
>> > > > > >>>>> Roberto
>> > > > > >>>
>> > > > > >>>
>> > > > > >>
>> > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>

Re: MicroProfile JWT 1.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
Thanks for the reply, but I am confused by your response. The PR I
referenced adds a single test to the geronimo-jwt-auth project (
https://github.com/apache/geronimo-jwt-auth/pull/3), based on
org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
from the TCK. It fails at present (hopefully we agree on that - my results
attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it
uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified
the project config at all, so it is using the SecurityService code you
previously posted. If this additional test were part of the MicroProfile
JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation
would *not* pass the TCK.

I posted this here as I originally found the issue when continuing
Roberto's efforts, but this has probably contributed to some confusion. I
would suggest we continue this over on the Geronimo and OWB lists to avoid
further confusion.

Jon

On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rm...@gmail.com>
wrote:

> Hi
>
> Yes this is an owb misconfiguration/integration
>
> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
>
> Le ven. 2 nov. 2018 10:42, Jonathan Gallimore <
> jonathan.gallimore@gmail.com>
> a écrit :
>
> > Thanks for the reply. I am still sure there is some sort of issue.
> Putting
> > TomEE to one side for the moment, I am able to reproduce this in the
> > Geronimo JWT auth library as well. This PR includes a test to show what I
> > mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
> >
> > I can confirm that this change:
> > https://github.com/apache/openwebbeans/pull/12 enables that new test to
> > pass.
> >
> > In short, if you @Inject JsonWebToken, or individual claims, or
> > use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
> > will most likely get the wrong principal because the instance is cached
> in a
> > field in the org.apache.webbeans.portable.ProviderBasedProducer class,
> and
> > that looks like a security issue.
> >
> > Jon
> >
> > On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <
> rmannibucau@gmail.com>
> > wrote:
> >
> > > Hi Jon,
> > >
> > > yes and no, the idea is to be fast and for all producers it works except
> the
> > > principal, which is broken anyway in CDI 1.x, so I guess this was not fixed
> > >
> > > in CDI 2 (tomee 8) we can impl it this way:
> > >
> > >
> >
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > <https://rmannibucau.metawerx.net/> | Old Blog
> > > <http://rmannibucau.wordpress.com> | Github <
> > > https://github.com/rmannibucau> |
> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> > > <
> > >
> >
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> > > >
> > >
> > >
> > > Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore <
> > > jonathan.gallimore@gmail.com> a écrit :
> > >
> > > > Here's a question, probably for Mark or Romain. If I turn the proxy
> > *off*
> > > > in org.apache.webbeans.component.PrincipalBean, I'm finding that I
> get
> > > the
> > > > wrong principal injected sometimes. Specifically, I get whatever
> is
> > > on
> > > > the proxyInstance field here:
> > > >
> > > >
> > >
> >
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> > > >
> > > > Should this line (line 66)
> > > >
> > > >
> > >
> >
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
> > > > ,
> > > > not simply be:
> > > >
> > > > return provider.get();
> > > >
> > > > as opposed to
> > > >
> > > > proxyInstance = provider.get(); ?
> > > >
> > > > That way, the proxyInstance field would never get set if proxy mode
> is
> > > set
> > > > to false. When proxy is true, this seems to work correctly (although
> I
> > > have
> > > > other unrelated issues in TomEE).
> > > >
> > > > I can probably work around this some other way, but it seems to me
> like
> > > > that behaviour isn't quite right.
> > > >
> > > > Trying to think of a way to test it - I can probably come up with
> > > > something, but I'd appreciate some pointers. Happy to shift this to
> > > > openwebbeans-dev, and submit a PR. Replying here initially as I ran
> > into
> > > > this while hacking on the JWT code.
> > > >
> > > > Jon
> > > >
> > > > On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez
> > > > <ra...@yahoo.com.invalid>
> > > > wrote:
> > > >
> > > > > Please, go ahead. Let me know if you need anything. Thanks!
> > > > >
> > > > > > On 16 Oct 2018, at 21:53, Jonathan Gallimore <
> > > > > jonathan.gallimore@gmail.com> wrote:
> > > > > >
> > > > > > Any objection if I pick this up and have a go at the last tests,
> or
> > > is
> > > > > > someone already working on this?
> > > > > >
> > > > > > On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <
> > > > > rmannibucau@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > >> Yep this feature. Then it must work since we support user
> > principal
> > > > if
> > > > > the
> > > > > >> jwt filter is correctly placed in the filter chain and we must
> > > inherit
> > > > > from
> > > > > >> the request principal.
> > > > > >>
> > > > > >> Le jeu. 27 sept. 2018 18:37, Roberto Cortez
> > > > <radcortez@yahoo.com.invalid
> > > > > >
> > > > > >> a
> > > > > >> écrit :
> > > > > >>
> > > > > >>> I guess you are referring to this, to remove the proxy?
> > > > > >>>
> > > > > >>>
> > > > > >>
> > > > >
> > > >
> > >
> >
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > > > > >>> <
> > > > > >>>
> > > > > >>
> > > > >
> > > >
> > >
> >
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > > > > >>>>
> > > > > >>>
> > > > > >>> Yes, this one step.
> > > > > >>>
> > > > > >>> By default, we do inject the generic Principal of Tomcat. We
> > > probably
> > > > > >> need
> > > > > >>> to check first about the existence of a JWT Principal and then
> > > > fallback
> > > > > >> to
> > > > > >>> the Tomcat one. I think I know how to do it, I was just trying
> to
> > > > > broaden
> > > > > >>> up the conversation about general integration with EE security.
> > > > > >>>
> > > > > >>> Cheers,
> > > > > >>> Roberto
> > > > > >>>
> > > > > >>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <
> > > rmannibucau@gmail.com
> > > > >
> > > > > >>> wrote:
> > > > > >>>>
> > > > > >>>> OWB enables doing it - we did it in geronimo impl to pass tck
> of
> > > jwt
> > > > > >> auth
> > > > > >>>> spec.
> > > > > >>>>
> > > > > >>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez
> > > > > >> <ra...@yahoo.com.invalid>
> > > > > >>> a
> > > > > >>>> écrit :
> > > > > >>>>
> > > > > >>>>> Hi,
> > > > > >>>>>
> > > > > >>>>> I’ve done some work to push our MP JWT implementation from
> 1.0
> > to
> > > > > 1.1.
> > > > > >>>>>
> > > > > >>>>> You can check it here:
> > > > > >>>>> https://github.com/apache/tomee/pull/173 <
> > > > > >>>>> https://github.com/apache/tomee/pull/173>
> > > > > >>>>>
> > > > > >>>>> There are still a couple of tests in the TCK that I have to
> fix
> > > > and a
> > > > > >>> few
> > > > > >>>>> things that I would like to improve, but I think the majority
> > of
> > > > the
> > > > > >>> work
> > > > > >>>>> is done.
> > > > > >>>>>
> > > > > >>>>> Some time ago, there was a discussion in the list about how
> to
> > > > > >> integrate
> > > > > >>>>> MP JWT with EE security:
> > > > > >>>>>
> > > > > >>>>>
> > > > > >>>
> > > > > >>
> > > > >
> > > >
> > >
> >
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > > > > >>>>> <
> > > > > >>>>>
> > > > > >>>
> > > > > >>
> > > > >
> > > >
> > >
> >
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > > > > >>>>>>
> > > > > >>>>>
> > > > > >>>>> I believe we need to revisit that conversation and figure out
> > how
> > > > to
> > > > > >>> move
> > > > > >>>>> forward.
> > > > > >>>>>
> > > > > >>>>> Right now for instance, we don’t support injecting a JWT
> > > Principal
> > > > > >> since
> > > > > >>>>> it clashes with the one predefined by CDI. Most likely, we would
> > need
> > > > to
> > > > > >>> plugin
> > > > > >>>>> the JWT Principal lookup in TomcatSecurityService. I’m not
> sure
> > > if
> > > > we
> > > > > >>> want
> > > > > >>>>> to do it in that way, or if we want to think of something
> else.
> > > > > >>>>>
> > > > > >>>>> Cheers,
> > > > > >>>>> Roberto
> > > > > >>>
> > > > > >>>
> > > > > >>
> > > > >
> > > > >
> > > >
> > >
> >
>
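The caching defect Jon describes (a producer that parks the first provider result in a field, so a later request can be handed another caller's Principal) and the contextual-proxy shape Romain suggests, as an added example that is not code from OWB, TomEE or the Geronimo JWT implementation. A ThreadLocal stands in for the container's per-request security context; the Named, CachingProducer, contextualPrincipal, proxiedApis and observe names are constructed for this example, and the only real identifiers used are java.security.Principal and the org.eclipse.microprofile.jwt.JsonWebToken class name, which is loaded reflectively and skipped when absent.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Supplier;

/**
 * Added example (not OWB, TomEE or Geronimo code): why caching a request-scoped
 * Principal in a producer field leaks identity between requests, and how a
 * contextual proxy avoids it. The "container" here is a ThreadLocal stand-in.
 */
public class PrincipalProducerDemo {

    /** Constructed stand-in for the container's per-request security context. */
    static final ThreadLocal<Principal> CURRENT_REQUEST_PRINCIPAL = new ThreadLocal<>();

    /** Minimal Principal implementation used as sample data. */
    static final class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "Named[" + name + "]"; }
    }

    /** The provider the container consults on injection: "who is the caller right now?". */
    static final Supplier<Principal> CONTAINER_LOOKUP = CURRENT_REQUEST_PRINCIPAL::get;

    /** Shape of the defect: the first provider result is parked in a field and reused. */
    static final class CachingProducer implements Supplier<Principal> {
        private final Supplier<Principal> provider;
        private Principal cachedInstance;            // plays the role of the cached field
        CachingProducer(Supplier<Principal> provider) { this.provider = provider; }
        @Override public Principal get() {
            if (cachedInstance == null) {
                cachedInstance = provider.get();     // the first caller's identity is now sticky
            }
            return cachedInstance;
        }
    }

    /** Contextual alternative: one proxy, created once, that re-resolves the caller on every call. */
    static Principal contextualPrincipal(Supplier<Principal> provider, ClassLoader appLoader) {
        InvocationHandler delegateToCurrent =
                (proxy, method, args) -> method.invoke(provider.get(), args);
        return (Principal) Proxy.newProxyInstance(appLoader, proxiedApis(appLoader), delegateToCurrent);
    }

    /** Principal always; JsonWebToken only if this app's loader can see the MP JWT API. */
    static Class<?>[] proxiedApis(ClassLoader appLoader) {
        List<Class<?>> apis = new ArrayList<>();
        apis.add(Principal.class);
        try {
            apis.add(appLoader.loadClass("org.eclipse.microprofile.jwt.JsonWebToken"));
        } catch (ClassNotFoundException mpJwtApiAbsent) {
            // "add if can load, catch and ignore": no MP JWT API here, proxy Principal only
        }
        return apis.toArray(new Class<?>[0]);
    }

    /** Two consecutive "requests" through the same injected reference; returns the name each one observed. */
    static List<String> observe(Supplier<Principal> injected) {
        List<String> seen = new ArrayList<>();
        for (String caller : Arrays.asList("alice", "bob")) {
            CURRENT_REQUEST_PRINCIPAL.set(new Named(caller));  // container authenticates this request
            try {
                seen.add(injected.get().getName());            // what the bean sees via @Inject Principal
            } finally {
                CURRENT_REQUEST_PRINCIPAL.remove();            // request ends, context cleared
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        ClassLoader appLoader = PrincipalProducerDemo.class.getClassLoader();

        System.out.println("caching producer : " + observe(new CachingProducer(CONTAINER_LOOKUP)));

        Principal proxy = contextualPrincipal(CONTAINER_LOOKUP, appLoader);
        System.out.println("contextual proxy : " + observe(() -> proxy));
        System.out.println("proxied APIs     : " + Arrays.toString(proxiedApis(appLoader)));
    }
}
```

Running main shows the two behaviours side by side: the caching producer reports alice's name for both requests, so bob's request executes as alice, which is the security issue raised in the thread, while the proxy object, created once and handed to both requests, reports alice and then bob because every call goes back to the container lookup. Because proxiedApis is evaluated against the app loader, the proxy can be built per application without leaking classes between apps, as the message suggests.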

Re: MicroProfile JWT 1.1

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi

Yes this is an owb misconfiguration/integration

Geronimo is fine here so likely tomee owb spi to update as in geronimo tck

Le ven. 2 nov. 2018 10:42, Jonathan Gallimore <jo...@gmail.com>
a écrit :

> Thanks for the reply. I am still sure there is some sort of issue. Putting
> TomEE to one side for the moment, I am able to reproduce this in the
> Geronimo JWT auth library as well. This PR includes a test to show what I
> mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>
> I can confirm that this change:
> https://github.com/apache/openwebbeans/pull/12 enables that new test to
> pass.
>
> In short, if you @Inject JsonWebToken, or individual claims, or
> use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
> will most likely get the wrong principal because the instance is cached in a
> field in the org.apache.webbeans.portable.ProviderBasedProducer class, and
> that looks like a security issue.
>
> Jon
>
> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rm...@gmail.com>
> wrote:
>
> > Hi Jon,
> >
> > yes and no, the idea is to be fast and for all producers it works except the
> > principal, which is broken anyway in CDI 1.x, so I guess this was not fixed
> >
> > in CDI 2 (tomee 8) we can impl it this way:
> >
> >
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <https://rmannibucau.metawerx.net/> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <
> > https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> > <
> >
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> > >
> >
> >
> > Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore <
> > jonathan.gallimore@gmail.com> a écrit :
> >
> > > Here's a question, probably for Mark or Romain. If I turn the proxy
> *off*
> > > in org.apache.webbeans.component.PrincipalBean, I'm finding that I get
> > the
> > > wrong principal injected sometimes. Specifically, I get whatever is
> > on
> > > the proxyInstance field here:
> > >
> > >
> >
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> > >
> > > Should this line (line 66)
> > >
> > >
> >
> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
> > > ,
> > > not simply be:
> > >
> > > return provider.get();
> > >
> > > as opposed to
> > >
> > > proxyInstance = provider.get(); ?
> > >
> > > That way, the proxyInstance field would never get set if proxy mode is
> > set
> > > to false. When proxy is true, this seems to work correctly (although I
> > have
> > > other unrelated issues in TomEE).
> > >
> > > I can probably work around this some other way, but it seems to me like
> > > that behaviour isn't quite right.
> > >
> > > Trying to think of a way to test it - I can probably come up with
> > > something, but I'd appreciate some pointers. Happy to shift this to
> > > openwebbeans-dev, and submit a PR. Replying here initially as I ran
> into
> > > this while hacking on the JWT code.
> > >
> > > Jon
> > >
> > > On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez
> > > <ra...@yahoo.com.invalid>
> > > wrote:
> > >
> > > > Please, go ahead. Let me know if you need anything. Thanks!
> > > >
> > > > > On 16 Oct 2018, at 21:53, Jonathan Gallimore <
> > > > jonathan.gallimore@gmail.com> wrote:
> > > > >
> > > > > Any objection if I pick this up and have a go at the last tests, or
> > is
> > > > > someone already working on this?
> > > > >
> > > > > On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <
> > > > rmannibucau@gmail.com>
> > > > > wrote:
> > > > >
> > > > >> Yep this feature. Then it must work since we support user
> principal
> > > if
> > > > the
> > > > >> jwt filter is correctly placed in the filter chain and we must
> > inherit
> > > > from
> > > > >> the request principal.
> > > > >>
> > > > >> Le jeu. 27 sept. 2018 18:37, Roberto Cortez
> > > <radcortez@yahoo.com.invalid
> > > > >
> > > > >> a
> > > > >> écrit :
> > > > >>
> > > > >>> I guess you are referring to this, to remove the proxy?
> > > > >>>
> > > > >>>
> > > > >>
> > > >
> > >
> >
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > > > >>> <
> > > > >>>
> > > > >>
> > > >
> > >
> >
> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> > > > >>>>
> > > > >>>
> > > > >>> Yes, this one step.
> > > > >>>
> > > > >>> By default, we do inject the generic Principal of Tomcat. We
> > probably
> > > > >> need
> > > > >>> to check first about the existence of a JWT Principal and then
> > > fallback
> > > > >> to
> > > > >>> the Tomcat one. I think I know how to do it, I was just trying to
> > > > broaden
> > > > >>> up the conversation about general integration with EE security.
> > > > >>>
> > > > >>> Cheers,
> > > > >>> Roberto
> > > > >>>
> > > > >>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <
> > rmannibucau@gmail.com
> > > >
> > > > >>> wrote:
> > > > >>>>
> > > > >>>> OWB enables doing it - we did it in geronimo impl to pass tck of
> > jwt
> > > > >> auth
> > > > >>>> spec.
> > > > >>>>
> > > > >>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez
> > > > >> <ra...@yahoo.com.invalid>
> > > > >>> a
> > > > >>>> écrit :
> > > > >>>>
> > > > >>>>> Hi,
> > > > >>>>>
> > > > >>>>> I’ve done some work to push our MP JWT implementation from 1.0
> to
> > > > 1.1.
> > > > >>>>>
> > > > >>>>> You can check it here:
> > > > >>>>> https://github.com/apache/tomee/pull/173 <
> > > > >>>>> https://github.com/apache/tomee/pull/173>
> > > > >>>>>
> > > > >>>>> There are still a couple of tests in the TCK that I have to fix
> > > and a
> > > > >>> few
> > > > >>>>> things that I would like to improve, but I think the majority
> of
> > > the
> > > > >>> work
> > > > >>>>> is done.
> > > > >>>>>
> > > > >>>>> Some time ago, there was a discussion in the list about how to
> > > > >> integrate
> > > > >>>>> MP JWT with EE security:
> > > > >>>>>
> > > > >>>>>
> > > > >>>
> > > > >>
> > > >
> > >
> >
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > > > >>>>> <
> > > > >>>>>
> > > > >>>
> > > > >>
> > > >
> > >
> >
> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> > > > >>>>>>
> > > > >>>>>
> > > > >>>>> I believe we need to revisit that conversation and figure out
> how
> > > to
> > > > >>> move
> > > > >>>>> forward.
> > > > >>>>>
> > > > >>>>> Right now for instance, we don’t support injecting a JWT
> > Principal
> > > > >> since
> > > > >>>>> it clashes with the one predefined by CDI. Most likely, we would
> need
> > > to
> > > > >>> plugin
> > > > >>>>> the JWT Principal lookup in TomcatSecurityService. I’m not sure
> > if
> > > we
> > > > >>> want
> > > > >>>>> to do it in that way, or if we want to think of something else.
> > > > >>>>>
> > > > >>>>> Cheers,
> > > > >>>>> Roberto
> > > > >>>
> > > > >>>
> > > > >>
> > > >
> > > >
> > >
> >
>