Posted to dev@tomee.apache.org by César Hernández Mendoza <ce...@gmail.com> on 2018/11/30 22:44:32 UTC

MP JWT example revisited

Hi,

I'm planning to implement a couple of small improvements on the
MicroProfile JWT example the project already has.
I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.

I'll keep you updated with the proposal and progress. Ideas and proposals are
more than welcome!
-- 
Sincerely:
César Hernández Mendoza.

Re: MP JWT example revisited

Posted by Daniel Cunha <da...@apache.org>.
Hey Cesar,

It seems good to go.
I pushed my +1 on the PR.


On Wed, 12 Dec 2018 at 2:26 AM, César Hernández Mendoza <cesarguate@gmail.com> wrote:

> Thank you @Roberto for the comments.
>
> I finished my PR and removed the "WIP" from the PR name. Can somebody please
> review it: https://github.com/apache/tomee/pull/233
>
>
>
> On Tue, 11 Dec 2018 at 4:32, Roberto Cortez
> (<ra...@yahoo.com.invalid>) wrote:
>
> > If I remember correctly, you only need one of the roles in RolesAllowed to
> > be authorized.
> >
> > > On 11 Dec 2018, at 06:24, César Hernández Mendoza <cesarguate@gmail.com> wrote:
> > >
> > > I started to move forward this PR.
> > >
> > > I have one question:
> > > What would be the correct behavior of a request containing a valid token
> > > that only has the Group of Claims "crud" but the REST endpoint is
> > > annotated like this:
> > >
> > > @RolesAllowed({"crud", "read-only"})
> > >
> > >
> > > Should the REST endpoint reply with a 403 because the token used in the
> > > request doesn't have both Group of claims?
> > > or
> > > Should the REST endpoint reply correctly if and only if the Token used in
> > > the request contains any of these two Group of claims?
> > >
> > > After reading both the MP JWT spec and section 2.12 of JSR-250, I
> > > think we have a bug that you can easily reproduce in my PR if you use token
> > > type "*2*" instead of "1" in the following test:
> > > https://github.com/apache/tomee/pull/233/files#diff-c8b4606595833238670d666da0b95651R80
> > >
> > >
> > >
> > > On Mon, 3 Dec 2018 at 9:22, Bruno Baptista (<br...@gmail.com>)
> > > wrote:
> > >
> > >> Hi César,
> > >>
> > >> Looking forward to review it.
> > >>
> > >> Cheers.
> > >>
> > >> Bruno Baptista
> > >> https://twitter.com/brunobat_
> > >>
> > >>
> > >> On 30/11/18 22:44, César Hernández Mendoza wrote:
> > >>> Hi,
> > >>>
> > >>> I'm planning to implement a couple of small improvements on the
> > >>> MicroProfile JWT example the project already has.
> > >>> I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.
> > >>>
> > >>> I'll keep you updated with the proposal and progress. Ideas and proposals
> > >>> are more than welcome!
> > >>
> > >
> > >
> > > --
> > > Sincerely:
> > > César Hernández Mendoza.
> >
> >
>
> --
> Sincerely:
> César Hernández Mendoza.
>

Re: MP JWT example revisited

Posted by César Hernández Mendoza <ce...@gmail.com>.
Thank you @Roberto for the comments.

I finished my PR and removed the "WIP" from the PR name. Can somebody please
review it: https://github.com/apache/tomee/pull/233



On Tue, 11 Dec 2018 at 4:32, Roberto Cortez
(<ra...@yahoo.com.invalid>) wrote:

> If I remember correctly, you only need one of the roles in RolesAllowed to
> be authorized.
>
> > On 11 Dec 2018, at 06:24, César Hernández Mendoza <ce...@gmail.com>
> wrote:
> >
> > I started to move forward this PR.
> >
> > I have one question:
> > What would be the correct behavior of a request containing a valid token
> > that only has the Group of Claims "crud" but the REST endpoint is
> > annotated like this:
> >
> > @RolesAllowed({"crud", "read-only"})
> >
> >
> > Should the REST endpoint reply with a 403 because the token used in the
> > request doesn't have both Group of claims?
> > or
> > Should the REST endpoint reply correctly if and only if the Token used in
> > the request contains any of these two Group of claims?
> >
> > After reading both the MP JWT spec and section 2.12 of JSR-250, I
> > think we have a bug that you can easily reproduce in my PR if you use token
> > type "*2*" instead of "1" in the following test:
> > https://github.com/apache/tomee/pull/233/files#diff-c8b4606595833238670d666da0b95651R80
> >
> >
> >
> > On Mon, 3 Dec 2018 at 9:22, Bruno Baptista (<br...@gmail.com>)
> > wrote:
> >
> >> Hi César,
> >>
> >> Looking forward to review it.
> >>
> >> Cheers.
> >>
> >> Bruno Baptista
> >> https://twitter.com/brunobat_
> >>
> >>
> >> On 30/11/18 22:44, César Hernández Mendoza wrote:
> >>> Hi,
> >>>
> >>> I'm planning to implement a couple of small improvements on the
> >>> MicroProfile JWT example the project already has.
> >>> I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.
> >>>
> >>> I'll keep you updated with the proposal and progress. Ideas and proposals
> >>> are more than welcome!
> >>
> >
> >
> > --
> > Sincerely:
> > César Hernández Mendoza.
>
>

-- 
Sincerely:
César Hernández Mendoza.

Re: MP JWT example revisited

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
If I remember correctly, you only need one of the roles in RolesAllowed to be authorized.

> On 11 Dec 2018, at 06:24, César Hernández Mendoza <ce...@gmail.com> wrote:
> 
> I started to move forward this PR.
> 
> I have one question:
> What would be the correct behavior of a request containing a valid token
> that only has the Group of Claims "crud" but the REST endpoint is
> annotated like this:
> 
> @RolesAllowed({"crud", "read-only"})
> 
> 
> Should the REST endpoint reply with a 403 because the token used in the
> request doesn't have both Group of claims?
> or
> Should the REST endpoint reply correctly if and only if the Token used in
> the request contains any of these two Group of claims?
> 
> After reading both the MP JWT spec and section 2.12 of JSR-250, I
> think we have a bug that you can easily reproduce in my PR if you use token
> type "*2*" instead of "1" in the following test:
> https://github.com/apache/tomee/pull/233/files#diff-c8b4606595833238670d666da0b95651R80
> 
> 
> 
> On Mon, 3 Dec 2018 at 9:22, Bruno Baptista (<br...@gmail.com>)
> wrote:
> 
>> Hi César,
>> 
>> Looking forward to review it.
>> 
>> Cheers.
>> 
>> Bruno Baptista
>> https://twitter.com/brunobat_
>> 
>> 
>> On 30/11/18 22:44, César Hernández Mendoza wrote:
>>> Hi,
>>> 
>>> I'm planning to implement a couple of small improvements on the
>>> MicroProfile JWT example the project already has.
>>> I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.
>>> 
>>> I'll keep you updated with the proposal and progress. Ideas and proposals
>>> are more than welcome!
>> 
> 
> 
> -- 
> Sincerely:
> César Hernández Mendoza.


Re: MP JWT example revisited

Posted by César Hernández Mendoza <ce...@gmail.com>.
I started to move forward this PR.

I have one question:
What would be the correct behavior of a request containing a valid token
that only has the Group of Claims "crud" but the REST endpoint is
annotated like this:

@RolesAllowed({"crud", "read-only"})


Should the REST endpoint reply with a 403 because the token used in the
request doesn't have both Group of claims?
or
Should the REST endpoint reply correctly if and only if the Token used in
the request contains any of these two Group of claims?

After reading both the MP JWT spec and section 2.12 of JSR-250, I
think we have a bug that you can easily reproduce in my PR if you use token
type "*2*" instead of "1" in the following test:
https://github.com/apache/tomee/pull/233/files#diff-c8b4606595833238670d666da0b95651R80



On Mon, 3 Dec 2018 at 9:22, Bruno Baptista (<br...@gmail.com>)
wrote:

> Hi César,
>
> Looking forward to review it.
>
> Cheers.
>
> Bruno Baptista
> https://twitter.com/brunobat_
>
>
> On 30/11/18 22:44, César Hernández Mendoza wrote:
> > Hi,
> >
> > I'm planning to implement a couple of small improvements on the
> > MicroProfile JWT example the project already has.
> > I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.
> >
> > I'll keep you updated with the proposal and progress. Ideas and proposals
> > are more than welcome!
>


-- 
Sincerely:
César Hernández Mendoza.
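
The 403-versus-200 question in the message above, and the any-of rule Roberto gives in his reply (JSR-250 section 2.12), as an added Python sketch that is not TomEE or MicroProfile code: it reads the groups claim out of a constructed, already-verified token and returns the status an endpoint annotated @RolesAllowed({"crud", "read-only"}) should answer, next to the all-of reading the thread rules out. The token builder, the claim values and the 401 for a missing token are assumptions made for the example.

```python
import base64
import json

# Added example (not TomEE code). Models the JSR-250 section 2.12 rule for
# @RolesAllowed: the caller must hold ANY ONE of the listed roles, and MP JWT
# maps the token's "groups" claim onto those roles. Signature, issuer and
# expiry checks are assumed to have happened before this code runs.

def b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def groups_from_jwt(token: str) -> set:
    """Read the 'groups' claim from the payload of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    return set(claims.get("groups", []))

def roles_allowed(endpoint_roles, caller_groups):
    """Status for an endpoint annotated @RolesAllowed(endpoint_roles).
    Any overlap between the annotation and the caller's groups is enough."""
    if caller_groups is None:                    # no usable token at all (assumed 401)
        return 401
    return 200 if set(endpoint_roles) & set(caller_groups) else 403

def roles_allowed_all_of(endpoint_roles, caller_groups):
    """The 'needs every listed role' reading the thread rules out; kept
    only to show how it wrongly rejects a crud-only token."""
    if caller_groups is None:
        return 401
    return 200 if set(endpoint_roles) <= set(caller_groups) else 403

def make_test_token(groups) -> str:
    """Constructed token with a dummy signature segment, for the example only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"sub": "alice", "upn": "alice@example.com", "groups": list(groups)})
    return f"{header}.{payload}.dummy-signature"

ENDPOINT_ROLES = ("crud", "read-only")           # @RolesAllowed({"crud", "read-only"})
CRUD_ONLY = make_test_token(["crud"])             # token carrying only the "crud" group

if __name__ == "__main__":
    groups = groups_from_jwt(CRUD_ONLY)
    print("any-of :", roles_allowed(ENDPOINT_ROLES, groups))        # 200
    print("all-of :", roles_allowed_all_of(ENDPOINT_ROLES, groups)) # 403
```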

Re: MP JWT example revisited

Posted by Bruno Baptista <br...@gmail.com>.
Hi César,

Looking forward to review it.

Cheers.

Bruno Baptista
https://twitter.com/brunobat_


On 30/11/18 22:44, César Hernández Mendoza wrote:
> Hi,
>
> I'm planning to implement a couple of small improvements on the
> MicroProfile JWT example the project already has.
> I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.
>
> I'll keep you updated with the proposal and progress. Ideas and proposals
> are more than welcome!