You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2019/02/02 18:42:00 UTC
[jira] [Commented] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16759138#comment-16759138 ]
Jacques Le Roux commented on OFBIZ-10814:
-----------------------------------------
Hi Michael,
I tested your changes with the trunk, it works. I mean, I can SSO login from a localhost example to content on trunk demo.
All,
While reviewing the code I noticed that in JWTManager::getAuthenticationToken we pass "USERNAME" and "PASSWORD" as parameters in a request. Why do we need that? This method is not use OOTB yet, so just curious
> Error parsing JWT
> -----------------
>
> Key: OFBIZ-10814
> URL: https://issues.apache.org/jira/browse/OFBIZ-10814
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Major
> Attachments: Apache OFBiz JWT Test.postman_collection.json, OFBIZ-10814_JWT_parsing_error.patch, OFBIZ-10814_JWT_parsing_error_and_refactoring.patch, OFBIZ-10814_JWT_parsing_error_examples.patch
>
>
> I have problems using the Authorization: Bearer header value for requests towards OFBiz. OFBiz has problems parsing externally generated JSON Web Tokens.
> I have generated them using both [1] and [2] using HS512 and the default secret.
> The JWT check fails because of a parsing error:
> {noformat}
> 2019-01-17 16:48:36,233 |jsse-nio-8443-exec-7 |JavaEventHandler |E| Problems Processing Event
> io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: ��z��'G��#�$�uB"�&��r#�$�3S�"
> at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
> at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
> at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) [ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) [ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
> at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13]
> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13]
> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13]
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13]
> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152]
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13]
> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens
> at [Source: (String)"��z��'G��#�$�uB"�&��r#�$�3S�""; line: 1, column: 2]
> at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6]
> at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1]
> ... 42 more
> 2019-01-17 16:48:36,237 |jsse-nio-8443-exec-7 |RequestHandler |E| null
> org.apache.ofbiz.webapp.event.EventHandlerException: Problems processing event: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: ��z��'G��#�$�uB"�&��r#�$�3S�" (Unable to read JSON value: ��z��'G��#�$�uB"�&��r#�$�3S�")
> at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:94) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
> at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13]
> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13]
> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13]
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13]
> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152]
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13]
> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: ��z��'G��#�$�uB"�&��r#�$�3S�"
> at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
> at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
> at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?]
> ... 31 more
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens
> at [Source: (String)"��z��'G��#�$�uB"�&��r#�$�3S�""; line: 1, column: 2]
> at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6]
> at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6]
> at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
> at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
> at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?]
> ... 31 more{noformat}
> If I create a JWT in [2] and paste it in [1] with a not Base64 encoded secret, the JWT claims are displayed fine so I think they are correct and parsable.
> You can test using
> {noformat}
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0OCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg{noformat}
>
> Any ideas what could be wrong?
>
> [1] [https://jwt.io/]
> [2] [http://jwtbuilder.jamiekurtz.com/]
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)