Nonetheless, if the PrincipalBean in OWB really caches the instance then this is just wrong. We need to fix it there as well - regardless of whether we found a valid workaround for it or not.

LieGrue,
strub

> On 02.11.2018 at 17:43, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>
> Yes
>
> I pushed the fix in g-jwt-auth to make it compliant with JWT-AUTH, the side
> note being that injecting a JsonWebToken as principal is not CDI compliant
> (you get a Principal proxy which is useless and not castable to a
> JsonWebToken unless you veto principal instances to replace them with the
> jsonwebtoken one which breaks apps in other ways - likely worse?). This is
> also why the TCK doesn't abuse that injection since it can't really use it
> and it works with the bad TckSecurityService impl.
>
> So long story short the issue is that OWB enforces the built-in beans to be
> "application scoped" (i.e. the provider returns a proxy otherwise the
> injections will not be contextual as expected) and default impl is not. On
> that aspect tomee ManagedSecurityService#getCurrentPrincipal impl is clearly
> wrong.
>
> side note: in meecrowave we have a config to know what we proxy and return
> back always the same proxy which solves that. We can likely push it back in
> openwebbeans but only in tomcat integration which is the only OWB impl with
> a principal management (which has the same bug btw - likely cause "current"
> is about the "current app" and not the "current context" in
> "getCurrentPrincipal" which is very misleading and not doc-ed).
>
> Hope it is clearer now and helps
>
> Romain Manni-Bucau
> @rmannibucau | Blog | Old Blog | Github | LinkedIn | Book
>
>
> On Fri, Nov 2, 2018 at 17:10, jgallimore <jonathan.gallim...@gmail.com>
> wrote:
>
> Is this what you're referring to:
> https://github.com/apache/meecrowave/blob/trunk/meecrowave-core/src/main/java/org/apache/meecrowave/openwebbeans/MeecrowaveSecurityService.java
> - with the unwrap?
>
> That would make some sense, but is not catered for in
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java.
>
> I can update my PR to include something similar, but it seems like a hard
> workaround for something that ought not to be a problem in the first place.
>
> Jon
>
>
>
> --
> Sent from:
> http://apache-geronimo.328035.n3.nabble.com/Development-f342155.html