> On Feb 14, 2018, at 11:34 AM, Romain Manni-Bucau <[email protected]> wrote:
>
> If jsonp it can be @appscoped too technically

I was definitely advocating for that and AppScoped was supported, but it got axed at the finish line the week before the 1.0 spec went final. We decided to cut scope (pun intended) to get something out the door and come back and add this later.

>> That part will be a bit tricky, but effectively we need a dependent-scoped
>> producer that can find the JWT data in the active request. Perhaps by
>> looking in the ThreadContext.
>
> Can't jaspic work?

Not sure to be honest. One place I suspect will be tough is the EJB isCallerInRole checks we do are effectively handled by our JACC code (or was). That code expects we know all the users that exist and their permissions at startup time. During the Assembler phase the JaccPermissionsBuilder will build a permissions object for each role the user has. The JACC provider then becomes effectively an in memory database of permissions objects. This again, goes against the JWT concept as the user and the roles are in the token and there is no state in the server. Not sure how we'll need to handle that or if JASPIC helps.

https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/assembler/classic/JaccPermissionsBuilder.java

> Also a jwt for an ejb without a request
> means....something to define ;).

That's all defined in chapter 12 ... the spec may or may not have only 10 chapters :)

-David
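The pattern the thread is circling (a dependent-scoped producer that finds the JWT of the active request via the thread, and a role check answered from token claims instead of a permission store built at startup) looks roughly like the following. This is an added illustration, not TomEE code and not from anyone on the thread. It assumes MicroProfile JWT's JsonWebToken interface is on the classpath, that JwtVerifier is a hypothetical interface wrapping whatever library actually validates the token's signature, issuer and expiry, and that the types below are split into their own source files in a real project.

```java
// Added example (hypothetical, not TomEE's code). Each type would normally live in
// its own file; they are package-private here so the listing compiles as one unit.
import java.io.IOException;
import javax.annotation.Priority;
import javax.enterprise.context.Dependent;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.eclipse.microprofile.jwt.JsonWebToken;

/** Hypothetical adapter over the deployment's real JWT library. */
interface JwtVerifier {
    /** Returns the verified token, or throws if signature, issuer or expiry checks fail. */
    JsonWebToken verify(String compactJwt) throws SecurityException;
}

/** Holds the verified token for the current thread only; no server-side state between requests. */
final class RequestJwtHolder {
    private static final ThreadLocal<JsonWebToken> CURRENT = new ThreadLocal<>();
    private RequestJwtHolder() {}
    static void bind(JsonWebToken token) { CURRENT.set(token); }
    static JsonWebToken current() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }
}

/** Verifies the bearer token once per request and binds it to the request thread. */
@Provider
@Priority(Priorities.AUTHENTICATION)
class JwtBindingFilter implements ContainerRequestFilter, ContainerResponseFilter {
    @Inject JwtVerifier verifier;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String auth = ctx.getHeaderString("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return; // anonymous request: nothing bound, the producer below will refuse to inject
        }
        try {
            RequestJwtHolder.bind(verifier.verify(auth.substring(7).trim()));
        } catch (SecurityException e) {
            // Invalid token: reject rather than fall through as anonymous.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    @Override
    public void filter(ContainerRequestContext req, ContainerResponseContext resp) {
        // Runs for aborted responses too; never let a token leak to the next request on this thread.
        RequestJwtHolder.clear();
    }
}

/** Dependent-scoped producer: every injection point sees the token of the request it runs in. */
@Dependent
class RequestJwtProducer {
    @Produces
    @Dependent
    JsonWebToken currentToken() {
        JsonWebToken token = RequestJwtHolder.current();
        if (token == null) {
            throw new IllegalStateException("no verified JWT is bound to the active request");
        }
        return token;
    }
}

/** Role check answered from the token's groups claim, not from permissions built at assembly time. */
final class TokenRoles {
    private TokenRoles() {}
    static boolean isCallerInRole(JsonWebToken token, String role) {
        return token != null && token.getGroups() != null && token.getGroups().contains(role);
    }
}
```

The point of the ThreadLocal plus response-filter pairing is that the container never learns users or roles ahead of time: the set of roles exists only for the duration of one request, which is the property the startup-time JaccPermissionsBuilder approach does not have. Whether an EJB invoked outside any request can get a token at all is exactly the open question the thread leaves for "chapter 12".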
