Here's a question, probably for Mark or Romain. If I turn the proxy *off* in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the wrong principal injected sometimes. Specifically, I get whatever is on the proxyInstance field here: https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51

Should this line (line 66) https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66, not simply be:

    return provider.get();

as opposed to

    proxyInstance = provider.get();

? That way, the proxyInstance field would never get set if proxy mode is set to false. When proxy is true, this seems to work correctly (although I have other unrelated issues in TomEE).

I can probably work around this some other way, but it seems to me like that behaviour isn't quite right. Trying to think of a way to test it - I can probably come up with something, but I'd appreciate some pointers.

Happy to shift this to openwebbeans-dev, and submit a PR. Replying here initially as I ran into this while hacking on the JWT code.

Jon

On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:

> Please, go ahead. Let me know if you need anything. Thanks!
>
> > On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >
> > Any objection if I pick this up and have a go at the last tests, or is someone already working on this?
> >
> > On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >
> >> Yep this feature. Then it must work since we support user principal if the jwt filter is correctly placed in the filter chain and we must inherit from the request principal.
> >>
> >> On Thu, 27 Sep 2018 at 18:37, Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >>
> >>> I guess you are referring to this, to remove the proxy?
> >>>
> >>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> >>>
> >>> Yes, this one step.
> >>>
> >>> By default, we do inject the generic Principal of Tomcat. We probably need to check first about the existence of a JWT Principal and then fallback to the Tomcat one. I think I know how to do it, I was just trying to broaden up the conversation about general integration with EE security.
> >>>
> >>> Cheers,
> >>> Roberto
> >>>
> >>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >>>>
> >>>> OWB enable to do it - we did it in geronimo impl to pass tck of jwt auth spec.
> >>>>
> >>>> On Wed, 26 Sep 2018 at 03:28, Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
> >>>>>
> >>>>> You can check it here:
> >>>>> https://github.com/apache/tomee/pull/173
> >>>>>
> >>>>> There are still a couple of tests in the TCK that I have to fix and a few things that I would like to improve, but I think the majority of the work is done.
> >>>>>
> >>>>> Some time ago, there was a discussion in the list about how to integrate MP JWT with EE security:
> >>>>>
> >>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> >>>>>
> >>>>> I believe we need to revisit that conversation and figure out how to move forward.
> >>>>>
> >>>>> Right now for instance, we don’t support injecting a JWT Principal since it clashes with the predefined by CDI. Most likely, we would need to plugin the JWT Principal lookup in TomcatSecurityService. I’m not sure if we want to do it in that way, or if we want to think in something else.
> >>>>>
> >>>>> Cheers,
> >>>>> Roberto
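
The symptom raised in the top message of this thread, as a simplified stand-alone model added here (not OpenWebBeans code and not from any participant): a producer that stores the first `provider.get()` result in a `proxyInstance` field hands that first caller's principal to later requests, while returning `provider.get()` directly yields the current one. The class `CachingProducer`, the `ThreadLocal` standing in for the request principal, and the user names are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.function.Supplier;

public class PrincipalCacheDemo {
    // Constructed stand-in for "the principal of the current request".
    static final ThreadLocal<Principal> REQUEST_PRINCIPAL = new ThreadLocal<>();

    // Hypothetical model of a provider-backed producer with a proxyInstance field.
    static class CachingProducer {
        private final Supplier<Principal> provider;
        private final boolean cacheWhenUnproxied;
        private Principal proxyInstance;

        CachingProducer(Supplier<Principal> provider, boolean cacheWhenUnproxied) {
            this.provider = provider;
            this.cacheWhenUnproxied = cacheWhenUnproxied;
        }

        Principal produce() {
            if (!cacheWhenUnproxied) {
                return provider.get();          // the change proposed in the message
            }
            if (proxyInstance == null) {
                proxyInstance = provider.get(); // first caller's principal is kept
            }
            return proxyInstance;               // later requests see that same object
        }
    }

    // Simulates one request: bind a principal, inject through the producer, unbind.
    static String injectedFor(CachingProducer producer, String user) {
        REQUEST_PRINCIPAL.set(() -> user);      // lambda implements Principal.getName()
        try {
            return producer.produce().getName();
        } finally {
            REQUEST_PRINCIPAL.remove();
        }
    }

    public static void main(String[] args) {
        CachingProducer cached = new CachingProducer(REQUEST_PRINCIPAL::get, true);
        CachingProducer direct = new CachingProducer(REQUEST_PRINCIPAL::get, false);
        for (String user : new String[] {"alice", "bob"}) { // constructed sample users
            System.out.printf("request as %-5s cached=%-5s direct=%s%n",
                user, injectedFor(cached, user), injectedFor(direct, user));
        }
    }
}
```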