Hi Jon, What it the status of this?
For the remaining failing tests, the issues are related with this: https://github.com/eclipse/microprofile-jwt-auth/issues/118 <https://github.com/eclipse/microprofile-jwt-auth/issues/118> I don’t think there is a way to fix it on our side, so se could just ignore those specific methods and build a specific test for this with 2 apps deployment so we can reach out then public key endpoint from the test. Then we should be good to go with this! Cheers, Roberto > On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonte...@tomitribe.com> > wrote: > > Ok, yes I see it. > -- > Jean-Louis Monteiro > http://twitter.com/jlouismonteiro > http://www.tomitribe.com > > > On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore < > jonathan.gallim...@gmail.com> wrote: > >> The commits are showing for me (at the bottom). Here's the latest one: >> >> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345 >> >> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro < >> jlmonte...@tomitribe.com> wrote: >> >>> Hey Jon, >>> >>> I clicked on the link and the diff tab does not show any difference. >>> Did you push? >>> -- >>> Jean-Louis Monteiro >>> http://twitter.com/jlouismonteiro >>> http://www.tomitribe.com >>> >>> >>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore < >>> jonathan.gallim...@gmail.com> wrote: >>> >>>> I now have the principal injection part of this working - thanks Romain >>> for >>>> your help and explanations. Progress is in my fork here: >>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here: >>>> >>>> >>> >> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1 >>>> ). >>>> There are still a couple of TODOs to clean up, and 3 tests to get >>> passing. >>>> Any feedback is appreciated. >>>> >>>> Jon >>>> >>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore < >>>> jonathan.gallim...@gmail.com> wrote: >>>> >>>>> Yep, got it. Thanks for the feedback - makes sense now. >>>>> >>>>> Cheers >>>>> >>>>> Jon >>>>> >>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibu...@gmail.com >>>> wrote: >>>>> >>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a >>>> short >>>>>> one here and shout if not enough: ManagedSecurityService in cdi >>> package >>>> of >>>>>> openejb-core must make the getCurrentPrincipal contextual so hidden >>>> behind >>>>>> a proxy. The proxied API must be Principal and JsonWebToken when >>>> available >>>>>> (try { add if can load } catch { ignore } works as pattern). The >> proxy >>>>>> instance can be created once for all app using the container loader >> or >>>> per >>>>>> app using the app loader and avoiding to leak between apps since the >>> API >>>>>> can use different loaders. >>>>>> >>>>>> Le ven. 2 nov. 2018 14:44, Jonathan Gallimore < >>>>>> jonathan.gallim...@gmail.com> >>>>>> a écrit : >>>>>> >>>>>>> Thanks for the reply, but I am confused by your response. The PR I >>>>>>> referenced adds a single test to the geronimo-jwt-auth project ( >>>>>>> https://github.com/apache/geronimo-jwt-auth/pull/3), based on >>>>>>> >>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest >>>>>>> from the TCK. It fails at present (hopefully we agree on that - my >>>>>> results >>>>>>> attached). The geronimo-jwt-auth project doesn't touch TomEE at >> all >>> - >>>> it >>>>>>> uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not >>>> modified >>>>>>> the project config at all, so it is using the SecurityService code >>> you >>>>>>> previously posted. If this additional test were part of the >>>> MicroProfile >>>>>>> JWT TCK (and I'm going to propose it), the Geronimo JWT Auth >>>>>> implementation >>>>>>> would *not* pass the TCK. >>>>>>> >>>>>>> I posted this here as I originally found the issue when continuing >>>>>>> Roberto's efforts, but this has probably contributed to some >>>> confusion. >>>>>> I >>>>>>> would suggest we continue this over on the Geronimo and OWB lists >> to >>>>>> avoid >>>>>>> further confusion. >>>>>>> >>>>>>> Jon >>>>>>> >>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau < >>>>>> rmannibu...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi >>>>>>>> >>>>>>>> Yes this is an owb misconfiguration/integration >>>>>>>> >>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in >>>> geronimo >>>>>> tck >>>>>>>> >>>>>>>> Le ven. 2 nov. 2018 10:42, Jonathan Gallimore < >>>>>>>> jonathan.gallim...@gmail.com> >>>>>>>> a écrit : >>>>>>>> >>>>>>>>> Thanks for the reply. I am still sure there is some sort of >>> issue. >>>>>>>> Putting >>>>>>>>> TomEE to one side for the moment, I am able to reproduce this >> in >>>> the >>>>>>>>> Geronimo JWT auth library as well. This PR includes a test to >>> show >>>>>> what >>>>>>>> I >>>>>>>>> mean: https://github.com/apache/geronimo-jwt-auth/pull/3. >>>>>>>>> >>>>>>>>> I can confirm that this change: >>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that >> new >>>>>> test to >>>>>>>>> pass. >>>>>>>>> >>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or >>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject >>> Principal, >>>>>> you >>>>>>>>> will most likely get the wrong principal because the instance >> is >>>>>> cache >>>>>>>> in a >>>>>>>>> field in the org.apache.webbeans.portable.ProviderBasedProducer >>>>>> class, >>>>>>>> and >>>>>>>>> that looks like a security issue. >>>>>>>>> >>>>>>>>> Jon >>>>>>>>> >>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau < >>>>>>>> rmannibu...@gmail.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Hi Jon, >>>>>>>>>> >>>>>>>>>> yes and no, idea is to be fast and for all producers it works >>>>>> except >>>>>>>> the >>>>>>>>>> principal which is broken anyway in CDI 1.x so guess this was >>> not >>>>>>>> fixed >>>>>>>>>> >>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way: >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>> >> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java >>>>>>>>>> >>>>>>>>>> Romain Manni-Bucau >>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog >>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog >>>>>>>>>> <http://rmannibucau.wordpress.com> | Github < >>>>>>>>>> https://github.com/rmannibucau> | >>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book >>>>>>>>>> < >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>> >> https://www.packtpub.com/application-development/java-ee-8-high-performance >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore < >>>>>>>>>> jonathan.gallim...@gmail.com> a écrit : >>>>>>>>>> >>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn >> the >>>>>> proxy >>>>>>>>> *off* >>>>>>>>>>> in org.apache.webbeans.component.PrincipalBean, I'm finding >>>> that >>>>>> I >>>>>>>> get >>>>>>>>>> the >>>>>>>>>>> wrong principal injected sometimes. Specifically, I get the >>>>>>>> whatever is >>>>>>>>>> on >>>>>>>>>>> the proxyInstance field here: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>> >> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51 >>>>>>>>>>> >>>>>>>>>>> Should this line (line 66) >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>> >> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66 >>>>>>>>>>> , >>>>>>>>>>> not simply be: >>>>>>>>>>> >>>>>>>>>>> return provider.get(); >>>>>>>>>>> >>>>>>>>>>> as opposed to >>>>>>>>>>> >>>>>>>>>>> proxyInstance = provider.get(); ? >>>>>>>>>>> >>>>>>>>>>> That way, the proxyInstance field would never get set if >>> proxy >>>>>> mode >>>>>>>> is >>>>>>>>>> set >>>>>>>>>>> to false. When proxy is true, this seems to work correctly >>>>>>>> (although I >>>>>>>>>> have >>>>>>>>>>> other unrelated issues in TomEE). >>>>>>>>>>> >>>>>>>>>>> I can probably work around this some other way, but it >> seems >>> to >>>>>> me >>>>>>>> like >>>>>>>>>>> that behaviour isn't quite right. >>>>>>>>>>> >>>>>>>>>>> Trying to think of a way to test it - I can probably come >> up >>>> with >>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift >>>> this >>>>>> to >>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially >>> as I >>>>>> ran >>>>>>>>> into >>>>>>>>>>> this while hacking on the JWT code. >>>>>>>>>>> >>>>>>>>>>> Jon >>>>>>>>>>> >>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez >>>>>>>>>>> <radcor...@yahoo.com.invalid> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>>> Please, go ahead. Let me know if need anything. Thanks! >>>>>>>>>>>> >>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore < >>>>>>>>>>>> jonathan.gallim...@gmail.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Any objection if I pick this up and have a go at the >> last >>>>>>>> tests, or >>>>>>>>>> is >>>>>>>>>>>>> someone already working on this? >>>>>>>>>>>>> >>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau < >>>>>>>>>>>> rmannibu...@gmail.com> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Yep this feature. Then it must works since we support >>> user >>>>>>>>> principal >>>>>>>>>>> if >>>>>>>>>>>> the >>>>>>>>>>>>>> jwt filter is corretly placed in the filter chain and >> we >>>>>> must >>>>>>>>>> inherit >>>>>>>>>>>> from >>>>>>>>>>>>>> the request principal. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Le jeu. 27 sept. 2018 18:37, Roberto Cortez >>>>>>>>>>> <radcor...@yahoo.com.invalid >>>>>>>>>>>>> >>>>>>>>>>>>>> a >>>>>>>>>>>>>> écrit : >>>>>>>>>>>>>> >>>>>>>>>>>>>>> I guess you are referring to this, to remove the >> proxy? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>> >> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e >>>>>>>>>>>>>>> < >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>> >> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Yes, this one step. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> By default, we do inject the generic Principal of >>> Tomcat. >>>>>> We >>>>>>>>>> probably >>>>>>>>>>>>>> need >>>>>>>>>>>>>>> to check first about the existence of a JWT Principal >>> and >>>>>> then >>>>>>>>>>> fallback >>>>>>>>>>>>>> to >>>>>>>>>>>>>>> the Tomcat one. I think I know how to do it, I was >> just >>>>>>>> trying to >>>>>>>>>>>> broaden >>>>>>>>>>>>>>> up the conversation about general integration with EE >>>>>>>> security. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Cheers, >>>>>>>>>>>>>>> Roberto >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau < >>>>>>>>>> rmannibu...@gmail.com >>>>>>>>>>>> >>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to >>> pass >>>>>> tck >>>>>>>> of >>>>>>>>>> jwt >>>>>>>>>>>>>> auth >>>>>>>>>>>>>>>> spec. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez >>>>>>>>>>>>>> <radcor...@yahoo.com.invalid> >>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>> écrit : >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT >> implementation >>>>>> from >>>>>>>> 1.0 >>>>>>>>> to >>>>>>>>>>>> 1.1. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> You can check it here: >>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173 < >>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I >>>> have >>>>>> to >>>>>>>> fix >>>>>>>>>>> and a >>>>>>>>>>>>>>> few >>>>>>>>>>>>>>>>> things that I would like to improve, but I think >> the >>>>>>>> majority >>>>>>>>> of >>>>>>>>>>> the >>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>> is done. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list >>> about >>>>>> how >>>>>>>> to >>>>>>>>>>>>>> integrate >>>>>>>>>>>>>>>>> MP JWT with EE security: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>> >> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html >>>>>>>>>>>>>>>>> < >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>> >> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and >>>> figure >>>>>>>> out >>>>>>>>> how >>>>>>>>>>> to >>>>>>>>>>>>>>> move >>>>>>>>>>>>>>>>> forward. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting >> a >>>> JWT >>>>>>>>>> Principal >>>>>>>>>>>>>> since >>>>>>>>>>>>>>>>> it clashes with the predefined by CDI. Most likely, >>> we >>>>>> would >>>>>>>>> need >>>>>>>>>>> to >>>>>>>>>>>>>>> plugin >>>>>>>>>>>>>>>>> the JWT Principal lookup in TomcatSecurityService. >>> I’m >>>>>> not >>>>>>>> sure >>>>>>>>>> if >>>>>>>>>>> we >>>>>>>>>>>>>>> want >>>>>>>>>>>>>>>>> to do it in that way, or if we want to think in >>>> something >>>>>>>> else. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Cheers, >>>>>>>>>>>>>>>>> Roberto >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >>
