Hi Jon, I’ve seen you made some changes in your branch. What is the current status? I would like to start pushing for MP 2.0 specs.
Cheers, Roberto > On 21 Nov 2018, at 17:57, Jonathan Gallimore <[email protected]> > wrote: > > Was going to have another look at those tests over the next couple of days. > > Jon > > On Wed, 21 Nov 2018, 17:53 Roberto Cortez <[email protected] > wrote: > >> Hi Jon, >> >> What it the status of this? >> >> For the remaining failing tests, the issues are related with this: >> https://github.com/eclipse/microprofile-jwt-auth/issues/118 < >> https://github.com/eclipse/microprofile-jwt-auth/issues/118> >> >> I don’t think there is a way to fix it on our side, so se could just >> ignore those specific methods and build a specific test for this with 2 >> apps deployment so we can reach out then public key endpoint from the test. >> Then we should be good to go with this! >> >> Cheers, >> Roberto >> >>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <[email protected]> >> wrote: >>> >>> Ok, yes I see it. >>> -- >>> Jean-Louis Monteiro >>> http://twitter.com/jlouismonteiro >>> http://www.tomitribe.com >>> >>> >>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore < >>> [email protected]> wrote: >>> >>>> The commits are showing for me (at the bottom). Here's the latest one: >>>> >>>> >> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345 >>>> >>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro < >>>> [email protected]> wrote: >>>> >>>>> Hey Jon, >>>>> >>>>> I clicked on the link and the diff tab does not show any difference. >>>>> Did you push? >>>>> -- >>>>> Jean-Louis Monteiro >>>>> http://twitter.com/jlouismonteiro >>>>> http://www.tomitribe.com >>>>> >>>>> >>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore < >>>>> [email protected]> wrote: >>>>> >>>>>> I now have the principal injection part of this working - thanks >> Romain >>>>> for >>>>>> your help and explanations. Progress is in my fork here: >>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here: >>>>>> >>>>>> >>>>> >>>> >> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1 >>>>>> ). >>>>>> There are still a couple of TODOs to clean up, and 3 tests to get >>>>> passing. >>>>>> Any feedback is appreciated. >>>>>> >>>>>> Jon >>>>>> >>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore < >>>>>> [email protected]> wrote: >>>>>> >>>>>>> Yep, got it. Thanks for the feedback - makes sense now. >>>>>>> >>>>>>> Cheers >>>>>>> >>>>>>> Jon >>>>>>> >>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <[email protected] >>>>>> wrote: >>>>>>> >>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a >>>>>> short >>>>>>>> one here and shout if not enough: ManagedSecurityService in cdi >>>>> package >>>>>> of >>>>>>>> openejb-core must make the getCurrentPrincipal contextual so hidden >>>>>> behind >>>>>>>> a proxy. The proxied API must be Principal and JsonWebToken when >>>>>> available >>>>>>>> (try { add if can load } catch { ignore } works as pattern). The >>>> proxy >>>>>>>> instance can be created once for all app using the container loader >>>> or >>>>>> per >>>>>>>> app using the app loader and avoiding to leak between apps since the >>>>> API >>>>>>>> can use different loaders. >>>>>>>> >>>>>>>> Le ven. 2 nov. 2018 14:44, Jonathan Gallimore < >>>>>>>> [email protected]> >>>>>>>> a écrit : >>>>>>>> >>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I >>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project ( >>>>>>>>> https://github.com/apache/geronimo-jwt-auth/pull/3), based on >>>>>>>>> >>>>>> >> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest >>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my >>>>>>>> results >>>>>>>>> attached). The geronimo-jwt-auth project doesn't touch TomEE at >>>> all >>>>> - >>>>>> it >>>>>>>>> uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not >>>>>> modified >>>>>>>>> the project config at all, so it is using the SecurityService code >>>>> you >>>>>>>>> previously posted. If this additional test were part of the >>>>>> MicroProfile >>>>>>>>> JWT TCK (and I'm going to propose it), the Geronimo JWT Auth >>>>>>>> implementation >>>>>>>>> would *not* pass the TCK. >>>>>>>>> >>>>>>>>> I posted this here as I originally found the issue when continuing >>>>>>>>> Roberto's efforts, but this has probably contributed to some >>>>>> confusion. >>>>>>>> I >>>>>>>>> would suggest we continue this over on the Geronimo and OWB lists >>>> to >>>>>>>> avoid >>>>>>>>> further confusion. >>>>>>>>> >>>>>>>>> Jon >>>>>>>>> >>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau < >>>>>>>> [email protected]> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Hi >>>>>>>>>> >>>>>>>>>> Yes this is an owb misconfiguration/integration >>>>>>>>>> >>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in >>>>>> geronimo >>>>>>>> tck >>>>>>>>>> >>>>>>>>>> Le ven. 2 nov. 2018 10:42, Jonathan Gallimore < >>>>>>>>>> [email protected]> >>>>>>>>>> a écrit : >>>>>>>>>> >>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of >>>>> issue. >>>>>>>>>> Putting >>>>>>>>>>> TomEE to one side for the moment, I am able to reproduce this >>>> in >>>>>> the >>>>>>>>>>> Geronimo JWT auth library as well. This PR includes a test to >>>>> show >>>>>>>> what >>>>>>>>>> I >>>>>>>>>>> mean: https://github.com/apache/geronimo-jwt-auth/pull/3. >>>>>>>>>>> >>>>>>>>>>> I can confirm that this change: >>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that >>>> new >>>>>>>> test to >>>>>>>>>>> pass. >>>>>>>>>>> >>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or >>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject >>>>> Principal, >>>>>>>> you >>>>>>>>>>> will most likely get the wrong principal because the instance >>>> is >>>>>>>> cache >>>>>>>>>> in a >>>>>>>>>>> field in the org.apache.webbeans.portable.ProviderBasedProducer >>>>>>>> class, >>>>>>>>>> and >>>>>>>>>>> that looks like a security issue. >>>>>>>>>>> >>>>>>>>>>> Jon >>>>>>>>>>> >>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau < >>>>>>>>>> [email protected]> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi Jon, >>>>>>>>>>>> >>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works >>>>>>>> except >>>>>>>>>> the >>>>>>>>>>>> principal which is broken anyway in CDI 1.x so guess this was >>>>> not >>>>>>>>>> fixed >>>>>>>>>>>> >>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java >>>>>>>>>>>> >>>>>>>>>>>> Romain Manni-Bucau >>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog >>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog >>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github < >>>>>>>>>>>> https://github.com/rmannibucau> | >>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book >>>>>>>>>>>> < >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >> https://www.packtpub.com/application-development/java-ee-8-high-performance >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore < >>>>>>>>>>>> [email protected]> a écrit : >>>>>>>>>>>> >>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn >>>> the >>>>>>>> proxy >>>>>>>>>>> *off* >>>>>>>>>>>>> in org.apache.webbeans.component.PrincipalBean, I'm finding >>>>>> that >>>>>>>> I >>>>>>>>>> get >>>>>>>>>>>> the >>>>>>>>>>>>> wrong principal injected sometimes. Specifically, I get the >>>>>>>>>> whatever is >>>>>>>>>>>> on >>>>>>>>>>>>> the proxyInstance field here: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51 >>>>>>>>>>>>> >>>>>>>>>>>>> Should this line (line 66) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66 >>>>>>>>>>>>> , >>>>>>>>>>>>> not simply be: >>>>>>>>>>>>> >>>>>>>>>>>>> return provider.get(); >>>>>>>>>>>>> >>>>>>>>>>>>> as opposed to >>>>>>>>>>>>> >>>>>>>>>>>>> proxyInstance = provider.get(); ? >>>>>>>>>>>>> >>>>>>>>>>>>> That way, the proxyInstance field would never get set if >>>>> proxy >>>>>>>> mode >>>>>>>>>> is >>>>>>>>>>>> set >>>>>>>>>>>>> to false. When proxy is true, this seems to work correctly >>>>>>>>>> (although I >>>>>>>>>>>> have >>>>>>>>>>>>> other unrelated issues in TomEE). >>>>>>>>>>>>> >>>>>>>>>>>>> I can probably work around this some other way, but it >>>> seems >>>>> to >>>>>>>> me >>>>>>>>>> like >>>>>>>>>>>>> that behaviour isn't quite right. >>>>>>>>>>>>> >>>>>>>>>>>>> Trying to think of a way to test it - I can probably come >>>> up >>>>>> with >>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift >>>>>> this >>>>>>>> to >>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially >>>>> as I >>>>>>>> ran >>>>>>>>>>> into >>>>>>>>>>>>> this while hacking on the JWT code. >>>>>>>>>>>>> >>>>>>>>>>>>> Jon >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez >>>>>>>>>>>>> <[email protected]> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Please, go ahead. Let me know if need anything. Thanks! >>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore < >>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the >>>> last >>>>>>>>>> tests, or >>>>>>>>>>>> is >>>>>>>>>>>>>>> someone already working on this? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau < >>>>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Yep this feature. Then it must works since we support >>>>> user >>>>>>>>>>> principal >>>>>>>>>>>>> if >>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> jwt filter is corretly placed in the filter chain and >>>> we >>>>>>>> must >>>>>>>>>>>> inherit >>>>>>>>>>>>>> from >>>>>>>>>>>>>>>> the request principal. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Le jeu. 27 sept. 2018 18:37, Roberto Cortez >>>>>>>>>>>>> <[email protected] >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>> écrit : >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the >>>> proxy? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e >>>>>>>>>>>>>>>>> < >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Yes, this one step. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of >>>>> Tomcat. >>>>>>>> We >>>>>>>>>>>> probably >>>>>>>>>>>>>>>> need >>>>>>>>>>>>>>>>> to check first about the existence of a JWT Principal >>>>> and >>>>>>>> then >>>>>>>>>>>>> fallback >>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> the Tomcat one. I think I know how to do it, I was >>>> just >>>>>>>>>> trying to >>>>>>>>>>>>>> broaden >>>>>>>>>>>>>>>>> up the conversation about general integration with EE >>>>>>>>>> security. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Cheers, >>>>>>>>>>>>>>>>> Roberto >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau < >>>>>>>>>>>> [email protected] >>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to >>>>> pass >>>>>>>> tck >>>>>>>>>> of >>>>>>>>>>>> jwt >>>>>>>>>>>>>>>> auth >>>>>>>>>>>>>>>>>> spec. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez >>>>>>>>>>>>>>>> <[email protected]> >>>>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>>>> écrit : >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT >>>> implementation >>>>>>>> from >>>>>>>>>> 1.0 >>>>>>>>>>> to >>>>>>>>>>>>>> 1.1. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> You can check it here: >>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173 < >>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I >>>>>> have >>>>>>>> to >>>>>>>>>> fix >>>>>>>>>>>>> and a >>>>>>>>>>>>>>>>> few >>>>>>>>>>>>>>>>>>> things that I would like to improve, but I think >>>> the >>>>>>>>>> majority >>>>>>>>>>> of >>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>> is done. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list >>>>> about >>>>>>>> how >>>>>>>>>> to >>>>>>>>>>>>>>>> integrate >>>>>>>>>>>>>>>>>>> MP JWT with EE security: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html >>>>>>>>>>>>>>>>>>> < >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and >>>>>> figure >>>>>>>>>> out >>>>>>>>>>> how >>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> move >>>>>>>>>>>>>>>>>>> forward. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting >>>> a >>>>>> JWT >>>>>>>>>>>> Principal >>>>>>>>>>>>>>>> since >>>>>>>>>>>>>>>>>>> it clashes with the predefined by CDI. Most likely, >>>>> we >>>>>>>> would >>>>>>>>>>> need >>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> plugin >>>>>>>>>>>>>>>>>>> the JWT Principal lookup in TomcatSecurityService. >>>>> I’m >>>>>>>> not >>>>>>>>>> sure >>>>>>>>>>>> if >>>>>>>>>>>>> we >>>>>>>>>>>>>>>>> want >>>>>>>>>>>>>>>>>>> to do it in that way, or if we want to think in >>>>>> something >>>>>>>>>> else. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Cheers, >>>>>>>>>>>>>>>>>>> Roberto >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >> >>
