Yes, I would be in favor on commenting these tests, but implement on our tests that set up an endpoint and try to deploy and app to load the key from the endpoint. At least we make sure that the feature is working as supposed.
Do you want to do it, or should I do it? > On 3 Dec 2018, at 16:49, Jonathan Gallimore <jonathan.gallim...@gmail.com> > wrote: > > Interesting. I'd be in favor of commenting those tests out and merging the > PR, if you think the rest of it is in shape. If the spec says there should > be a deployment exception, then that makes sense. The TCK should probably > start its own little embedded http server to supply these keys instead. We > could contribute a PR there for consideration there. > > Jon > > On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <radcor...@yahoo.com.invalid> > wrote: > >> Yes, >> >> I think that the current state of the TCK is actually wrong. Look here: >> https://github.com/eclipse/microprofile-jwt-auth/issues/118 < >> https://github.com/eclipse/microprofile-jwt-auth/issues/118> >> >> And also from the spec: >> MicroProfile JWT implementations are required to throw a >> `DeploymentException` when given >> a public key that cannot be parsed using either the standardly supported or >> vendor-specific key formats. >> >> My understanding of this is that the load / parsing of the key is part of >> the application deployment, so if you fail to load the key you should fail >> with DeploymentException. It doesn’t make sense to defer the loading of the >> key when you need it and then fail with the DeploymentException, when the >> application is already deployed. >> >> Now, the issue is a chicken / egg. The TCK test exposes the key to load >> from an endpoint in the actual test app that we are testing. I believe the >> correct behaviour should be to have a separate test app that exposes the >> test keys and then have a separate app to test the behaviour. >> >> I think we can implement our own tests like these and then contribute them >> back / fix the TCK. >> >> Cheers, >> Roberto >> >>> On 3 Dec 2018, at 16:24, Jonathan Gallimore < >> jonathan.gallim...@gmail.com> wrote: >>> >>> Thanks for asking. There are 3 tests I can't get passing. These are the >>> ones where the key is referred to by a HTTP url, which isn't available at >>> deployment time where the keys are actually read. I spent quite a lot of >>> time trying to make this happen later in lifecycle (like on first load, >> or >>> something like that). I ended up getting lost in a complete maze of >>> lambdas. I am stuck and in need of help. I think this class is the issue: >>> >> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java >> , >>> and this piece of functionality will probably need some design discussion >>> to enable these tests to pass. >>> >>> I had tried flip the storage to Map<String,Supplier> with a supplier that >>> does a lazy lookup and caches the value. The issue there is the JWKS >> keys, >>> where you appear to get multiple keys in one file. Wrapping the whole >> thing >>> a supplier might work too - you'd effectively then have run that logic on >>> first login, or find something else that can trigger it. >>> >>> Do you have any thoughts? >>> >>> Jon >>> >>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez >> <radcor...@yahoo.com.invalid> >>> wrote: >>> >>>> Hi Jon, >>>> >>>> I’ve seen you made some changes in your branch. What is the current >>>> status? I would like to start pushing for MP 2.0 specs. >>>> >>>> Cheers, >>>> Roberto >>>> >>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore < >>>> jonathan.gallim...@gmail.com> wrote: >>>>> >>>>> Was going to have another look at those tests over the next couple of >>>> days. >>>>> >>>>> Jon >>>>> >>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcor...@yahoo.com.invalid >>>>> wrote: >>>>> >>>>>> Hi Jon, >>>>>> >>>>>> What it the status of this? >>>>>> >>>>>> For the remaining failing tests, the issues are related with this: >>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118 < >>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118> >>>>>> >>>>>> I don’t think there is a way to fix it on our side, so se could just >>>>>> ignore those specific methods and build a specific test for this with >> 2 >>>>>> apps deployment so we can reach out then public key endpoint from the >>>> test. >>>>>> Then we should be good to go with this! >>>>>> >>>>>> Cheers, >>>>>> Roberto >>>>>> >>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro < >>>> jlmonte...@tomitribe.com> >>>>>> wrote: >>>>>>> >>>>>>> Ok, yes I see it. >>>>>>> -- >>>>>>> Jean-Louis Monteiro >>>>>>> http://twitter.com/jlouismonteiro >>>>>>> http://www.tomitribe.com >>>>>>> >>>>>>> >>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore < >>>>>>> jonathan.gallim...@gmail.com> wrote: >>>>>>> >>>>>>>> The commits are showing for me (at the bottom). Here's the latest >> one: >>>>>>>> >>>>>>>> >>>>>> >>>> >> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345 >>>>>>>> >>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro < >>>>>>>> jlmonte...@tomitribe.com> wrote: >>>>>>>> >>>>>>>>> Hey Jon, >>>>>>>>> >>>>>>>>> I clicked on the link and the diff tab does not show any >> difference. >>>>>>>>> Did you push? >>>>>>>>> -- >>>>>>>>> Jean-Louis Monteiro >>>>>>>>> http://twitter.com/jlouismonteiro >>>>>>>>> http://www.tomitribe.com >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore < >>>>>>>>> jonathan.gallim...@gmail.com> wrote: >>>>>>>>> >>>>>>>>>> I now have the principal injection part of this working - thanks >>>>>> Romain >>>>>>>>> for >>>>>>>>>> your help and explanations. Progress is in my fork here: >>>>>>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here: >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1 >>>>>>>>>> ). >>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get >>>>>>>>> passing. >>>>>>>>>> Any feedback is appreciated. >>>>>>>>>> >>>>>>>>>> Jon >>>>>>>>>> >>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore < >>>>>>>>>> jonathan.gallim...@gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now. >>>>>>>>>>> >>>>>>>>>>> Cheers >>>>>>>>>>> >>>>>>>>>>> Jon >>>>>>>>>>> >>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau < >>>> rmannibu...@gmail.com >>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just >> do >>>> a >>>>>>>>>> short >>>>>>>>>>>> one here and shout if not enough: ManagedSecurityService in cdi >>>>>>>>> package >>>>>>>>>> of >>>>>>>>>>>> openejb-core must make the getCurrentPrincipal contextual so >>>> hidden >>>>>>>>>> behind >>>>>>>>>>>> a proxy. The proxied API must be Principal and JsonWebToken when >>>>>>>>>> available >>>>>>>>>>>> (try { add if can load } catch { ignore } works as pattern). The >>>>>>>> proxy >>>>>>>>>>>> instance can be created once for all app using the container >>>> loader >>>>>>>> or >>>>>>>>>> per >>>>>>>>>>>> app using the app loader and avoiding to leak between apps since >>>> the >>>>>>>>> API >>>>>>>>>>>> can use different loaders. >>>>>>>>>>>> >>>>>>>>>>>> Le ven. 2 nov. 2018 14:44, Jonathan Gallimore < >>>>>>>>>>>> jonathan.gallim...@gmail.com> >>>>>>>>>>>> a écrit : >>>>>>>>>>>> >>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The >> PR >>>> I >>>>>>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project >> ( >>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/pull/3), based on >>>>>>>>>>>>> >>>>>>>>>> >>>>>> >> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest >>>>>>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - >>>> my >>>>>>>>>>>> results >>>>>>>>>>>>> attached). The geronimo-jwt-auth project doesn't touch TomEE at >>>>>>>> all >>>>>>>>> - >>>>>>>>>> it >>>>>>>>>>>>> uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not >>>>>>>>>> modified >>>>>>>>>>>>> the project config at all, so it is using the SecurityService >>>> code >>>>>>>>> you >>>>>>>>>>>>> previously posted. If this additional test were part of the >>>>>>>>>> MicroProfile >>>>>>>>>>>>> JWT TCK (and I'm going to propose it), the Geronimo JWT Auth >>>>>>>>>>>> implementation >>>>>>>>>>>>> would *not* pass the TCK. >>>>>>>>>>>>> >>>>>>>>>>>>> I posted this here as I originally found the issue when >>>> continuing >>>>>>>>>>>>> Roberto's efforts, but this has probably contributed to some >>>>>>>>>> confusion. >>>>>>>>>>>> I >>>>>>>>>>>>> would suggest we continue this over on the Geronimo and OWB >> lists >>>>>>>> to >>>>>>>>>>>> avoid >>>>>>>>>>>>> further confusion. >>>>>>>>>>>>> >>>>>>>>>>>>> Jon >>>>>>>>>>>>> >>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau < >>>>>>>>>>>> rmannibu...@gmail.com> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi >>>>>>>>>>>>>> >>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration >>>>>>>>>>>>>> >>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in >>>>>>>>>> geronimo >>>>>>>>>>>> tck >>>>>>>>>>>>>> >>>>>>>>>>>>>> Le ven. 2 nov. 2018 10:42, Jonathan Gallimore < >>>>>>>>>>>>>> jonathan.gallim...@gmail.com> >>>>>>>>>>>>>> a écrit : >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of >>>>>>>>> issue. >>>>>>>>>>>>>> Putting >>>>>>>>>>>>>>> TomEE to one side for the moment, I am able to reproduce this >>>>>>>> in >>>>>>>>>> the >>>>>>>>>>>>>>> Geronimo JWT auth library as well. This PR includes a test to >>>>>>>>> show >>>>>>>>>>>> what >>>>>>>>>>>>>> I >>>>>>>>>>>>>>> mean: https://github.com/apache/geronimo-jwt-auth/pull/3. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I can confirm that this change: >>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that >>>>>>>> new >>>>>>>>>>>> test to >>>>>>>>>>>>>>> pass. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, >> or >>>>>>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject >>>>>>>>> Principal, >>>>>>>>>>>> you >>>>>>>>>>>>>>> will most likely get the wrong principal because the instance >>>>>>>> is >>>>>>>>>>>> cache >>>>>>>>>>>>>> in a >>>>>>>>>>>>>>> field in the >> org.apache.webbeans.portable.ProviderBasedProducer >>>>>>>>>>>> class, >>>>>>>>>>>>>> and >>>>>>>>>>>>>>> that looks like a security issue. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau < >>>>>>>>>>>>>> rmannibu...@gmail.com> >>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Hi Jon, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it >> works >>>>>>>>>>>> except >>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> principal which is broken anyway in CDI 1.x so guess this >> was >>>>>>>>> not >>>>>>>>>>>>>> fixed >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Romain Manni-Bucau >>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog >>>>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog >>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github < >>>>>>>>>>>>>>>> https://github.com/rmannibucau> | >>>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book >>>>>>>>>>>>>>>> < >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> https://www.packtpub.com/application-development/java-ee-8-high-performance >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Le mar. 30 oct. 2018 à 00:58, Jonathan Gallimore < >>>>>>>>>>>>>>>> jonathan.gallim...@gmail.com> a écrit : >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn >>>>>>>> the >>>>>>>>>>>> proxy >>>>>>>>>>>>>>> *off* >>>>>>>>>>>>>>>>> in org.apache.webbeans.component.PrincipalBean, I'm finding >>>>>>>>>> that >>>>>>>>>>>> I >>>>>>>>>>>>>> get >>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> wrong principal injected sometimes. Specifically, I get the >>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>> on >>>>>>>>>>>>>>>>> the proxyInstance field here: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Should this line (line 66) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66 >>>>>>>>>>>>>>>>> , >>>>>>>>>>>>>>>>> not simply be: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> return provider.get(); >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> as opposed to >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if >>>>>>>>> proxy >>>>>>>>>>>> mode >>>>>>>>>>>>>> is >>>>>>>>>>>>>>>> set >>>>>>>>>>>>>>>>> to false. When proxy is true, this seems to work correctly >>>>>>>>>>>>>> (although I >>>>>>>>>>>>>>>> have >>>>>>>>>>>>>>>>> other unrelated issues in TomEE). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I can probably work around this some other way, but it >>>>>>>> seems >>>>>>>>> to >>>>>>>>>>>> me >>>>>>>>>>>>>> like >>>>>>>>>>>>>>>>> that behaviour isn't quite right. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come >>>>>>>> up >>>>>>>>>> with >>>>>>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift >>>>>>>>>> this >>>>>>>>>>>> to >>>>>>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially >>>>>>>>> as I >>>>>>>>>>>> ran >>>>>>>>>>>>>>> into >>>>>>>>>>>>>>>>> this while hacking on the JWT code. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Jon >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez >>>>>>>>>>>>>>>>> <radcor...@yahoo.com.invalid> >>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if need anything. Thanks! >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore < >>>>>>>>>>>>>>>>>> jonathan.gallim...@gmail.com> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the >>>>>>>> last >>>>>>>>>>>>>> tests, or >>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>>>> someone already working on this? >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau < >>>>>>>>>>>>>>>>>> rmannibu...@gmail.com> >>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must works since we support >>>>>>>>> user >>>>>>>>>>>>>>> principal >>>>>>>>>>>>>>>>> if >>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>> jwt filter is corretly placed in the filter chain and >>>>>>>> we >>>>>>>>>>>> must >>>>>>>>>>>>>>>> inherit >>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>> the request principal. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Le jeu. 27 sept. 2018 18:37, Roberto Cortez >>>>>>>>>>>>>>>>> <radcor...@yahoo.com.invalid >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>>>>>> écrit : >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the >>>>>>>> proxy? >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e >>>>>>>>>>>>>>>>>>>>> < >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Yes, this one step. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of >>>>>>>>> Tomcat. >>>>>>>>>>>> We >>>>>>>>>>>>>>>> probably >>>>>>>>>>>>>>>>>>>> need >>>>>>>>>>>>>>>>>>>>> to check first about the existence of a JWT Principal >>>>>>>>> and >>>>>>>>>>>> then >>>>>>>>>>>>>>>>> fallback >>>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>> the Tomcat one. I think I know how to do it, I was >>>>>>>> just >>>>>>>>>>>>>> trying to >>>>>>>>>>>>>>>>>> broaden >>>>>>>>>>>>>>>>>>>>> up the conversation about general integration with EE >>>>>>>>>>>>>> security. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Cheers, >>>>>>>>>>>>>>>>>>>>> Roberto >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau < >>>>>>>>>>>>>>>> rmannibu...@gmail.com >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to >>>>>>>>> pass >>>>>>>>>>>> tck >>>>>>>>>>>>>> of >>>>>>>>>>>>>>>> jwt >>>>>>>>>>>>>>>>>>>> auth >>>>>>>>>>>>>>>>>>>>>> spec. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Le mer. 26 sept. 2018 03:28, Roberto Cortez >>>>>>>>>>>>>>>>>>>> <radcor...@yahoo.com.invalid> >>>>>>>>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>>>>>>>> écrit : >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT >>>>>>>> implementation >>>>>>>>>>>> from >>>>>>>>>>>>>> 1.0 >>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>> 1.1. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> You can check it here: >>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173 < >>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I >>>>>>>>>> have >>>>>>>>>>>> to >>>>>>>>>>>>>> fix >>>>>>>>>>>>>>>>> and a >>>>>>>>>>>>>>>>>>>>> few >>>>>>>>>>>>>>>>>>>>>>> things that I would like to improve, but I think >>>>>>>> the >>>>>>>>>>>>>> majority >>>>>>>>>>>>>>> of >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>> is done. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list >>>>>>>>> about >>>>>>>>>>>> how >>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>> integrate >>>>>>>>>>>>>>>>>>>>>>> MP JWT with EE security: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html >>>>>>>>>>>>>>>>>>>>>>> < >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and >>>>>>>>>> figure >>>>>>>>>>>>>> out >>>>>>>>>>>>>>> how >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>> move >>>>>>>>>>>>>>>>>>>>>>> forward. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting >>>>>>>> a >>>>>>>>>> JWT >>>>>>>>>>>>>>>> Principal >>>>>>>>>>>>>>>>>>>> since >>>>>>>>>>>>>>>>>>>>>>> it clashes with the predefined by CDI. Most likely, >>>>>>>>> we >>>>>>>>>>>> would >>>>>>>>>>>>>>> need >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>> plugin >>>>>>>>>>>>>>>>>>>>>>> the JWT Principal lookup in TomcatSecurityService. >>>>>>>>> I’m >>>>>>>>>>>> not >>>>>>>>>>>>>> sure >>>>>>>>>>>>>>>> if >>>>>>>>>>>>>>>>> we >>>>>>>>>>>>>>>>>>>>> want >>>>>>>>>>>>>>>>>>>>>>> to do it in that way, or if we want to think in >>>>>>>>>> something >>>>>>>>>>>>>> else. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Cheers, >>>>>>>>>>>>>>>>>>>>>>> Roberto >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>>>> >>>> >>>> >> >>
