If you have the cycles, it would be great if you could do it. Cheers!
Jon

On Mon, Dec 3, 2018 at 5:06 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:

> Yes, I would be in favor on commenting these tests, but implement on our tests that set up an endpoint and try to deploy an app to load the key from the endpoint. At least we make sure that the feature is working as supposed.
>
> Do you want to do it, or should I do it?
>
> On 3 Dec 2018, at 16:49, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >
> > Interesting. I'd be in favor of commenting those tests out and merging the PR, if you think the rest of it is in shape. If the spec says there should be a deployment exception, then that makes sense. The TCK should probably start its own little embedded http server to supply these keys instead. We could contribute a PR there for consideration there.
> >
> > Jon
> >
> > On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >
> >> Yes,
> >>
> >> I think that the current state of the TCK is actually wrong. Look here:
> >> https://github.com/eclipse/microprofile-jwt-auth/issues/118
> >>
> >> And also from the spec:
> >> MicroProfile JWT implementations are required to throw a `DeploymentException` when given a public key that cannot be parsed using either the standardly supported or vendor-specific key formats.
> >>
> >> My understanding of this is that the load / parsing of the key is part of the application deployment, so if you fail to load the key you should fail with DeploymentException. It doesn’t make sense to defer the loading of the key when you need it and then fail with the DeploymentException, when the application is already deployed.
> >>
> >> Now, the issue is a chicken / egg. The TCK test exposes the key to load from an endpoint in the actual test app that we are testing.
> >> I believe the correct behaviour should be to have a separate test app that exposes the test keys and then have a separate app to test the behaviour.
> >>
> >> I think we can implement our own tests like these and then contribute them back / fix the TCK.
> >>
> >> Cheers,
> >> Roberto
> >>
> >>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>
> >>> Thanks for asking. There are 3 tests I can't get passing. These are the ones where the key is referred to by a HTTP url, which isn't available at deployment time where the keys are actually read. I spent quite a lot of time trying to make this happen later in lifecycle (like on first load, or something like that). I ended up getting lost in a complete maze of lambdas. I am stuck and in need of help. I think this class is the issue:
> >>> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java ,
> >>> and this piece of functionality will probably need some design discussion to enable these tests to pass.
> >>>
> >>> I had tried flipping the storage to Map<String,Supplier> with a supplier that does a lazy lookup and caches the value. The issue there is the JWKS keys, where you appear to get multiple keys in one file. Wrapping the whole thing in a supplier might work too - you'd effectively then have run that logic on first login, or find something else that can trigger it.
> >>>
> >>> Do you have any thoughts?
> >>>
> >>> Jon
> >>>
> >>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >>>
> >>>> Hi Jon,
> >>>>
> >>>> I’ve seen you made some changes in your branch. What is the current status? I would like to start pushing for MP 2.0 specs.
> >>>>
> >>>> Cheers,
> >>>> Roberto
> >>>>
> >>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>>>
> >>>>> Was going to have another look at those tests over the next couple of days.
> >>>>>
> >>>>> Jon
> >>>>>
> >>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >>>>>
> >>>>>> Hi Jon,
> >>>>>>
> >>>>>> What is the status of this?
> >>>>>>
> >>>>>> For the remaining failing tests, the issues are related with this:
> >>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
> >>>>>>
> >>>>>> I don’t think there is a way to fix it on our side, so we could just ignore those specific methods and build a specific test for this with 2 apps deployment so we can reach out the public key endpoint from the test. Then we should be good to go with this!
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Roberto
> >>>>>>
> >>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
> >>>>>>>
> >>>>>>> Ok, yes I see it.
> >>>>>>> --
> >>>>>>> Jean-Louis Monteiro
> >>>>>>> http://twitter.com/jlouismonteiro
> >>>>>>> http://www.tomitribe.com
> >>>>>>>
> >>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
> >>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
> >>>>>>>>
> >>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hey Jon,
> >>>>>>>>>
> >>>>>>>>> I clicked on the link and the diff tab does not show any difference.
> >>>>>>>>> Did you push?
> >>>>>>>>> --
> >>>>>>>>> Jean-Louis Monteiro
> >>>>>>>>> http://twitter.com/jlouismonteiro
> >>>>>>>>> http://www.tomitribe.com
> >>>>>>>>>
> >>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> I now have the principal injection part of this working - thanks Romain for your help and explanations. Progress is in my fork here: https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here: https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1 ).
> >>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing. Any feedback is appreciated.
> >>>>>>>>>>
> >>>>>>>>>> Jon
> >>>>>>>>>>
> >>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
> >>>>>>>>>>>
> >>>>>>>>>>> Cheers
> >>>>>>>>>>>
> >>>>>>>>>>> Jon
> >>>>>>>>>>>
> >>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a short one here and shout if not enough: ManagedSecurityService in cdi package of openejb-core must make the getCurrentPrincipal contextual so hidden behind a proxy. The proxied API must be Principal and JsonWebToken when available (try { add if can load } catch { ignore } works as pattern).
> >>>>>>>>>>>> The proxy instance can be created once for all app using the container loader or per app using the app loader and avoiding to leak between apps since the API can use different loaders.
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Fri, 2 Nov 2018, 14:44, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I referenced adds a single test to the geronimo-jwt-auth project (https://github.com/apache/geronimo-jwt-auth/pull/3), based on org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest from the TCK. It fails at present (hopefully we agree on that - my results attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified the project config at all, so it is using the SecurityService code you previously posted. If this additional test were part of the MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation would *not* pass the TCK.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I posted this here as I originally found the issue when continuing Roberto's efforts, but this has probably contributed to some confusion. I would suggest we continue this over on the Geronimo and OWB lists to avoid further confusion.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hi
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Fri, 2 Nov 2018, 10:42, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue. Putting TomEE to one side for the moment, I am able to reproduce this in the Geronimo JWT auth library as well. This PR includes a test to show what I mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I can confirm that this change: https://github.com/apache/openwebbeans/pull/12 enables that new test to pass.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or use @RolesAllowed, I think you're ok, but if you @Inject Principal, you will most likely get the wrong principal because the instance is cached in a field in the org.apache.webbeans.portable.ProviderBasedProducer class, and that looks like a security issue.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hi Jon,
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except the principal which is broken anyway in CDI 1.x so guess this was not fixed
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
> >>>>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain.
> >>>>>>>>>>>>>>>>> If I turn the proxy *off* in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the wrong principal injected sometimes. Specifically, I get whatever is on the proxyInstance field here:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Should this line (line 66)
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
> >>>>>>>>>>>>>>>>> , not simply be:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> return provider.get();
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> as opposed to
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode is set to false. When proxy is true, this seems to work correctly (although I have other unrelated issues in TomEE).
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me like that behaviour isn't quite right.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with something, but I'd appreciate some pointers. Happy to shift this to openwebbeans-dev, and submit a PR. Replying here initially as I ran into this while hacking on the JWT code.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Jon
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if need anything. Thanks!
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or is someone already working on this?
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal if the jwt filter is correctly placed in the filter chain and we must inherit from the request principal.
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> On Thu, 27 Sep 2018, 18:37, Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Yes, this one step.
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We probably need to check first about the existence of a JWT Principal and then fallback to the Tomcat one. I think I know how to do it, I was just trying to broaden up the conversation about general integration with EE security.
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>>>>>>>> Roberto
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to pass tck of jwt auth spec.
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> On Wed, 26 Sep 2018, 03:28, Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> You can check it here:
> >>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I have to fix and a few things that I would like to improve, but I think the majority of the work is done.
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list about how to integrate MP JWT with EE security:
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how to move forward.
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal since it clashes with the predefined by CDI. Most likely, we would need to plugin the JWT Principal lookup in TomcatSecurityService. I’m not sure if we want to do it in that way, or if we want to think in something else.
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>>>>>>>>>> Roberto
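
The wrong-principal behaviour discussed in the thread (a producer keeping its first result in a field, against a principal hidden behind a contextual proxy), as an added example that is not code from OpenWebBeans, TomEE or any participant. The class names, the `ThreadLocal` standing in for the container's security context, and the caller names are all constructed for illustration.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

public class PrincipalCachingDemo {
    // Hypothetical stand-in for the container's per-request security context.
    static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();

    /** Keeps the first instance its provider returns and hands it to every later caller. */
    static final class CachingProducer implements Supplier<Principal> {
        private final Supplier<Principal> provider;
        private Principal cached;

        CachingProducer(Supplier<Principal> provider) {
            this.provider = provider;
        }

        @Override
        public synchronized Principal get() {
            if (cached == null) {
                cached = provider.get(); // whoever asks first decides what everyone gets
            }
            return cached;
        }
    }

    /** One shared proxy: each method call is forwarded to the principal of the current request. */
    static Principal contextualProxy(Supplier<Principal> provider) {
        return (Principal) Proxy.newProxyInstance(
                PrincipalCachingDemo.class.getClassLoader(),
                new Class<?>[] {Principal.class},
                (proxy, method, args) -> {
                    try {
                        return method.invoke(provider.get(), args);
                    } catch (InvocationTargetException e) {
                        throw e.getCause();
                    }
                });
    }

    /** Simulates one request per caller and records which name the injection point reports. */
    static List<String> serve(Supplier<Principal> injectionPoint, String... callers) {
        List<String> seen = new ArrayList<>();
        for (String caller : callers) {
            CURRENT.set(() -> caller); // request starts with this authenticated caller
            try {
                seen.add(caller + " sees " + injectionPoint.get().getName());
            } finally {
                CURRENT.remove();
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        Supplier<Principal> lookup = CURRENT::get;

        // Caching the resolved principal: the second caller is given the first caller's identity.
        System.out.println("cached instance: " + serve(new CachingProducer(lookup), "alice", "bob"));

        // Caching a contextual proxy instead: the same cached object resolves per call.
        Principal shared = contextualProxy(lookup);
        System.out.println("cached proxy:    " + serve(new CachingProducer(() -> shared), "alice", "bob"));
    }
}
```

A regression test for this class of bug needs at least two distinct callers hitting the same injection point; a single-caller test passes with either producer.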