Hey,

I think we are mostly done with the JWT 1.1 work. At least the TCK is passing except for two tests with the issue described here: https://github.com/eclipse/microprofile-jwt-auth/issues/118. I did copy the test code and added a second Arquillian deployment to deploy the key endpoint for test in a separate app. In this case, the test works as expected. I’ll also try to submit a PR with this work to the JWT TCK project.

The entire work can be seen here: https://github.com/apache/tomee/pull/173

MP JWT 1.1 mostly adds support for:
- Loading keys using MP Config from multiple sources (inline, classpath, file, url).
- JWK and JWKS support.
- JWT as Principal injection.

Thank you Jon for helping out with the implementation.

Cheers,
Roberto

> On 3 Dec 2018, at 18:00, Roberto Cortez <[email protected]> wrote:
>
> Sure. If you don’t mind, I’ll merge your branch with mine and then submit a PR with everything.
>
>> On 3 Dec 2018, at 17:12, Jonathan Gallimore <[email protected]> wrote:
>>
>> If you have the cycles, it would be great if you could do it.
>>
>> Cheers!
>>
>> Jon
>>
>> On Mon, Dec 3, 2018 at 5:06 PM Roberto Cortez <[email protected]> wrote:
>>
>>> Yes, I would be in favor of commenting these tests, but implement on our tests that set up an endpoint and try to deploy an app to load the key from the endpoint. At least we make sure that the feature is working as supposed.
>>>
>>> Do you want to do it, or should I do it?
>>>
>>>> On 3 Dec 2018, at 16:49, Jonathan Gallimore <[email protected]> wrote:
>>>>
>>>> Interesting. I'd be in favor of commenting those tests out and merging the PR, if you think the rest of it is in shape. If the spec says there should be a deployment exception, then that makes sense. The TCK should probably start its own little embedded http server to supply these keys instead. We could contribute a PR there for consideration there.
>>>>
>>>> Jon
>>>>
>>>> On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <[email protected]> wrote:
>>>>
>>>>> Yes,
>>>>>
>>>>> I think that the current state of the TCK is actually wrong.
>>>>> Look here: https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>>
>>>>> And also from the spec:
>>>>> MicroProfile JWT implementations are required to throw a `DeploymentException` when given a public key that cannot be parsed using either the standardly supported or vendor-specific key formats.
>>>>>
>>>>> My understanding of this is that the load / parsing of the key is part of the application deployment, so if you fail to load the key you should fail with DeploymentException. It doesn’t make sense to defer the loading of the key when you need it and then fail with the DeploymentException, when the application is already deployed.
>>>>>
>>>>> Now, the issue is a chicken / egg. The TCK test exposes the key to load from an endpoint in the actual test app that we are testing. I believe the correct behaviour should be to have a separate test app that exposes the test keys and then have a separate app to test the behaviour.
>>>>>
>>>>> I think we can implement our own tests like these and then contribute them back / fix the TCK.
>>>>>
>>>>> Cheers,
>>>>> Roberto
>>>>>
>>>>>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <[email protected]> wrote:
>>>>>>
>>>>>> Thanks for asking. There are 3 tests I can't get passing. These are the ones where the key is referred to by a HTTP url, which isn't available at deployment time where the keys are actually read. I spent quite a lot of time trying to make this happen later in lifecycle (like on first load, or something like that). I ended up getting lost in a complete maze of lambdas. I am stuck and in need of help.
>>>>>> I think this class is the issue: https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java, and this piece of functionality will probably need some design discussion to enable these tests to pass.
>>>>>>
>>>>>> I had tried flipping the storage to Map<String,Supplier> with a supplier that does a lazy lookup and caches the value. The issue there is the JWKS keys, where you appear to get multiple keys in one file. Wrapping the whole thing in a supplier might work too - you'd effectively then have run that logic on first login, or find something else that can trigger it.
>>>>>>
>>>>>> Do you have any thoughts?
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Jon,
>>>>>>>
>>>>>>> I’ve seen you made some changes in your branch. What is the current status? I would like to start pushing for MP 2.0 specs.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Roberto
>>>>>>>
>>>>>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Was going to have another look at those tests over the next couple of days.
>>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Jon,
>>>>>>>>>
>>>>>>>>> What is the status of this?
>>>>>>>>>
>>>>>>>>> For the remaining failing tests, the issues are related with this: https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>>>>>>
>>>>>>>>> I don’t think there is a way to fix it on our side, so we could just ignore those specific methods and build a specific test for this with 2 apps deployment so we can reach out the public key endpoint from the test. Then we should be good to go with this!
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Roberto
>>>>>>>>>
>>>>>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Ok, yes I see it.
>>>>>>>>>> --
>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>
>>>>>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
>>>>>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hey Jon,
>>>>>>>>>>>>
>>>>>>>>>>>> I clicked on the link and the diff tab does not show any difference.
>>>>>>>>>>>> Did you push?
>>>>>>>>>>>> --
>>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I now have the principal injection part of this working - thanks Romain for your help and explanations.
>>>>>>>>>>>>> Progress is in my fork here: https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here: https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1).
>>>>>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing.
>>>>>>>>>>>>> Any feedback is appreciated.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a short one here and shout if not enough: ManagedSecurityService in cdi package of openejb-core must make the getCurrentPrincipal contextual so hidden behind a proxy. The proxied API must be Principal and JsonWebToken when available (try { add if can load } catch { ignore } works as pattern). The proxy instance can be created once for all app using the container loader or per app using the app loader and avoiding to leak between apps since the API can use different loaders.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, 2 Nov 2018, 14:44, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks for the reply, but I am confused by your response.
>>>>>>>>>>>>>>>> The PR I referenced adds a single test to the geronimo-jwt-auth project (https://github.com/apache/geronimo-jwt-auth/pull/3), based on org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest from the TCK. It fails at present (hopefully we agree on that - my results attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified the project config at all, so it is using the SecurityService code you previously posted. If this additional test were part of the MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation would *not* pass the TCK.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I posted this here as I originally found the issue when continuing Roberto's efforts, but this has probably contributed to some confusion. I would suggest we continue this over on the Geronimo and OWB lists to avoid further confusion.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Fri, 2 Nov 2018, 10:42, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue. Putting TomEE to one side for the moment, I am able to reproduce this in the Geronimo JWT auth library as well. This PR includes a test to show what I mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I can confirm that this change: https://github.com/apache/openwebbeans/pull/12 enables that new test to pass.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or use @RolesAllowed, I think you're ok, but if you @Inject Principal, you will most likely get the wrong principal because the instance is cached in a field in the org.apache.webbeans.portable.ProviderBasedProducer class, and that looks like a security issue.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except the principal which is broken anyway in CDI 1.x so guess this was not fixed
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
>>>>>>>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain.
>>>>>>>>>>>>>>>>>>>> If I turn the proxy *off* in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the wrong principal injected sometimes. Specifically, I get whatever is on the proxyInstance field here:
>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Should this line (line 66)
>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
>>>>>>>>>>>>>>>>>>>> , not simply be:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> return provider.get();
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> as opposed to
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode is set to false. When proxy is true, this seems to work correctly (although I have other unrelated issues in TomEE).
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me like that behaviour isn't quite right.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with something, but I'd appreciate some pointers. Happy to shift this to openwebbeans-dev, and submit a PR. Replying here initially as I ran into this while hacking on the JWT code.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if need anything. Thanks!
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or is someone already working on this?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal if the jwt filter is correctly placed in the filter chain and we must inherit from the request principal.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Thu, 27 Sep 2018, 18:37, Roberto Cortez <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yes, this one step.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We probably need to check first about the existence of a JWT Principal and then fallback to the Tomcat one. I think I know how to do it, I was just trying to broaden up the conversation about general integration with EE security.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to pass tck of jwt auth spec.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Wed, 26 Sep 2018, 03:28, Roberto Cortez <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> You can check it here: https://github.com/apache/tomee/pull/173
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I have to fix and a few things that I would like to improve, but I think the majority of the work is done.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list about how to integrate MP JWT with EE security:
>>>>>>>>>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how to move forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal since it clashes with the predefined by CDI. Most likely, we would need to plugin the JWT Principal lookup in TomcatSecurityService.
>>>>>>>>>>>>>>>>>>>>>>>>>> I’m not sure if we want to do it in that way, or if we want to think in something else.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>>>> Roberto
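
The principal-caching behaviour discussed in the quoted messages, modelled as an added Java example that is not OpenWebBeans, TomEE or any participant's code: a producer that keeps the first looked-up principal in a field hands that caller's identity to later requests, while a per-call lookup or a cached contextual proxy resolves the caller on every use. Only the field name `proxyInstance` comes from the thread; `CachingProducer`, `CURRENT_CALLER`, `contextualProxy` and `nameSeenBy` are hypothetical names and the callers are constructed sample values.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.function.Supplier;

// Added illustration, not OpenWebBeans or TomEE source. All names are
// hypothetical except the proxyInstance field name, taken from the thread.
public class PrincipalCachingDemo {

    // Stand-in for the container's per-request caller lookup.
    static final ThreadLocal<Principal> CURRENT_CALLER = new ThreadLocal<>();

    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Producer that keeps whatever the provider returned first.
    static final class CachingProducer {
        private final Supplier<Principal> provider;
        private Principal proxyInstance;
        CachingProducer(Supplier<Principal> provider) { this.provider = provider; }
        Principal produce() {
            if (proxyInstance == null) {
                proxyInstance = provider.get();
            }
            return proxyInstance;
        }
    }

    // Contextual proxy: safe to cache, because each method call is resolved
    // against the caller bound to the request running at that moment.
    static Principal contextualProxy(Supplier<Principal> provider) {
        return (Principal) Proxy.newProxyInstance(
                PrincipalCachingDemo.class.getClassLoader(),
                new Class<?>[] {Principal.class},
                (proxy, method, args) -> method.invoke(provider.get(), args));
    }

    // Simulates one request: bind the caller, then read the injected name.
    static String nameSeenBy(String caller, Supplier<Principal> injectionPoint) {
        CURRENT_CALLER.set(new NamedPrincipal(caller));
        try {
            return injectionPoint.get().getName();
        } finally {
            CURRENT_CALLER.remove();
        }
    }

    public static void main(String[] args) {
        Supplier<Principal> lookup = CURRENT_CALLER::get;

        CachingProducer raw = new CachingProducer(lookup);
        System.out.println("cached instance, alice sees: " + nameSeenBy("alice", raw::produce));
        System.out.println("cached instance, bob sees:   " + nameSeenBy("bob", raw::produce));

        System.out.println("per-call lookup, alice sees: " + nameSeenBy("alice", lookup));
        System.out.println("per-call lookup, bob sees:   " + nameSeenBy("bob", lookup));

        CachingProducer proxied = new CachingProducer(() -> contextualProxy(lookup));
        System.out.println("cached proxy,    alice sees: " + nameSeenBy("alice", proxied::produce));
        System.out.println("cached proxy,    bob sees:   " + nameSeenBy("bob", proxied::produce));
    }
}
```

Only the first pair prints the same name for both requests; a regression test for this class of bug needs at least two requests with different callers against the same producer.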
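
The deployment-time versus first-use key loading question debated in the quoted messages, as an added Java example (not TomEE code): the keys are served by the same application that is deploying, so an eager load fails, while one memoizing supplier around the whole key set loads on first use but also postpones the failure for an unusable key. `KeySource`, `DeploymentFailure` (a stand-in for the spec's `DeploymentException`), `deployEager` and `deployLazy` are hypothetical names, and the key ids and values are constructed.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Supplier;

// Added illustration, not TomEE source; every name below is hypothetical.
public class KeySetLoadingDemo {

    // Returns kid -> key material; may fail when the location is unreachable.
    interface KeySource { Map<String, String> load() throws Exception; }

    // Stand-in for the DeploymentException quoted from the spec in the thread.
    static final class DeploymentFailure extends RuntimeException {
        DeploymentFailure(String message, Throwable cause) { super(message, cause); }
    }

    static Map<String, String> loadOrFail(KeySource source) {
        try {
            return Collections.unmodifiableMap(new LinkedHashMap<>(source.load()));
        } catch (Exception e) {
            throw new DeploymentFailure("public key could not be loaded", e);
        }
    }

    // Eager: keys are read while the application deploys.
    static Supplier<Map<String, String>> deployEager(KeySource source) {
        Map<String, String> keys = loadOrFail(source);
        return () -> keys;
    }

    // Lazy: one memoizing supplier around the whole set, so a JWKS document
    // holding several keys is fetched once, on first use.
    static Supplier<Map<String, String>> deployLazy(KeySource source) {
        return new Supplier<Map<String, String>>() {
            private Map<String, String> keys;
            @Override public synchronized Map<String, String> get() {
                if (keys == null) {
                    keys = loadOrFail(source);
                }
                return keys;
            }
        };
    }

    public static void main(String[] args) {
        AtomicBoolean endpointUp = new AtomicBoolean(false);
        // Constructed two-key source served by the same app that is deploying.
        KeySource sameAppEndpoint = () -> {
            if (!endpointUp.get()) throw new IllegalStateException("connection refused");
            Map<String, String> jwks = new LinkedHashMap<>();
            jwks.put("kid-1", "constructed-key-1");
            jwks.put("kid-2", "constructed-key-2");
            return jwks;
        };
        try {
            deployEager(sameAppEndpoint);
        } catch (DeploymentFailure e) {
            System.out.println("eager: deployment fails, " + e.getCause().getMessage());
        }
        Supplier<Map<String, String>> lazy = deployLazy(sameAppEndpoint);
        endpointUp.set(true); // the application is now deployed and serving
        System.out.println("lazy: first login sees " + lazy.get().keySet());

        // An unusable key deploys cleanly when lazy and only fails at first use.
        Supplier<Map<String, String>> broken =
                deployLazy(() -> { throw new IllegalArgumentException("not a key"); });
        try {
            broken.get();
        } catch (DeploymentFailure e) {
            System.out.println("lazy: failure surfaces at first login, " + e.getCause().getMessage());
        }
    }
}
```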
