Thank you @Roberto for the comments. I finished my PR and removed the "WIP" from the PR name. Can somebody please review it: https://github.com/apache/tomee/pull/233
On Tue, 11 Dec 2018 at 4:32, Roberto Cortez (<[email protected]>) wrote:

> If I remember correctly, you only need one of the roles in RolesAllowed to
> be authorized.
>
> > On 11 Dec 2018, at 06:24, César Hernández Mendoza <[email protected]> wrote:
> >
> > I started to move this PR forward.
> >
> > I have one question:
> > What would be the correct behavior of a request containing a valid token
> > that only has the Group of Claims "crud" but the REST endpoint is
> > annotated like this:
> >
> > @RolesAllowed({"crud", "read-only"})
> >
> > Should the REST endpoint reply with a 403 because the token used in the
> > request doesn't have both Group of claims?
> > or
> > Should the REST endpoint reply correctly if and only if the Token used in
> > the request contains Any of these two Group of claims?
> >
> > After reading both the MP JWT spec and also section 2.12 of JSR-250 I
> > think we have a bug that you can easily reproduce in my PR if you use token
> > type "*2*" instead of "1" in the following test:
> > https://github.com/apache/tomee/pull/233/files#diff-c8b4606595833238670d666da0b95651R80
> >
> > On Mon, 3 Dec 2018 at 9:22, Bruno Baptista (<[email protected]>) wrote:
> >
> >> Hi César,
> >>
> >> Looking forward to review it.
> >>
> >> Cheers.
> >>
> >> Bruno Baptista
> >> https://twitter.com/brunobat_
> >>
> >> On 30/11/18 22:44, César Hernández Mendoza wrote:
> >>> Hi,
> >>>
> >>> I'm planning to implement a couple of small improvements on the
> >>> MicroProfile JWT example the project already has.
> >>> I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.
> >>>
> >>> I'll keep you updated with the proposal and progress. Ideas and proposals
> >>> are more than welcome!
> >
> > --
> > Sincerely,
> > César Hernández Mendoza.

--
Sincerely,
César Hernández Mendoza.
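The question in the thread is whether a token whose "groups" claim holds only "crud" may call a method annotated @RolesAllowed({"crud", "read-only"}). Under JSR-250 the list is a set of roles any one of which grants access, and MP JWT maps the "groups" claim to the caller's roles, so such a token is authorized. The following is an added example written for this page, not code from the thread or from the TomEE project, and it is in Python rather than Java because the point is the decision rule, not the container plumbing. It assumes the container has already verified the token's RS256 signature, issuer and expiry before the role check (only claim extraction is modelled), and the tokens, subjects and groups below are constructed test input signed with alg "none", which a real deployment must never accept. It also contrasts the correct any-of rule with the all-of reading the question raises, so the difference between a 200 and a wrong 403 is visible on the same input.

```python
import base64
import json

# Roles listed on the endpoint under discussion, i.e. @RolesAllowed({"crud", "read-only"})
ROLES_ALLOWED = ("crud", "read-only")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_from_jwt(token: str) -> dict:
    """Parse the payload of a compact JWT (header.payload.signature).

    Assumption: the container has already verified the RS256 signature,
    issuer and expiry as MP JWT requires; only claim extraction is shown.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def groups_of(claims: dict) -> frozenset:
    """The MP JWT 'groups' claim, which the container maps to the caller's roles."""
    groups = claims.get("groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("'groups' must be a JSON array of strings")
    return frozenset(groups)


def has_any_role(roles, claims) -> bool:
    """JSR-250 @RolesAllowed rule: access when the caller holds at least one listed role."""
    return not frozenset(roles).isdisjoint(groups_of(claims))


def has_all_roles(roles, claims) -> bool:
    """The other reading raised in the thread (caller must hold every listed role).
    Included only for contrast; this is NOT what @RolesAllowed means."""
    return frozenset(roles) <= groups_of(claims)


def authorize(token: str, roles=ROLES_ALLOWED, require_all=False) -> int:
    """HTTP status the endpoint should return for this token.

    401: the token cannot be parsed (an authentication failure, not a role problem)
    403: the token is fine but carries none of the required groups
    200: the caller is authorized
    """
    try:
        claims = claims_from_jwt(token)
    except (ValueError, TypeError):
        return 401
    try:
        check = has_all_roles if require_all else has_any_role
        return 200 if check(roles, claims) else 403
    except ValueError:
        return 403  # a malformed 'groups' claim grants nothing


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input only: alg 'none' with an empty signature.
    A real MP JWT token must be RS256-signed; never accept 'none' in production."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens with hypothetical subjects; the first two are the
# "type 1" (crud only) and "type 2" (read-only only) cases from the thread
TOKEN_CRUD_ONLY = make_unsigned_token({"sub": "alice", "groups": ["crud"]})
TOKEN_READ_ONLY = make_unsigned_token({"sub": "bob", "groups": ["read-only"]})
TOKEN_BOTH = make_unsigned_token({"sub": "carol", "groups": ["crud", "read-only"]})
TOKEN_OTHER = make_unsigned_token({"sub": "dave", "groups": ["guest"]})
TOKEN_NO_GROUPS = make_unsigned_token({"sub": "erin"})

if __name__ == "__main__":
    cases = [("crud only", TOKEN_CRUD_ONLY), ("read-only only", TOKEN_READ_ONLY),
             ("both", TOKEN_BOTH), ("other group", TOKEN_OTHER), ("no groups", TOKEN_NO_GROUPS)]
    for name, tok in cases:
        print(f"{name:15} any-of -> {authorize(tok)}   all-of -> {authorize(tok, require_all=True)}")
```

Running it shows that the crud-only and read-only-only tokens both get 200 under the any-of rule and would get a spurious 403 under the all-of reading, which is the symptom to look for when switching the test to token type "2". Two caveats worth keeping separate when writing the test: a token that fails parsing or signature verification is a 401 (authentication), while a verified token that simply lacks every listed group is a 403 (authorization), and the role check above is only meaningful after the container's signature check has run.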
