[jira] [Commented] (OFBIZ-10814) Error parsing JWT

Sun, 03 Feb 2019 01:05:39 -0800 


    [ 
https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16759341#comment-16759341
 ] 

Jacques Le Roux commented on OFBIZ-10814:
-----------------------------------------

Hi Michael,

Should we not use HttpHeaders.AUTHORIZATION in JWTManager::checkJWTLogin?
Also, please add a new line at the end of security.properties, it's else 
sometimes difficult to read (got issue in Eclipse Photon)

All, forget my question about
bq.  "USERNAME" and "PASSWORD" as parameters in a request
We already use that to sign in  without having to pass to the login screen and 
type credentials, that's OK with me.


> Error parsing JWT
> -----------------
>
>                 Key: OFBIZ-10814
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10814
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>         Attachments: Apache OFBiz JWT Test.postman_collection.json, 
> OFBIZ-10814_JWT_parsing_error.patch, 
> OFBIZ-10814_JWT_parsing_error_and_refactoring.patch, 
> OFBIZ-10814_JWT_parsing_error_examples.patch
>
>
> I have problems using the Authorization: Bearer header value for requests 
> towards OFBiz. OFBiz has problems parsing externally generated JSON Web 
> Tokens.
> I have generated them using both [1] and [2] using HS512 and the default 
> secret.
> The JWT check fails because of a parsing error:
> {noformat}
> 2019-01-17 16:48:36,233 |jsse-nio-8443-exec-7 |JavaEventHandler              
> |E| Problems Processing Event
> io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: 
> �z��'G�#�$�uB"�&�r#�$�3S"
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541)
>  ~[jjwt-0.9.1.jar:0.9.1]
>     at 
> org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) 
> ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292)
>  ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196)
>  ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:1.8.0_152]
>     at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
> ~[?:1.8.0_152]
>     at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at 
> org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86)
>  [ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774)
>  [ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407)
>  [ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) 
> [ofbiz.jar:?]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191)
>  [ofbiz.jar:?]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156)
>  [ofbiz.jar:?]
>     at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) 
> [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) 
> [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) 
> [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) 
> [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>  [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
>  [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
>  [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>  [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  [?:1.8.0_152]
>     at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  [?:1.8.0_152]
>     at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>  [tomcat-util-9.0.13.jar:9.0.13]
>     at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character 
> ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed 
> between tokens
>  at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2]
>     at 
> com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) 
> ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669)
>  ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620)
>  ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350)
>  ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646)
>  ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141)
>  ~[jackson-databind-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000)
>  ~[jackson-databind-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) 
> ~[jackson-databind-2.9.6.jar:2.9.6]
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     ... 42 more
> 2019-01-17 16:48:36,237 |jsse-nio-8443-exec-7 |RequestHandler                
> |E| null
> org.apache.ofbiz.webapp.event.EventHandlerException: Problems processing 
> event: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: 
> �z��'G�#�$�uB"�&�r#�$�3S" (Unable to read JSON value: 
> �z��'G�#�$�uB"�&�r#�$�3S")
>     at 
> org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:94)
>  ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774)
>  ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407)
>  [ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) 
> [ofbiz.jar:?]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191)
>  [ofbiz.jar:?]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156)
>  [ofbiz.jar:?]
>     at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) 
> [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) 
> [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) 
> [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) 
> [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>  [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
>  [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
>  [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>  [tomcat-coyote-9.0.13.jar:9.0.13]
>     at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  [?:1.8.0_152]
>     at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  [?:1.8.0_152]
>     at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>  [tomcat-util-9.0.13.jar:9.0.13]
>     at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: 
> �z��'G�#�$�uB"�&�r#�$�3S"
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541)
>  ~[jjwt-0.9.1.jar:0.9.1]
>     at 
> org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) 
> ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292)
>  ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196)
>  ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:1.8.0_152]
>     at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
> ~[?:1.8.0_152]
>     at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at 
> org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86)
>  ~[ofbiz.jar:?]
>     ... 31 more
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character 
> ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed 
> between tokens
>  at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2]
>     at 
> com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) 
> ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669)
>  ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620)
>  ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350)
>  ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646)
>  ~[jackson-core-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141)
>  ~[jackson-databind-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000)
>  ~[jackson-databind-2.9.6.jar:2.9.6]
>     at 
> com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) 
> ~[jackson-databind-2.9.6.jar:2.9.6]
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541)
>  ~[jjwt-0.9.1.jar:0.9.1]
>     at 
> org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) 
> ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292)
>  ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196)
>  ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:1.8.0_152]
>     at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
> ~[?:1.8.0_152]
>     at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at 
> org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86)
>  ~[ofbiz.jar:?]
>     ... 31 more{noformat}
> If I create a JWT in [2] and paste it in [1] with a not Base64 encoded 
> secret, the JWT claims are displayed fine so I think they are correct and 
> parsable.
> You can test using
> {noformat}
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0OCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg{noformat}
>  
> Any ideas what could be wrong?
>  
> [1] [https://jwt.io/]
> [2] [http://jwtbuilder.jamiekurtz.com/]
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to