Payara and JWT

Findulas

Apr 11, 2018, 10:57:35 AM
to Payara Forum
Hello,

I want to use JSON Web Tokens for the authentication and authorization of users against a JAX-RS web service.

I managed to write a LoginModule to parse the Bearer token and set the groups. My problem is that the WebPrincipal is set in the RealmAdapter, but the username is not known there.

I use followed up authorizations for EJB; Payara is full stack.

Can you point me to a place where I can implement a pre-auth filter to extract the username from the token and simulate a basic auth? Or do you have another idea for getting the RealmAdapter to use the User-Principal from the LoginModule?

Thanks and greetings!


Payara Version: 4.1.2.181

Steve Millidge

Apr 12, 2018, 5:08:46 AM
to Payara Forum
Have you tried using the JWT support built into 4.181? https://docs.payara.fish/v/181/documentation/microprofile/jwt.html 

Findulas

Apr 12, 2018, 10:31:36 AM
to Payara Forum
I'll have a look at it.

Thanks for pointing me there.

Findulas

Apr 16, 2018, 9:35:25 AM
to Payara Forum
Hi,

I worked through the documentation, but cannot get the JWT running. I used the sample and changed the Payara version to 4.1.2.181 and the server to full. This works. Deploying to a new domain yields an unauthorized answer.

I looked at the logs and there is a difference during deployment:

This one is from the standalone server.
[Payara 4.1] [WARNUNG] [] [org.glassfish.jersey.internal.Errors] [tid: _ThreadID=98 _ThreadName=admin-thread-pool::admin-listener(5)] [timeMillis: 1523884502336] [levelValue: 900] [[
 
The following warnings have been detected: WARNING: Parameter interceptedBean of type javax.enterprise.inject.spi.Bean<?> from private javax.enterprise.inject.spi.Bean<?> org.glassfish.soteria.cdi.RememberMeInterceptor.interceptedBean is not resolvable to a concrete type.
]]
[Payara 4.1] [WARNUNG] [] [org.glassfish.jersey.internal.Errors] [tid: _ThreadID=98 _ThreadName=admin-thread-pool::admin-listener(5)] [timeMillis: 1523884502338] [levelValue: 900] [[
 
The following warnings have been detected: WARNING: Parameter interceptedBean of type javax.enterprise.inject.spi.Bean<?> from private javax.enterprise.inject.spi.Bean<?> org.glassfish.soteria.cdi.LoginToContinueInterceptor.interceptedBean is not resolvable to a concrete type.
]]

This one is from the test (Arquillian).
[Payara 4.1] [INFORMATION] [] [fish.payara.microprofile.jwtauth.servlet.RolesDeclarationInitializer] [tid: _ThreadID=61 _ThreadName=admin-thread-pool::admin-listener(1)] [timeMillis: 1523884566671] [levelValue: 800] [[
 
Initializing MP-JWT 4.1.2.181 for context '/e429e266-3d8a-4bfd-9d75-6ac2c3d78755']]

Do you have a hint for me?

Greetings

Steve Millidge

Apr 16, 2018, 12:22:52 PM
to Payara Forum
Have you set Soteria and Jersey as a provided api to ensure they are not packaged into your application?

Findulas

Apr 17, 2018, 5:35:48 AM
to Payara Forum
Hi,

I just used the resulting war of the microprofile examples project (https://github.com/javaee-samples/microprofile1.2-samples/tree/master/jwt-auth). I changed some dependencies to remove the test-utils from the war.

A fresh started payaraDomain from 4.1.2.181 produces the following output:

INFORMATION:   Virtual server server loaded default web module 
Information:   WELD-000900: 2.4.6 (Final)
WARNUNG:   Could not load service class fish.payara.appserver.roles.api.extension.RolesCDIExtension
Information:   WELD-000411: Observer method [BackedAnnotatedMethod] private org.glassfish.jersey.ext.cdi1x.internal.CdiComponentProvider.processAnnotatedType(@Observes ProcessAnnotatedType) receives events for all annotated types. Consider restricting events using @WithAnnotations or a generic type with bounds.
WARNUNG:   The following warnings have been detected: WARNING: Parameter interceptedBean of type javax.enterprise.inject.spi.Bean<?> from private javax.enterprise.inject.spi.Bean<?> org.glassfish.soteria.cdi.RememberMeInterceptor.interceptedBean is not resolvable to a concrete type.

WARNUNG:   The following warnings have been detected: WARNING: Parameter interceptedBean of type javax.enterprise.inject.spi.Bean<?> from private javax.enterprise.inject.spi.Bean<?> org.glassfish.soteria.cdi.LoginToContinueInterceptor.interceptedBean is not resolvable to a concrete type.

INFORMATION:   Initializing Soteria 1.1-b01 for context '/jaxrs'
WARN:   WELD-000718: No EEModuleDescriptor defined for bean archive with ID: MicroProfile_1.2.war. @Initialized and @Destroyed events for ApplicationScoped may be fired twice.
INFORMATION:   Cannot find the resource bundle for the name com.sun.logging.enterprise.system.core.naming for class org.glassfish.concurrent.runtime.deployer.ConcurrentObjectFactory using org.glassfish.main.concurrent.impl [43]
INFORMATION:   Loading application [MicroProfile_1.2:_JWT-AUTH_-_JAX-RS] at [/jaxrs]
INFORMATION:   MicroProfile_1.2:_JWT-AUTH_-_JAX-RS was successfully deployed in 4.476 milliseconds.
WARNUNG:   WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Failed file login for .

I changed the log level and it showed that the login failure is thrown by a password login. The war file does not contain any jars.


The Arquillian test server (changed from web to full profile and after renaming payaradomain to production) produces the following output:

[2018-04-17T10:32:37.110+0200] [Payara 4.1] [INFORMATION] [AS-WEB-GLUE-00201] [javax.enterprise.web] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953957110] [levelValue: 800] [[
  Virtual server server loaded default web module ]]

[2018-04-17T10:32:37.722+0200] [Payara 4.1] [INFO] [] [org.jboss.weld.Version] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953957722] [levelValue: 800] [[
  WELD-000900: 2.4.6 (Final)]]

[2018-04-17T10:32:37.945+0200] [Payara 4.1] [WARNUNG] [] [ServiceLoader] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953957945] [levelValue: 900] [[
  Could not load service class fish.payara.appserver.roles.api.extension.RolesCDIExtension]]

[2018-04-17T10:32:38.410+0200] [Payara 4.1] [INFO] [] [org.jboss.weld.Event] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953958410] [levelValue: 800] [[
  WELD-000411: Observer method [BackedAnnotatedMethod] private org.glassfish.jersey.ext.cdi1x.internal.CdiComponentProvider.processAnnotatedType(@Observes ProcessAnnotatedType) receives events for all annotated types. Consider restricting events using @WithAnnotations or a generic type with bounds.]]

[2018-04-17T10:32:39.279+0200] [Payara 4.1] [INFORMATION] [] [org.glassfish.soteria.servlet.SamRegistrationInstaller] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959279] [levelValue: 800] [[
  Initializing Soteria 1.1-b01 for context '/772d7af9-1b3a-4305-a939-d556cfb6c74d']]

[2018-04-17T10:32:39.449+0200] [Payara 4.1] [INFORMATION] [] [fish.payara.microprofile.jwtauth.servlet.RolesDeclarationInitializer] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959449] [levelValue: 800] [[
  Initializing MP-JWT 4.1.2.181 for context '/772d7af9-1b3a-4305-a939-d556cfb6c74d']]

[2018-04-17T10:32:39.452+0200] [Payara 4.1] [WARN] [] [org.jboss.weld.Servlet] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959452] [levelValue: 900] [[
  WELD-000718: No EEModuleDescriptor defined for bean archive with ID: 772d7af9-1b3a-4305-a939-d556cfb6c74d.war. @Initialized and @Destroyed events for ApplicationScoped may be fired twice.]]

[2018-04-17T10:32:39.518+0200] [Payara 4.1] [INFORMATION] [] [] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959518] [levelValue: 800] [[
  Cannot find the resource bundle for the name com.sun.logging.enterprise.system.core.naming for class org.glassfish.concurrent.runtime.deployer.ConcurrentObjectFactory using org.glassfish.main.concurrent.impl [43]]]

[2018-04-17T10:32:39.778+0200] [Payara 4.1] [INFORMATION] [AS-WEB-GLUE-00172] [javax.enterprise.web] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959778] [levelValue: 800] [[
  Loading application [772d7af9-1b3a-4305-a939-d556cfb6c74d] at [/772d7af9-1b3a-4305-a939-d556cfb6c74d]]]

[2018-04-17T10:32:39.833+0200] [Payara 4.1] [INFORMATION] [] [javax.enterprise.system.core] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959833] [levelValue: 800] [[
  772d7af9-1b3a-4305-a939-d556cfb6c74d was successfully deployed in 3.524 milliseconds.]]

Findulas

Apr 18, 2018, 9:40:49 AM
to Payara Forum
Okay, I got it working.

What was missing is an empty beans.xml in the WEB-INF path of the war.

If you deploy using an EAR, you have to map the roles to Principals (either groups or names).

Now I can go on. The next thing I want to do is to move the public key from the application root to some configuration folder.

Hope this helps a little bit.

Have a good day.
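
A pre-deployment check built from the points raised in this thread, as an added example that is not part of any post and not Payara code: it looks for WEB-INF/beans.xml in the WAR, flags Soteria or Jersey jars packaged into it, and lists the contexts for which the server log shows the "Initializing MP-JWT" line. The function names, the jar-name prefixes, and the sample WAR and log contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Jar-name prefixes treated as server-provided (assumption, based on the
# thread's advice about Soteria and Jersey).
PROVIDED_PREFIXES = ("soteria", "jersey-")
# Log message shown in the thread for a deployment where MP-JWT was set up.
MPJWT_INIT = re.compile(r"Initializing MP-JWT \S+ for context '(/[^']*)'")


def check_war(war_bytes):
    """Return a list of findings for a WAR passed in as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
    if "WEB-INF/beans.xml" not in names:
        findings.append("missing WEB-INF/beans.xml")
    for name in names:
        if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
            jar = name.rsplit("/", 1)[1].lower()
            if jar.startswith(PROVIDED_PREFIXES):
                findings.append("bundled server-provided jar: " + jar)
    return findings


def mpjwt_contexts(log_text):
    """Context roots for which the log reports MP-JWT initialization."""
    return set(MPJWT_INIT.findall(log_text))


def build_war(entries):
    """Build a constructed sample WAR from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name, data in entries.items():
            war.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not taken from a real deployment.
BROKEN_WAR = build_war({"WEB-INF/web.xml": "<web-app/>",
                        "WEB-INF/lib/jersey-server-2.25.jar": b""})
FIXED_WAR = build_war({"WEB-INF/web.xml": "<web-app/>",
                       "WEB-INF/beans.xml": ""})
SAMPLE_LOG = ("Initializing Soteria 1.1-b01 for context '/jaxrs'\n"
              "Initializing MP-JWT 4.1.2.181 for context '/demo'\n")

if __name__ == "__main__":
    print(check_war(BROKEN_WAR))
    print(check_war(FIXED_WAR))
    print(sorted(mpjwt_contexts(SAMPLE_LOG)))
```

A context that appears in the Soteria line but not in the MP-JWT line, like '/jaxrs' in the sample log, matches the failing deployment described in the thread.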