Payara and JWT

[Findulas]

Hello,

I want to use JsonWebTokens for the authentication and authorization of users against an jax-rs web-service.

I manage to write an LoginModule to parse the Bearer Token and set the groups. My problem is that the WebPrincipal is set in the RealmAdapter, but the username is not known there.

I use followed up authorizations for EJB, payara is full stack.

Can you point me to a place where I can implement a pre-auth-filter to extract the username from the token and simulate a basic auth? Or do you have another idea for getting the RealmAdapter use the User-Principal from the LoginModule.

Thanks and greetings!

Payara Version: 4.1.2.181

[Steve Millidge]

Have you tried using the JWT support built into 4.181? https://docs.payara.fish/v/181/documentation/microprofile/jwt.html 

[Findulas]

I'll have a look at it.

Thanks for pointing me there.

[Findulas]

Hi,

I worked through the documentation, but cannot get the JWT running. I use the sample and change the payara version to 4.1.2.181 and the server to full. This works. Deploying to a new domain yields an unauthorized answer.

I look at the logs and there is a difference during deployment:

This one is from the standalone server.

[Payara 4.1] [WARNUNG] [] [org.glassfish.jersey.internal.Errors] [tid: _ThreadID=98 _ThreadName=admin-thread-pool::admin-listener(5)] [timeMillis: 1523884502336] [levelValue: 900] [[
  The following warnings have been detected: WARNING: Parameter interceptedBean of type javax.enterprise.inject.spi.Bean<?> from private javax.enterprise.inject.spi.Bean<?> org.glassfish.soteria.cdi.RememberMeInterceptor.interceptedBean is not resolvable to a concrete type.
]]
[Payara 4.1] [WARNUNG] [] [org.glassfish.jersey.internal.Errors] [tid: _ThreadID=98 _ThreadName=admin-thread-pool::admin-listener(5)] [timeMillis: 1523884502338] [levelValue: 900] [[
  The following warnings have been detected: WARNING: Parameter interceptedBean of type javax.enterprise.inject.spi.Bean<?> from private javax.enterprise.inject.spi.Bean<?> org.glassfish.soteria.cdi.LoginToContinueInterceptor.interceptedBean is not resolvable to a concrete type.
]]

This one is from the test (Arquillian).

[Payara 4.1] [INFORMATION] [] [fish.payara.microprofile.jwtauth.servlet.RolesDeclarationInitializer] [tid: _ThreadID=61 _ThreadName=admin-thread-pool::admin-listener(1)] [timeMillis: 1523884566671] [levelValue: 800] [[
  Initializing MP-JWT 4.1.2.181 for context '/e429e266-3d8a-4bfd-9d75-6ac2c3d78755']]

Do you have a hint for me?

Greetings

[Steve Millidge]

Have you set Soteria and Jersey as a provided api to ensure they are not packaged into your application?

[Findulas]

Hi,

I just used the resultiing war of the microprofile examples project(https://github.com/javaee-samples/microprofile1.2-samples/tree/master/jwt-auth). I changed some dependecies to remove the test-utils from the war.

A fresh started payaraDomain from 4.1.2.181 produces the following output:

INFORMATION:   Virtual server server loaded default web module 

Information:   WELD-000900: 2.4.6 (Final)

WARNUNG:   Could not load service class fish.payara.appserver.roles.api.extension.RolesCDIExtension

Information:   WELD-000411: Observer method [BackedAnnotatedMethod] private org.glassfish.jersey.ext.cdi1x.internal.CdiComponentProvider.processAnnotatedType(@Observes ProcessAnnotatedType) receives events for all annotated types. Consider restricting events using @WithAnnotations or a generic type with bounds.

WARNUNG:   The following warnings have been detected: WARNING: Parameter interceptedBean of type javax.enterprise.inject.spi.Bean<?> from private javax.enterprise.inject.spi.Bean<?> org.glassfish.soteria.cdi.RememberMeInterceptor.interceptedBean is not resolvable to a concrete type.

WARNUNG:   The following warnings have been detected: WARNING: Parameter interceptedBean of type javax.enterprise.inject.spi.Bean<?> from private javax.enterprise.inject.spi.Bean<?> org.glassfish.soteria.cdi.LoginToContinueInterceptor.interceptedBean is not resolvable to a concrete type.

INFORMATION:   Initializing Soteria 1.1-b01 for context '/jaxrs'

WARN:   WELD-000718: No EEModuleDescriptor defined for bean archive with ID: MicroProfile_1.2.war. @Initialized and @Destroyed events for ApplicationScoped may be fired twice.

INFORMATION:   Cannot find the resource bundle for the name com.sun.logging.enterprise.system.core.naming for class org.glassfish.concurrent.runtime.deployer.ConcurrentObjectFactory using org.glassfish.main.concurrent.impl [43]

INFORMATION:   Loading application [MicroProfile_1.2:_JWT-AUTH_-_JAX-RS] at [/jaxrs]

INFORMATION:   MicroProfile_1.2:_JWT-AUTH_-_JAX-RS was successfully deployed in 4.476 milliseconds.

WARNUNG:   WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Failed file login for .

I changed the log level and it showed, that the login failed is thrown by a passwordlogin. The war file does not contain any jars.

The arquillian test server (changed from web tu full profile and after renaming payaradomain to production) produces the following output:

[2018-04-17T10:32:37.110+0200] [Payara 4.1] [INFORMATION] [AS-WEB-GLUE-00201] [javax.enterprise.web] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953957110] [levelValue: 800] [[

  Virtual server server loaded default web module ]]

[2018-04-17T10:32:37.722+0200] [Payara 4.1] [INFO] [] [org.jboss.weld.Version] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953957722] [levelValue: 800] [[

  WELD-000900: 2.4.6 (Final)]]

[2018-04-17T10:32:37.945+0200] [Payara 4.1] [WARNUNG] [] [ServiceLoader] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953957945] [levelValue: 900] [[

  Could not load service class fish.payara.appserver.roles.api.extension.RolesCDIExtension]]

[2018-04-17T10:32:38.410+0200] [Payara 4.1] [INFO] [] [org.jboss.weld.Event] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953958410] [levelValue: 800] [[

  WELD-000411: Observer method [BackedAnnotatedMethod] private org.glassfish.jersey.ext.cdi1x.internal.CdiComponentProvider.processAnnotatedType(@Observes ProcessAnnotatedType) receives events for all annotated types. Consider restricting events using @WithAnnotations or a generic type with bounds.]]

[2018-04-17T10:32:39.279+0200] [Payara 4.1] [INFORMATION] [] [org.glassfish.soteria.servlet.SamRegistrationInstaller] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959279] [levelValue: 800] [[

  Initializing Soteria 1.1-b01 for context '/772d7af9-1b3a-4305-a939-d556cfb6c74d']]

[2018-04-17T10:32:39.449+0200] [Payara 4.1] [INFORMATION] [] [fish.payara.microprofile.jwtauth.servlet.RolesDeclarationInitializer] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959449] [levelValue: 800] [[

  Initializing MP-JWT 4.1.2.181 for context '/772d7af9-1b3a-4305-a939-d556cfb6c74d']]

[2018-04-17T10:32:39.452+0200] [Payara 4.1] [WARN] [] [org.jboss.weld.Servlet] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959452] [levelValue: 900] [[

  WELD-000718: No EEModuleDescriptor defined for bean archive with ID: 772d7af9-1b3a-4305-a939-d556cfb6c74d.war. @Initialized and @Destroyed events for ApplicationScoped may be fired twice.]]

[2018-04-17T10:32:39.518+0200] [Payara 4.1] [INFORMATION] [] [] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959518] [levelValue: 800] [[

  Cannot find the resource bundle for the name com.sun.logging.enterprise.system.core.naming for class org.glassfish.concurrent.runtime.deployer.ConcurrentObjectFactory using org.glassfish.main.concurrent.impl [43]]]

[2018-04-17T10:32:39.778+0200] [Payara 4.1] [INFORMATION] [AS-WEB-GLUE-00172] [javax.enterprise.web] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959778] [levelValue: 800] [[

  Loading application [772d7af9-1b3a-4305-a939-d556cfb6c74d] at [/772d7af9-1b3a-4305-a939-d556cfb6c74d]]]

[2018-04-17T10:32:39.833+0200] [Payara 4.1] [INFORMATION] [] [javax.enterprise.system.core] [tid: _ThreadID=88 _ThreadName=admin-thread-pool::admin-listener(2)] [timeMillis: 1523953959833] [levelValue: 800] [[

  772d7af9-1b3a-4305-a939-d556cfb6c74d was successfully deployed in 3.524 milliseconds.]]

[Findulas]

Okay, I got it working.

What was missing, is an empty beans.xml in the WEB-INF path of the war.

If you deploy using an EAR, you have to map the roles to Principals (either groups or names)

Now I can go on. Next I want to do is to move the public key from the application root to some configuration folder.

Hope this helps a little bit.

Hav a good day.