Fail to @Inject JsonWebToken when trying to use microprofile-jwt-auth

Victor

Jun 6, 2018, 5:21:09 PM
to Payara Forum

I'm following the documentation found here: https://docs.payara.fish/documentation/microprofile/jwt.html

The code is packaged as a WAR file and deployed to payara micro 5.181

I'm implementing a sample REST service, and trying to inject a JsonWebToken so I can print the raw token to console output. However, the jsonWebToken.getRawToken() method (as well as any other claim) returns null. I'm probably doing something wrong, but I can't seem to figure out where the mistake is.

So far the steps I took:

1) Added maven dependency:

<dependency>
    <groupId>org.eclipse.microprofile</groupId>
    <artifactId>microprofile</artifactId>
    <version>1.2</version>
    <type>pom</type>
    <scope>provided</scope>
</dependency>
 
2) Added publicKey.pem file to src/main/reseources:

3) Added payara-mp-jwt.properties file to src/main/resources:

accepted.issuer=http://localhost:8180/auth/realms/master","authorization_endpoint

4) Application class contains @LoginConfig annotation:

@ApplicationPath("api")
@ApplicationScoped
@LoginConfig(authMethod = "MP-JWT")
public class ApplicationConfig extends Application {

}

5) Controller Class is @RequestScoped and injects JsonWebToken:

@Path("rng")
@DenyAll
@RequestScoped
public class RNGController {

    @Inject
    private RNGService rngService;

    @Inject
    private JsonWebToken jsonWebToken;

6) Endpoint inside RNGController simply tries to print the raw token:

@GET
@Produces(MediaType.APPLICATION_JSON)
public Response generate(
        @QueryParam("min") @DefaultValue("0") long min,
        @QueryParam("max") @DefaultValue("10") long max) {

    System.out.println("token: " + jsonWebToken.getRawToken());

7) src/main/webapp/WEB-INF folder contains very simple web.xml, beans.xml, glassfish-web.xml files:

<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
    <display-name>Dummy Random Number Generator API</display-name>
</web-app>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN"
    "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<glassfish-web-app error-url="">
    <context-root>/</context-root>
</glassfish-web-app>

The log output of the server doesn't give out any errors.

Ondro Mihályi

Jun 7, 2018, 2:51:32 AM
to Victor, Payara Forum
How do you call the endpoint? A client needs to add a JWT authentication header to the HTTP request.

Ondro


Victor

Jun 7, 2018, 3:24:51 AM
to Payara Forum
I'm doing the request through postman.

I added the token as a "Bearer Token" on the Authorization tab. It seems to generate the header just fine.

Arjan Tijms

Jun 9, 2018, 10:43:08 AM
to Payara Forum
There's two things that stand out. First of all, is "src/main/reseources" the actual directory, or is that a typo?

Second thing, in payara-mp-jwt.properties you say you have:

"accepted.issuer=http://localhost:8180/auth/realms/master","authorization_endpoint"

Although it should work, you may try a simpler issuer to start with, just to be sure.

For example:

accepted.issuer=foo

Also, doesn't authentication work at all, or is it just the injection failing? What happens if you inject the SecurityContext and check its Principal?

Finally, you could try if the following example works for you:

https://github.com/javaee-samples/microprofile1.2-samples/tree/master/jwt-auth/jaxrs

If it works, try to change it into your code step by step to see where it stops working.

Kind regards,
Arjan

Victor

Jun 9, 2018, 3:03:45 PM
to Payara Forum

> There's two things that stand out. First of all, is "src/main/reseources" the actual directory, or is that a typo?

That was a typo. The directory is actually called "src/main/resources". I just verified it. I wrote it correctly on item 3.

> Second thing, in payara-mp-jwt.properties you say you have:
>
> "accepted.issuer=http://localhost:8180/auth/realms/master","authorization_endpoint"
>
> Although it should work, you may try a simpler issuer to start with, just to be sure.

Changing the issuer to foo both on the properties file and on token generation was of no use.

Just to give an example, this is the Authorization header sent with the request:

> Also, doesn't authentication work at all, or is it just the injection failing? What happens if you inject the SecurityContext and check its Principal?

If I add a @RolesAllowed annotation to my endpoint with "rng_master" role I get a 401 response.

If I try to inject javax.ws.rs.core.SecurityContext I get exceptions on WeldListener on server startup. Maybe something missing on my pom.xml?

I actually based my code on the github link you linked to. I may try a step by step approach, but on thorough inspection I don't see anything missing. I'm rather pessimistic about this attempt.

Victor

Jun 9, 2018, 3:10:03 PM
to Payara Forum

Also, my mistake.

I injected the SecurityContext with @Context this time around, like this:

@Context
private SecurityContext securityContext;

And try to print out the principal, like this:

System.out.println("principal: " + securityContext.getUserPrincipal());

I get null as well.

Arjan Tijms

Jun 10, 2018, 1:40:05 PM
to Payara Forum
Thanks for the follow up.

The core problem is thus not the injection of the token that fails, but authentication does not (correctly) take place.

You may want to turn on logging for the fish.payara.microprofile.jwtauth package.
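
[Added example, not part of the thread and not Payara code: a client-side check that decodes the bearer token and compares it with payara-mp-jwt.properties, to narrow down why authentication is not taking place. The function names, the exact-match issuer comparison and treating upn and groups as mandatory are assumptions of this sketch; the token in it is constructed.]

```python
import base64
import json
import time

MP_JWT_CLAIMS = ("upn", "groups")  # assumed mandatory for this example


def encode_segment(obj):  # dict -> base64url segment, used for constructed samples
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_segment(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def accepted_issuer(properties_text):
    """Return the accepted.issuer value from payara-mp-jwt.properties text."""
    pairs = (line.partition("=") for line in properties_text.splitlines())
    return next((v.strip() for k, _, v in pairs if k.strip() == "accepted.issuer"), None)


def diagnose(authorization, properties_text, role=None, now=None):
    """List likely rejection reasons; signature NOT verified, issuer match assumed exact."""
    scheme, _, token = authorization.partition(" ")
    parts = token.strip().split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return ["header is not 'Bearer <header>.<payload>.<signature>'"]
    try:
        claims = decode_segment(parts[1])
    except ValueError as exc:
        return [f"token payload is not base64url-encoded JSON: {exc}"]
    problems = []
    issuer = accepted_issuer(properties_text)
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != accepted.issuer {issuer!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired or has no exp claim")
    problems += [f"missing claim {c!r}" for c in MP_JWT_CLAIMS if c not in claims]
    if role and role not in claims.get("groups", []):
        problems.append(f"role {role!r} is not in the groups claim")
    return problems


if __name__ == "__main__":  # constructed token; issuer line as posted in step 3
    claims = {"iss": "http://localhost:8180/auth/realms/master", "exp": 4102444800}
    sample = "Bearer " + ".".join([encode_segment({"alg": "RS256"}), encode_segment(claims), "x"])
    props = 'accepted.issuer=http://localhost:8180/auth/realms/master","authorization_endpoint'
    print("\n".join(diagnose(sample, props, role="rng_master")))
```

An empty result only means the claims line up with the configuration; the RSA signature still has to verify against publicKey.pem on the server.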

Victor

Jun 10, 2018, 5:14:00 PM
to Payara Forum

I like this approach.

Is there a way to easily turn on logging for this package in Payara Micro? I'm far from being an expert on it.

Victor

Jun 12, 2018, 8:56:52 PM
to Payara Forum

Just for the sake of closure, I managed to make it work after upgrading to microprofile spec 1.3 after the release of payara-micro-5.182.

Thanks for all the help anyway!