Yes, I pushed the fix in g-jwt-auth to make it compliant with JWT-AUTH, the side note being that injecting a JsonWebToken as principal is not CDI compliant (you get a Principal proxy which is useless and not castable to a JsonWebToken unless you veto principal instances to replace them with the JsonWebToken one, which breaks apps in other ways - likely worse?). This is also why the TCK doesn't abuse that injection, since it can't really use it and it works with the bad TckSecurityService impl.

So long story short, the issue is that OWB enforces the built-in beans to be "application scoped" (i.e. the provider returns a proxy, otherwise the injections will not be contextual as expected) and the default impl is not. On that aspect the TomEE ManagedSecurityService#getCurrentPrincipal impl is clearly wrong.

Side note: in Meecrowave we have a config to know what we proxy and always return the same proxy, which solves that. We can likely push it back into OpenWebBeans, but only in the Tomcat integration, which is the only OWB impl with principal management (which has the same bug btw - likely because "current" is about the "current app" and not the "current context" in "getCurrentPrincipal", which is very misleading and not documented).

Hope it is clearer now and helps

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>

On Fri, Nov 2, 2018 at 17:10, jgallimore <[email protected]> wrote:

> Is this what you're referring to:
>
> https://github.com/apache/meecrowave/blob/trunk/meecrowave-core/src/main/java/org/apache/meecrowave/openwebbeans/MeecrowaveSecurityService.java
> - with the unwrap?
>
> That would make some sense, but is not catered for in
>
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
> .
>
> I can update my PR to include something similar, but it seems like a hard
> workaround for something that ought not to be a problem in the first place.
>
> Jon
>
>
>
> --
> Sent from:
> http://apache-geronimo.328035.n3.nabble.com/Development-f342155.html
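
The cast problem discussed in this thread, as an added illustration that is not part of the original messages and is not OpenWebBeans, TomEE, Meecrowave or geronimo-jwt-auth code. It uses a plain JDK dynamic proxy to stand in for the container's contextual `Principal` proxy; the nested `JsonWebToken` interface is a reduced stand-in for the MicroProfile type, and `Unwrappable` is a hypothetical hook.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.function.Supplier;

public class PrincipalProxyDemo {
    // Stand-in for the MicroProfile JsonWebToken type (assumption: reduced to one claim accessor).
    interface JsonWebToken extends Principal {
        String getIssuer();
    }

    // Hypothetical unwrap hook; the name and shape are assumptions made for this example.
    interface Unwrappable {
        Principal unwrap();
    }

    // Contextual proxy: resolves the current principal on every call, but its own
    // type only exposes Principal (plus the unwrap hook), never JsonWebToken.
    static Principal contextualProxy(Supplier<Principal> current) {
        return (Principal) Proxy.newProxyInstance(
                PrincipalProxyDemo.class.getClassLoader(),
                new Class<?>[]{Principal.class, Unwrappable.class},
                (proxy, method, args) -> {
                    if (method.getDeclaringClass() == Unwrappable.class) {
                        return current.get(); // hand back the real instance
                    }
                    try {
                        return method.invoke(current.get(), args);
                    } catch (InvocationTargetException e) {
                        throw e.getCause();
                    }
                });
    }

    public static void main(String[] args) {
        JsonWebToken token = new JsonWebToken() { // constructed sample principal
            public String getName() { return "alice"; }
            public String getIssuer() { return "https://issuer.example"; }
        };
        Principal injected = contextualProxy(() -> token);

        // Principal methods delegate to whatever the supplier returns at call time.
        System.out.println("name via proxy: " + injected.getName());
        // The proxy class does not implement JsonWebToken, so a direct cast
        // to JsonWebToken would throw ClassCastException.
        System.out.println("proxy is a JsonWebToken: " + (injected instanceof JsonWebToken));
        // Claims only become reachable on the unwrapped instance.
        Principal real = ((Unwrappable) injected).unwrap();
        if (real instanceof JsonWebToken) {
            System.out.println("issuer after unwrap: " + ((JsonWebToken) real).getIssuer());
        }
    }
}
```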
