> On Feb 13, 2018, at 3:43 AM, John D. Ament <johndam...@apache.org> wrote:
>
> The JWT spec is weird, because it defined non-MP runtime behavior in addition
> to MP runtime behavior; so there may be more integration work in a fuller app
> server like TomEE.

Agreed. I'd describe the MicroProfile JWT spec as almost all integration. There are also optional integration parts for EJB which I think we'd definitely implement.

> On Feb 13, 2018, at 6:53 AM, Mark Struberg <strub...@yahoo.de.INVALID> wrote:
>
> I know JWT a bit and I wonder whether doing the signing part is just a bit of
> Json (JSON-P) + commons-crypto?
> After all JWT is especially designed to be lightweight and straightforward.

Agreed. We could definitely get by with JSON-P and even the built-in JVM crypto. No need for commons-crypto.

The MicroProfile JWT specification is intentionally "opinionated" about the JWT format and only allows for compact JWTs and RSA signatures. The actual JOSE specifications allow for much greater flexibility and options, which is why libraries like Nimbus exist.

That said, I would still probably prototype with Nimbus and cut it out only after everything works. Just to make sure I was focusing on the right part of the problem.

> On Feb 13, 2018, at 7:58 AM, Mark Struberg <strub...@yahoo.de.INVALID> wrote:
>
> I'm more worried about the authorisation and authentication interface.
> Anything EE security seems way too heavyweight for me. This might work out
> for TomEE, but would kill its use in any more lightweight approach.

> On Feb 13, 2018, at 11:27 AM, Rudy De Busscher <rdebussc...@gmail.com> wrote:
>
> I used JASPIC as it seemed the most natural way to feed the EE system
> with authorisation
> and authentication into the system.
>
> But probably need deep integration with server code because otherwise, the
> JWT authentication mechanism is an all or nothing system, which is not the
> best solution (maybe less a problem with MicroServices but if you want to
> use it in a more general way it is an obstacle)

These last two are very related. JASPIC would be great, but TomEE (specifically the OpenEJB part) doesn't implement it. All of the EJB calls for isCallerInRole etc. are wired in and fed through this interface.

https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/spi/SecurityService.java

I think one of the things we'll find most puzzling about how to do the integration is that the Tomcat flavor of this is written assuming the users exist in a Tomcat Realm. The whole point of JWT is that they do not and the server has no such state.

https://github.com/apache/tomee/blob/master/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/TomcatSecurityService.java

I think we'll grapple with questions like "should we support some local override if the user happens to exist locally?" Certainly, we could. I might suggest we don't for the first prototype and add that later.

-David
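As an added example that is not part of this thread or of the TomEE code base: the "JSON-P plus built-in JVM crypto" approach David agrees with above, written out as a hypothetical `CompactJwtVerifier`. It uses only `javax.json` (JSON-P; an implementation such as Apache Johnzon is assumed on the classpath) and `java.security`, pins the algorithm to RS256 as MicroProfile JWT does, and checks the signature before any claim is read. The class and method names, the sample issuer URL, the user and group values, and the throwaway RSA key pair generated in `main` are all constructed for the example; the claim names (`iss`, `upn`, `groups`, `iat`, `exp`) are the MicroProfile JWT ones.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import javax.json.Json;
import javax.json.JsonArrayBuilder;
import javax.json.JsonObject;
import javax.json.JsonString;

/** Hypothetical verifier for MP-JWT style compact JWTs using JSON-P and java.security only (added example). */
public final class CompactJwtVerifier {

    private final PublicKey issuerKey;
    private final String expectedIssuer;

    public CompactJwtVerifier(PublicKey issuerKey, String expectedIssuer) {
        this.issuerKey = issuerKey;
        this.expectedIssuer = expectedIssuer;
    }

    /** Returns the claims if the token verifies; throws SecurityException on any failed check. */
    public JsonObject verify(String compactJwt) throws GeneralSecurityException {
        String[] parts = compactJwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new SecurityException("expected header.payload.signature");
        }
        JsonObject header = parseSegment(parts[0]);
        // MP-JWT fixes the algorithm to RS256, so the header is compared against that constant instead of
        // being allowed to choose the algorithm: "none" or HMAC headers are rejected before any crypto runs.
        if (!"RS256".equals(header.getString("alg", null))) {
            throw new SecurityException("unsupported alg: " + header.getString("alg", "<missing>"));
        }
        // The signed input is the ASCII text of the first two segments joined by '.', exactly as transmitted.
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initVerify(issuerKey);
        rsa.update(signingInput);
        if (!rsa.verify(Base64.getUrlDecoder().decode(parts[2]))) {
            throw new SecurityException("signature does not verify");
        }
        // Only once the signature holds are the claims parsed and trusted.
        JsonObject claims = parseSegment(parts[1]);
        if (!expectedIssuer.equals(claims.getString("iss", null))) {
            throw new SecurityException("unexpected issuer");
        }
        if (!claims.containsKey("exp") || claims.getJsonNumber("exp").longValue() <= Instant.now().getEpochSecond()) {
            throw new SecurityException("token expired or has no exp");
        }
        return claims;
    }

    /** The groups claim as a Set, i.e. what an isCallerInRole-style check would consult. */
    public static Set<String> groups(JsonObject claims) {
        if (!claims.containsKey("groups")) {
            return Collections.emptySet();
        }
        return claims.getJsonArray("groups").getValuesAs(JsonString.class).stream()
                .map(JsonString::getString).collect(Collectors.toSet());
    }

    private static JsonObject parseSegment(String base64UrlSegment) {
        // Compact serialization uses unpadded base64url; the JDK URL decoder accepts missing padding.
        String json = new String(Base64.getUrlDecoder().decode(base64UrlSegment), StandardCharsets.UTF_8);
        return Json.createReader(new StringReader(json)).readObject();
    }

    // Issuer side, present only so the example runs stand-alone against a throwaway key pair.
    static String sign(JsonObject claims, PrivateKey key) throws GeneralSecurityException {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(claims.toString().getBytes(StandardCharsets.UTF_8));
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initSign(key);
        rsa.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        return header + "." + payload + "." + enc.encodeToString(rsa.sign());
    }

    static JsonObject sampleClaims(long now, String... groupNames) {
        JsonArrayBuilder groups = Json.createArrayBuilder();
        for (String g : groupNames) groups.add(g);
        return Json.createObjectBuilder()
                .add("iss", "https://issuer.example")   // constructed sample issuer
                .add("upn", "alice@example")
                .add("groups", groups)
                .add("iat", now)
                .add("exp", now + 300)
                .build();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        long now = Instant.now().getEpochSecond();

        String token = sign(sampleClaims(now, "user"), kp.getPrivate());
        CompactJwtVerifier verifier = new CompactJwtVerifier(kp.getPublic(), "https://issuer.example");
        JsonObject ok = verifier.verify(token);
        System.out.println("accepted upn=" + ok.getString("upn") + " groups=" + groups(ok));

        // Same signature, edited payload (an extra group): the signature no longer covers it and must fail.
        String[] p = token.split("\\.");
        String editedPayload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(sampleClaims(now, "user", "admin").toString().getBytes(StandardCharsets.UTF_8));
        try {
            verifier.verify(p[0] + "." + editedPayload + "." + p[2]);
            System.out.println("BUG: edited token accepted");
        } catch (SecurityException expected) {
            System.out.println("edited token rejected: " + expected.getMessage());
        }
    }
}
```

The two checks that carry the security weight are the ones that are easy to get backwards in a first prototype: the `alg` header is compared against the single algorithm the server is willing to accept rather than used to pick a `Signature` instance, and the payload is parsed only after `Signature.verify` has returned true, so nothing in the claims influences verification. Everything else (issuer, expiry, group extraction) is the stateless replacement for the Tomcat Realm lookup discussed above.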