> On Feb 14, 2018, at 8:49 AM, Mark Struberg <strub...@yahoo.de.INVALID> wrote:
>> I think one of the things we'll find most puzzling about how to do the 
>> integration is that the Tomcat flavor of this is written assuming the users 
>> exist in a Tomcat Realm.  The whole point of JWT is that they do not and the 
>> server has no such state.
>> https://github.com/apache/tomee/blob/master/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/TomcatSecurityService.java
>> I think we'll grapple with questions like "should we support some local 
>> override if the user happens to exist locally?"  Certainly, we could.  I 
>> might suggest we don't for the first prototype and add that later.
> Didn't think about this yet, but I assume that's because their contract is to 
> keep HttpServletRequest#getUserPrincipal() and #isUserInRole working, even 
> for JWT?


> Don't know from the back of my mind about the MicroProfile-JWT contract. But 
> MicroProfile NOT being based on Servlets I assume they have just an 
> @Inject-able org.eclipse.microprofile.jwt.JsonWebToken [1].
> While this extends Principal I still think it will be hard to tweak 
> HttpServletRequest to work with it.
> But do we? 

We do, yes.

You're correct in that MicroProfile itself doesn't include Servlets, EJB, etc. 
but making sure JWTs worked for those things is definitely what we were trying 
to do in defining the spec.  The goal is that 100% of the security concepts in 
Java EE would work against a JWT; EJB isCallerInRole, EJB @RolesAllowed, 
Servlet getCallerPrincipal, exposing a JWT as a Principal, a few new Java EE 
Security calls, etc.

The fact that MicroProfile itself doesn't require the specs for all the touch 
points we needed/wanted was handled by effectively making all those things 
optional.  Despite them being optional, we tried to phrase it like "if you do 
implement it, it should work like this" and there are TCK tests to go along 
with a good chunk of it.

We were very much trying to define EE security as it pertains to JWT, while 
doing our best to navigate the Java EE and MicroProfile relationship.

Now that EE is moving to Eclipse, EE Security and MicroProfile JWT security are 
highly likely to meld in some way.


Reply via email to