> On Feb 14, 2018, at 8:49 AM, Mark Struberg <strub...@yahoo.de.INVALID> wrote:
>
>>
>> I think one of the things we'll find most puzzling about how to do the
>> integration is that the Tomcat flavor of this is written assuming the users
>> exist in a Tomcat Realm. The whole point of JWT is that they do not and the
>> server has no such state.
>>
>> https://github.com/apache/tomee/blob/master/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/TomcatSecurityService.java
>>
>> I think we'll grapple with questions like "should we support some local
>> override if the user happens to exist locally?" Certainly, we could. I
>> might suggest we don't for the first prototype and add that later.
>
> Didn't think about this yet, but I assume that's because their contract is to
> keep HttpServletRequest#getUserPrincipal() and #isUserInRole working, even
> for JWT?

Correct.

> Don't know from the back of my mind about the MicroProfile-JWT contract. But
> MicroProfile NOT being based on Servlets I assume they have just an
> @Inject-able org.eclipse.microprofile.jwt.JsonWebToken [1].
>
> While this extends Principal I still think it will be hard to tweak
> HttpServletRequest to work with it.
> But do we?

We do, yes. You're correct in that MicroProfile itself doesn't include Servlets, EJB, etc. but making sure JWTs worked for those things is definitely what we were trying to do in defining the spec. The goal is that 100% of the security concepts in Java EE would work against a JWT; EJB isCallerInRole, EJB @RolesAllowed, Servlet getCallerPrincipal, exposing a JWT as a Principal, a few new Java EE Security calls, etc.

The fact that MicroProfile itself doesn't require the specs for all the touch points we needed/wanted was handled by effectively making all those things optional. Despite them being optional, we tried to phrase it like "if you do implement it, it should work like this" and there are TCK tests to go along with a good chunk of it.

We were very much trying to define EE security as it pertains to JWT, while doing our best to navigate the Java EE and MicroProfile relationship. Now that EE is moving to Eclipse, EE Security and MicroProfile JWT security are highly likely to meld in some way.

-David
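The contract the thread is circling (getUserPrincipal() and isUserInRole() answered from the token, with no Realm and no server-side user state) can be sketched as a request wrapper around a stateless Principal. The following is an added illustration, not TomEE's TomcatSecurityService nor any MicroProfile JWT implementation; the class names JwtSecurityAdapter, JwtPrincipal, JwtRequestWrapper and fromVerifiedClaims are invented for the example, the claims map is constructed, and the code assumes the javax.servlet API is on the classpath and that signature, issuer and audience verification already happened upstream (only expiry is re-checked here). Name resolution follows the MP-JWT order upn, then preferred_username, then sub, and roles are taken from the groups claim.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical adapter (not TomEE code): turns an already verified MP-JWT
 * payload into a java.security.Principal and exposes it through the Servlet
 * request, so getUserPrincipal() / isUserInRole() answer from the token alone.
 * No Realm or other server-side user store is consulted, and there is
 * deliberately no "local override" path.
 */
public class JwtSecurityAdapter {

    /** Principal whose identity and roles come entirely from token claims. */
    public static final class JwtPrincipal implements Principal {
        private final String name;
        private final Set<String> groups;

        JwtPrincipal(String name, Set<String> groups) {
            this.name = name;
            this.groups = Collections.unmodifiableSet(new LinkedHashSet<>(groups));
        }

        @Override
        public String getName() { return name; }

        public Set<String> getGroups() { return groups; }
    }

    /** Request wrapper answering the Servlet security contract from the token. */
    public static final class JwtRequestWrapper extends HttpServletRequestWrapper {
        private final JwtPrincipal principal;

        public JwtRequestWrapper(HttpServletRequest request, JwtPrincipal principal) {
            super(request);
            this.principal = principal;
        }

        @Override
        public Principal getUserPrincipal() { return principal; }

        /** Role membership is exactly the "groups" claim; no user lookup. */
        @Override
        public boolean isUserInRole(String role) {
            return principal != null && principal.getGroups().contains(role);
        }
    }

    /**
     * Builds the principal from a claims map. The caller must already have
     * verified signature, issuer and audience; this only enforces expiry and
     * the MP-JWT name resolution order (upn, preferred_username, sub).
     */
    public static JwtPrincipal fromVerifiedClaims(Map<String, Object> claims, Instant now) {
        Object exp = claims.get("exp");
        if (exp instanceof Number
                && Instant.ofEpochSecond(((Number) exp).longValue()).isBefore(now)) {
            throw new IllegalArgumentException("token expired");
        }
        String name = null;
        for (String key : new String[] {"upn", "preferred_username", "sub"}) {
            Object v = claims.get(key);
            if (v instanceof String && !((String) v).isEmpty()) {
                name = (String) v;
                break;
            }
        }
        if (name == null) {
            throw new IllegalArgumentException("token carries no usable name claim");
        }
        Set<String> groups = new LinkedHashSet<>();
        Object raw = claims.get("groups");
        if (raw instanceof Collection) {
            for (Object g : (Collection<?>) raw) {
                groups.add(String.valueOf(g));
            }
        }
        return new JwtPrincipal(name, groups);
    }

    public static void main(String[] args) {
        // Constructed sample payload standing in for the claims of a verified token.
        Map<String, Object> claims = new HashMap<>();
        claims.put("iss", "https://issuer.example");
        claims.put("sub", "24400320");
        claims.put("upn", "jdoe@example.com");
        claims.put("groups", Arrays.asList("viewer", "editor"));
        claims.put("exp", Instant.now().getEpochSecond() + 300);

        JwtPrincipal principal = fromVerifiedClaims(claims, Instant.now());

        // Stand-in for the container's request; only the overridden methods are used.
        HttpServletRequest container = (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] {HttpServletRequest.class},
                (proxy, method, margs) -> {
                    throw new UnsupportedOperationException(method.getName());
                });

        HttpServletRequest request = new JwtRequestWrapper(container, principal);
        System.out.println("principal: " + request.getUserPrincipal().getName());
        System.out.println("editor?   " + request.isUserInRole("editor"));
        System.out.println("admin?    " + request.isUserInRole("admin"));
    }
}
```

The wrapper is what a filter or valve would install before the request reaches @RolesAllowed or isUserInRole checks. Keeping the Principal immutable and derived only from claims is what makes the arrangement stateless: the "user exists locally" question the thread raises never arises because nothing here reads a Realm.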