Sure. If you don’t mind, I’ll merge your branch with mine and then submit a PR with everything.
> On 3 Dec 2018, at 17:12, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>
> If you have the cycles, it would be great if you could do it.
>
> Cheers!
>
> Jon
>
> On Mon, Dec 3, 2018 at 5:06 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>
>> Yes, I would be in favor of commenting these tests, but implement on our tests that set up an endpoint and try to deploy an app to load the key from the endpoint. At least we make sure that the feature is working as supposed.
>>
>> Do you want to do it, or should I do it?
>>
>>> On 3 Dec 2018, at 16:49, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>
>>> Interesting. I'd be in favor of commenting those tests out and merging the PR, if you think the rest of it is in shape. If the spec says there should be a deployment exception, then that makes sense. The TCK should probably start its own little embedded http server to supply these keys instead. We could contribute a PR there for consideration there.
>>>
>>> Jon
>>>
>>> On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>
>>>> Yes,
>>>>
>>>> I think that the current state of the TCK is actually wrong. Look here:
>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>
>>>> And also from the spec:
>>>> MicroProfile JWT implementations are required to throw a `DeploymentException` when given a public key that cannot be parsed using either the standardly supported or vendor-specific key formats.
>>>>
>>>> My understanding of this is that the load / parsing of the key is part of the application deployment, so if you fail to load the key you should fail with DeploymentException. It doesn’t make sense to defer the loading of the key when you need it and then fail with the DeploymentException, when the application is already deployed.
>>>>
>>>> Now, the issue is a chicken / egg. The TCK test exposes the key to load from an endpoint in the actual test app that we are testing. I believe the correct behaviour should be to have a separate test app that exposes the test keys and then have a separate app to test the behaviour.
>>>>
>>>> I think we can implement our own tests like these and then contribute them back / fix the TCK.
>>>>
>>>> Cheers,
>>>> Roberto
>>>>
>>>>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>
>>>>> Thanks for asking. There are 3 tests I can't get passing. These are the ones where the key is referred to by a HTTP url, which isn't available at deployment time where the keys are actually read. I spent quite a lot of time trying to make this happen later in lifecycle (like on first load, or something like that). I ended up getting lost in a complete maze of lambdas. I am stuck and in need of help. I think this class is the issue:
>>>>> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java
>>>>> , and this piece of functionality will probably need some design discussion to enable these tests to pass.
>>>>>
>>>>> I had tried to flip the storage to Map<String,Supplier> with a supplier that does a lazy lookup and caches the value. The issue there is the JWKS keys, where you appear to get multiple keys in one file. Wrapping the whole thing in a supplier might work too - you'd effectively then have run that logic on first login, or find something else that can trigger it.
>>>>>
>>>>> Do you have any thoughts?
>>>>>
>>>>> Jon
>>>>>
>>>>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>
>>>>>> Hi Jon,
>>>>>>
>>>>>> I’ve seen you made some changes in your branch.
>>>>>> What is the current status? I would like to start pushing for MP 2.0 specs.
>>>>>>
>>>>>> Cheers,
>>>>>> Roberto
>>>>>>
>>>>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>
>>>>>>> Was going to have another look at those tests over the next couple of days.
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcor...@yahoo.com.invalid wrote:
>>>>>>>
>>>>>>>> Hi Jon,
>>>>>>>>
>>>>>>>> What is the status of this?
>>>>>>>>
>>>>>>>> For the remaining failing tests, the issues are related with this:
>>>>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>>>>>
>>>>>>>> I don’t think there is a way to fix it on our side, so we could just ignore those specific methods and build a specific test for this with 2 apps deployment so we can reach out the public key endpoint from the test. Then we should be good to go with this!
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>>
>>>>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>>>>>>>>>
>>>>>>>>> Ok, yes I see it.
>>>>>>>>> --
>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
>>>>>>>>>>
>>>>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>>>>>>>>>>
>>>>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hey Jon,
>>>>>>>>>>>
>>>>>>>>>>> I clicked on the link and the diff tab does not show any difference.
>>>>>>>>>>> Did you push?
>>>>>>>>>>> --
>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I now have the principal injection part of this working - thanks Romain for your help and explanations. Progress is in my fork here: https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here: https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1 ). There are still a couple of TODOs to clean up, and 3 tests to get passing. Any feedback is appreciated.
>>>>>>>>>>>>
>>>>>>>>>>>> Jon
>>>>>>>>>>>>
>>>>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibu...@gmail.com wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a short one here and shout if not enough: ManagedSecurityService in cdi package of openejb-core must make the getCurrentPrincipal contextual so hidden behind a proxy. The proxied API must be Principal and JsonWebToken when available (try { add if can load } catch { ignore } works as pattern).
>>>>>>>>>>>>>> The proxy instance can be created once for all app using the container loader or per app using the app loader and avoiding to leak between apps since the API can use different loaders.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, 2 Nov 2018 at 14:44, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I referenced adds a single test to the geronimo-jwt-auth project (https://github.com/apache/geronimo-jwt-auth/pull/3), based on org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest from the TCK. It fails at present (hopefully we agree on that - my results attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified the project config at all, so it is using the SecurityService code you previously posted. If this additional test were part of the MicroProfile JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation would *not* pass the TCK.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I posted this here as I originally found the issue when continuing Roberto's efforts, but this has probably contributed to some confusion. I would suggest we continue this over on the Geronimo and OWB lists to avoid further confusion.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, 2 Nov 2018 at 10:42, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue. Putting TomEE to one side for the moment, I am able to reproduce this in the Geronimo JWT auth library as well. This PR includes a test to show what I mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I can confirm that this change: https://github.com/apache/openwebbeans/pull/12 enables that new test to pass.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or use @RolesAllowed, I think you're ok, but if you @Inject Principal, you will most likely get the wrong principal because the instance is cached in a field in the org.apache.webbeans.portable.ProviderBasedProducer class, and that looks like a security issue.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except the principal which is broken anyway in CDI 1.x so guess this was not fixed
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain.
>>>>>>>>>>>>>>>>>>> If I turn the proxy *off* in org.apache.webbeans.component.PrincipalBean, I'm finding that I get the wrong principal injected sometimes. Specifically, I get whatever is on the proxyInstance field here:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Should this line (line 66)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
>>>>>>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>>>>>>> not simply be:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> return provider.get();
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> as opposed to
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode is set to false. When proxy is true, this seems to work correctly (although I have other unrelated issues in TomEE).
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me like that behaviour isn't quite right.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with something, but I'd appreciate some pointers. Happy to shift this to openwebbeans-dev, and submit a PR. Replying here initially as I ran into this while hacking on the JWT code.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if you need anything. Thanks!
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or is someone already working on this?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal if the jwt filter is correctly placed in the filter chain and we must inherit from the request principal.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Thu, 27 Sep 2018, 18:37, Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Yes, this one step.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We probably need to check first about the existence of a JWT Principal and then fallback to the Tomcat one. I think I know how to do it, I was just trying to broaden up the conversation about general integration with EE security.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> OWB enable to do it - we did it in geronimo impl to pass tck of jwt auth spec.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Wed, 26 Sep 2018, 03:28, Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> You can check it here:
>>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I have to fix and a few things that I would like to improve, but I think the majority of the work is done.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list about how to integrate MP JWT with EE security:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how to move forward.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal since it clashes with the predefined by CDI. Most likely, we would need to plug in the JWT Principal lookup in TomcatSecurityService. I’m not sure if we want to do it in that way, or if we want to think in something else.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>>> Roberto
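
The Principal caching problem Jon describes in the quoted thread, as an added example (a simplified model, not OpenWebBeans or TomEE code): a producer that stores `provider.get()` in a field keeps handing out the first caller's Principal, while returning `provider.get()` directly, or caching only a delegating proxy as Romain suggests, resolves the current caller. `CURRENT`, `CachingProducer`, `PassThroughProducer` and `handleRequest` are hypothetical names, and the null check around the field is an assumption.

```java
import java.security.Principal;
import java.util.function.Supplier;

public class PrincipalCachingDemo {

    // Hypothetical stand-in for the container's per-request caller state.
    static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();

    /** Simplified model of the reported behaviour: the result is kept in a field. */
    static final class CachingProducer {
        private final Supplier<Principal> provider;
        private Principal proxyInstance; // shared by every later injection

        CachingProducer(Supplier<Principal> provider) {
            this.provider = provider;
        }

        Principal produce() {
            if (proxyInstance == null) {          // assumption: cache on first use
                proxyInstance = provider.get();   // first caller's principal sticks
            }
            return proxyInstance;
        }
    }

    /** The change proposed in the thread: resolve on every call, store nothing. */
    static final class PassThroughProducer {
        private final Supplier<Principal> provider;

        PassThroughProducer(Supplier<Principal> provider) {
            this.provider = provider;
        }

        Principal produce() {
            return provider.get();
        }
    }

    /** Runs one simulated request as `caller` and reports the injected name. */
    static String handleRequest(String caller, Supplier<Principal> injectionPoint) {
        CURRENT.set(() -> caller);
        try {
            return injectionPoint.get().getName();
        } finally {
            CURRENT.remove();
        }
    }

    public static void main(String[] args) {
        Supplier<Principal> provider = CURRENT::get;
        CachingProducer caching = new CachingProducer(provider);
        PassThroughProducer direct = new PassThroughProducer(provider);

        // Contextual proxy: a single instance that looks up the caller per call,
        // so caching the proxy itself is harmless.
        Principal proxy = () -> provider.get().getName();
        CachingProducer cachedProxy = new CachingProducer(() -> proxy);

        for (String caller : new String[] {"alice", "bob"}) { // constructed callers
            System.out.printf("caller=%s cached=%s direct=%s proxy=%s%n",
                    caller,
                    handleRequest(caller, caching::produce),
                    handleRequest(caller, direct::produce),
                    handleRequest(caller, cachedProxy::produce));
        }
    }
}
```

On the second simulated request the caching producer still reports the first caller, while the pass-through producer and the cached delegating proxy both report the current one.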