Hi,

Just rebased this PR with the MP 2.0 merge, so this one should be good to go too.

Cheers,
Roberto

> On 4 Dec 2018, at 19:18, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>
> Hey,
>
> I think we are mostly done with the JWT 1.1 work. At least the TCK is passing
> except for two tests with the issue described here:
> https://github.com/eclipse/microprofile-jwt-auth/issues/118. I did copy the
> test code and added a second Arquillian deployment to deploy the key endpoint
> for the test in a separate app. In this case, the test works as expected. I’ll
> also try to submit a PR with this work to the JWT TCK project.
>
> The entire work can be seen here:
> https://github.com/apache/tomee/pull/173
>
> MP JWT 1.1 mostly adds support for:
> - Loading keys using MP Config from multiple sources (inline, classpath,
>   file, url).
> - JWK and JWKS support.
> - JWT as Principal injection.
>
> Thank you Jon for helping out with the implementation.
>
> Cheers,
> Roberto
>
>> On 3 Dec 2018, at 18:00, Roberto Cortez <radcor...@yahoo.com> wrote:
>>
>> Sure. If you don’t mind, I’ll merge your branch with mine and then submit a
>> PR with everything.
>>
>>> On 3 Dec 2018, at 17:12, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>
>>> If you have the cycles, it would be great if you could do it.
>>>
>>> Cheers!
>>>
>>> Jon
>>>
>>> On Mon, Dec 3, 2018 at 5:06 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>
>>>> Yes, I would be in favor of commenting these tests, but implementing in our
>>>> tests a setup with an endpoint, and trying to deploy an app to load the key
>>>> from the endpoint. At least we make sure that the feature is working as
>>>> supposed.
>>>>
>>>> Do you want to do it, or should I do it?
>>>>
>>>>> On 3 Dec 2018, at 16:49, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>
>>>>> Interesting. I'd be in favor of commenting those tests out and merging the
>>>>> PR, if you think the rest of it is in shape. If the spec says there should
>>>>> be a deployment exception, then that makes sense. The TCK should probably
>>>>> start its own little embedded HTTP server to supply these keys instead. We
>>>>> could contribute a PR there for consideration.
>>>>>
>>>>> Jon
>>>>>
>>>>> On Mon, Dec 3, 2018 at 4:39 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>
>>>>>> Yes,
>>>>>>
>>>>>> I think that the current state of the TCK is actually wrong. Look here:
>>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>>>
>>>>>> And also from the spec:
>>>>>> MicroProfile JWT implementations are required to throw a
>>>>>> `DeploymentException` when given a public key that cannot be parsed
>>>>>> using either the standardly supported or vendor-specific key formats.
>>>>>>
>>>>>> My understanding of this is that the load / parsing of the key is part of
>>>>>> the application deployment, so if you fail to load the key you should fail
>>>>>> with DeploymentException. It doesn’t make sense to defer the loading of the
>>>>>> key to when you need it and then fail with the DeploymentException, when the
>>>>>> application is already deployed.
>>>>>>
>>>>>> Now, the issue is a chicken / egg. The TCK test exposes the key to load
>>>>>> from an endpoint in the actual test app that we are testing. I believe the
>>>>>> correct behaviour should be to have a separate test app that exposes the
>>>>>> test keys and then have a separate app to test the behaviour.
>>>>>>
>>>>>> I think we can implement our own tests like these and then contribute them
>>>>>> back / fix the TCK.
>>>>>>
>>>>>> Cheers,
>>>>>> Roberto
>>>>>>
>>>>>>> On 3 Dec 2018, at 16:24, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>
>>>>>>> Thanks for asking. There are 3 tests I can't get passing. These are the
>>>>>>> ones where the key is referred to by an HTTP URL, which isn't available at
>>>>>>> deployment time, where the keys are actually read. I spent quite a lot of
>>>>>>> time trying to make this happen later in the lifecycle (like on first load,
>>>>>>> or something like that). I ended up getting lost in a complete maze of
>>>>>>> lambdas. I am stuck and in need of help. I think this class is the issue:
>>>>>>> https://github.com/jgallimore/tomee/blob/jwt-1.1/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/ConfigurableJWTAuthContextInfo.java,
>>>>>>> and this piece of functionality will probably need some design discussion
>>>>>>> to enable these tests to pass.
>>>>>>>
>>>>>>> I had tried flipping the storage to Map<String,Supplier> with a supplier that
>>>>>>> does a lazy lookup and caches the value. The issue there is the JWKS keys,
>>>>>>> where you appear to get multiple keys in one file. Wrapping the whole thing
>>>>>>> in a supplier might work too - you'd effectively then have to run that logic
>>>>>>> on first login, or find something else that can trigger it.
>>>>>>>
>>>>>>> Do you have any thoughts?
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>> On Mon, Dec 3, 2018 at 3:27 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>>
>>>>>>>> Hi Jon,
>>>>>>>>
>>>>>>>> I’ve seen you made some changes in your branch. What is the current
>>>>>>>> status? I would like to start pushing for MP 2.0 specs.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>>
>>>>>>>>> On 21 Nov 2018, at 17:57, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Was going to have another look at those tests over the next couple of
>>>>>>>>> days.
>>>>>>>>>
>>>>>>>>> Jon
>>>>>>>>>
>>>>>>>>> On Wed, 21 Nov 2018, 17:53 Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Jon,
>>>>>>>>>>
>>>>>>>>>> What is the status of this?
>>>>>>>>>>
>>>>>>>>>> For the remaining failing tests, the issues are related to this:
>>>>>>>>>> https://github.com/eclipse/microprofile-jwt-auth/issues/118
>>>>>>>>>>
>>>>>>>>>> I don’t think there is a way to fix it on our side, so we could just
>>>>>>>>>> ignore those specific methods and build a specific test for this with a
>>>>>>>>>> 2 apps deployment, so we can reach the public key endpoint from the test.
>>>>>>>>>> Then we should be good to go with this!
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Roberto
>>>>>>>>>>
>>>>>>>>>>> On 20 Nov 2018, at 15:28, Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Ok, yes I see it.
>>>>>>>>>>> --
>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Nov 20, 2018 at 4:11 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> The commits are showing for me (at the bottom). Here's the latest one:
>>>>>>>>>>>> https://github.com/apache/tomee/commit/7ce1f8033e239331cfa7843e4e5565ed0aa83345
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Nov 20, 2018 at 2:44 PM Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hey Jon,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I clicked on the link and the diff tab does not show any difference.
>>>>>>>>>>>>> Did you push?
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Nov 19, 2018 at 12:36 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I now have the principal injection part of this working - thanks Romain
>>>>>>>>>>>>>> for your help and explanations. Progress is in my fork here:
>>>>>>>>>>>>>> https://github.com/jgallimore/tomee/tree/jwt-1.1 (changes here:
>>>>>>>>>>>>>> https://github.com/apache/tomee/compare/master...jgallimore:jwt-1.1?expand=1).
>>>>>>>>>>>>>> There are still a couple of TODOs to clean up, and 3 tests to get passing.
>>>>>>>>>>>>>> Any feedback is appreciated.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sat, Nov 3, 2018 at 9:10 AM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Yep, got it. Thanks for the feedback - makes sense now.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, 2 Nov 2018, 16:46 Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Answered hopefully "long enough" on dev@geronimo so will just do a
>>>>>>>>>>>>>>>> short one here and shout if not enough: ManagedSecurityService in the
>>>>>>>>>>>>>>>> cdi package of openejb-core must make the getCurrentPrincipal contextual,
>>>>>>>>>>>>>>>> so hidden behind a proxy. The proxied API must be Principal and
>>>>>>>>>>>>>>>> JsonWebToken when available (try { add if can load } catch { ignore }
>>>>>>>>>>>>>>>> works as a pattern). The proxy instance can be created once for all apps
>>>>>>>>>>>>>>>> using the container loader, or per app using the app loader and avoiding
>>>>>>>>>>>>>>>> leaks between apps, since the API can use different loaders.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, 2 Nov 2018 14:44, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks for the reply, but I am confused by your response. The PR I
>>>>>>>>>>>>>>>>> referenced adds a single test to the geronimo-jwt-auth project
>>>>>>>>>>>>>>>>> (https://github.com/apache/geronimo-jwt-auth/pull/3), based on
>>>>>>>>>>>>>>>>> org.eclipse.microprofile.jwt.tck.container.jaxrs.PrincipalInjectionTest
>>>>>>>>>>>>>>>>> from the TCK. It fails at present (hopefully we agree on that - my results
>>>>>>>>>>>>>>>>> attached). The geronimo-jwt-auth project doesn't touch TomEE at all - it
>>>>>>>>>>>>>>>>> uses OWB/Meecrowave to run the MicroProfile JWT TCK. I have not modified
>>>>>>>>>>>>>>>>> the project config at all, so it is using the SecurityService code you
>>>>>>>>>>>>>>>>> previously posted. If this additional test were part of the MicroProfile
>>>>>>>>>>>>>>>>> JWT TCK (and I'm going to propose it), the Geronimo JWT Auth implementation
>>>>>>>>>>>>>>>>> would *not* pass the TCK.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I posted this here as I originally found the issue when continuing
>>>>>>>>>>>>>>>>> Roberto's efforts, but this has probably contributed to some confusion. I
>>>>>>>>>>>>>>>>> would suggest we continue this over on the Geronimo and OWB lists to avoid
>>>>>>>>>>>>>>>>> further confusion.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Fri, Nov 2, 2018 at 12:46 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Yes this is an owb misconfiguration/integration
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Geronimo is fine here so likely tomee owb spi to update as in geronimo tck
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Fri, 2 Nov 2018 10:42, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks for the reply. I am still sure there is some sort of issue. Putting
>>>>>>>>>>>>>>>>>>> TomEE to one side for the moment, I am able to reproduce this in the
>>>>>>>>>>>>>>>>>>> Geronimo JWT auth library as well. This PR includes a test to show what I
>>>>>>>>>>>>>>>>>>> mean: https://github.com/apache/geronimo-jwt-auth/pull/3.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I can confirm that this change:
>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/pull/12 enables that new test to
>>>>>>>>>>>>>>>>>>> pass.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> In short, if you @Inject JsonWebToken, or individual claims, or
>>>>>>>>>>>>>>>>>>> use @RolesAllowed, I think you're ok, but if you @Inject Principal, you
>>>>>>>>>>>>>>>>>>> will most likely get the wrong principal because the instance is cached
>>>>>>>>>>>>>>>>>>> in a field in the org.apache.webbeans.portable.ProviderBasedProducer
>>>>>>>>>>>>>>>>>>> class, and that looks like a security issue.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Tue, Oct 30, 2018 at 5:56 AM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Jon,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> yes and no, idea is to be fast and for all producers it works except the
>>>>>>>>>>>>>>>>>>>> principal which is broken anyway in CDI 1.x so guess this was not fixed
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> in CDI 2 (tomee 8) we can impl it this way:
>>>>>>>>>>>>>>>>>>>> https://github.com/apache/geronimo-jwt-auth/blob/master/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/TckSecurityService.java
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
>>>>>>>>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
>>>>>>>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
>>>>>>>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>>>>>>>>>>>>>>>>>>>> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Tue, 30 Oct 2018 at 00:58, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Here's a question, probably for Mark or Romain. If I turn the proxy *off*
>>>>>>>>>>>>>>>>>>>>> in org.apache.webbeans.component.PrincipalBean, I'm finding that I get
>>>>>>>>>>>>>>>>>>>>> the wrong principal injected sometimes. Specifically, I get whatever is
>>>>>>>>>>>>>>>>>>>>> on the proxyInstance field here:
>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L51
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Should this line (line 66)
>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66,
>>>>>>>>>>>>>>>>>>>>> not simply be:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> return provider.get();
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> as opposed to
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> proxyInstance = provider.get(); ?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> That way, the proxyInstance field would never get set if proxy mode is
>>>>>>>>>>>>>>>>>>>>> set to false. When proxy is true, this seems to work correctly (although
>>>>>>>>>>>>>>>>>>>>> I have other unrelated issues in TomEE).
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I can probably work around this some other way, but it seems to me like
>>>>>>>>>>>>>>>>>>>>> that behaviour isn't quite right.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Trying to think of a way to test it - I can probably come up with
>>>>>>>>>>>>>>>>>>>>> something, but I'd appreciate some pointers. Happy to shift this to
>>>>>>>>>>>>>>>>>>>>> openwebbeans-dev, and submit a PR. Replying here initially as I ran into
>>>>>>>>>>>>>>>>>>>>> this while hacking on the JWT code.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Wed, Oct 17, 2018 at 12:41 AM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Please, go ahead. Let me know if you need anything. Thanks!
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 16 Oct 2018, at 21:53, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Any objection if I pick this up and have a go at the last tests, or is
>>>>>>>>>>>>>>>>>>>>>>> someone already working on this?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Thu, Sep 27, 2018 at 5:44 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Yep this feature. Then it must work since we support user principal if
>>>>>>>>>>>>>>>>>>>>>>>> the jwt filter is correctly placed in the filter chain and we must
>>>>>>>>>>>>>>>>>>>>>>>> inherit from the request principal.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Thu, 27 Sep 2018 18:37, Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I guess you are referring to this, to remove the proxy?
>>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/openwebbeans/commit/a21a949fb19247dcc39ee89292a1554b2cf1388e
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Yes, this one step.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> By default, we do inject the generic Principal of Tomcat. We probably
>>>>>>>>>>>>>>>>>>>>>>>>> need to check first for the existence of a JWT Principal and then fall
>>>>>>>>>>>>>>>>>>>>>>>>> back to the Tomcat one. I think I know how to do it, I was just trying
>>>>>>>>>>>>>>>>>>>>>>>>> to broaden up the conversation about general integration with EE
>>>>>>>>>>>>>>>>>>>>>>>>> security.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 26 Sep 2018, at 07:21, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> OWB enables you to do it - we did it in the geronimo impl to pass the
>>>>>>>>>>>>>>>>>>>>>>>>>> tck of the jwt auth spec.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On Wed, 26 Sep 2018 03:28, Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I’ve done some work to push our MP JWT implementation from 1.0 to 1.1.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> You can check it here:
>>>>>>>>>>>>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/173
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> There are still a couple of tests in the TCK that I have to fix and a
>>>>>>>>>>>>>>>>>>>>>>>>>>> few things that I would like to improve, but I think the majority of
>>>>>>>>>>>>>>>>>>>>>>>>>>> the work is done.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Some time ago, there was a discussion in the list about how to
>>>>>>>>>>>>>>>>>>>>>>>>>>> integrate MP JWT with EE security:
>>>>>>>>>>>>>>>>>>>>>>>>>>> http://tomee-openejb.979440.n4.nabble.com/Implementing-Microprofile-JWT-td4683212i40.html
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I believe we need to revisit that conversation and figure out how to
>>>>>>>>>>>>>>>>>>>>>>>>>>> move forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Right now for instance, we don’t support injecting a JWT Principal
>>>>>>>>>>>>>>>>>>>>>>>>>>> since it clashes with the one predefined by CDI. Most likely, we would
>>>>>>>>>>>>>>>>>>>>>>>>>>> need to plug in the JWT Principal lookup in TomcatSecurityService. I’m
>>>>>>>>>>>>>>>>>>>>>>>>>>> not sure if we want to do it in that way, or if we want to think of
>>>>>>>>>>>>>>>>>>>>>>>>>>> something else.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>>>>>>>>>> Roberto