I started to move this PR forward. I have one question: what would be the correct behavior for a request containing a valid token that only has the group claim "crud" when the REST endpoint is annotated like this:

@RolesAllowed({"crud", "read-only"})

Should the REST endpoint reply with a 403 because the token used in the request doesn't have both groups of claims? Or should the REST endpoint reply correctly if and only if the token used in the request contains any of these two groups of claims?

After reading both the MP JWT spec and section 2.12 of JSR-250, I think we have a bug that you can easily reproduce in my PR if you use token type "*2*" instead of "1" in the following test: https://github.com/apache/tomee/pull/233/files#diff-c8b4606595833238670d666da0b95651R80

On Mon, Dec 3, 2018 at 9:22, Bruno Baptista (<bruno...@gmail.com>) wrote:
> Hi César,
>
> Looking forward to review it.
>
> Cheers.
>
> Bruno Baptista
> https://twitter.com/brunobat_
>
>
> On 30/11/18 22:44, César Hernández Mendoza wrote:
> > Hi,
> >
> > I'm planning to implement a couple of small improvements on the
> > MicroProfile JWT example the project already has.
> > I opened https://issues.apache.org/jira/browse/TOMEE-2304 for this.
> >
> > I'll keep you updated with the proposal and progress. Ideas and proposals are
> > more than welcome!
-- 
Sincerely: César Hernández Mendoza.
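For reference, an added example that is not part of this thread, the PR or the TomEE code base: a JAX-RS request filter that applies the JSR-250 section 2.12 rule the question turns on, namely that `@RolesAllowed` lists alternative roles, so a caller in any one of them is authorized and only a caller in none of them gets a 403. The class name `RequireAnyRoleFilter`, the helper `hasAnyRole` and the two sample group sets in `main` are hypothetical; the filter assumes the container has already verified the JWT and exposed its "groups" claim through `SecurityContext.isUserInRole`, as the MP JWT spec requires.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Hypothetical filter implementing the JSR-250 2.12 rule: the caller must hold
// at least one of the roles listed in @RolesAllowed, not all of them.
@Provider
@Priority(Priorities.AUTHORIZATION)
public class RequireAnyRoleFilter implements ContainerRequestFilter {
    @Context
    private ResourceInfo resourceInfo;

    // True when any role named in the annotation passes the membership check.
    static boolean hasAnyRole(String[] allowed, Predicate<String> inRole) {
        return Arrays.stream(allowed).anyMatch(inRole);
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        RolesAllowed ra = resourceInfo.getResourceMethod().getAnnotation(RolesAllowed.class);
        if (ra == null) return; // no restriction declared on this method
        SecurityContext sc = ctx.getSecurityContext(); // roles come from the JWT "groups" claim
        if (!hasAnyRole(ra.value(), sc::isUserInRole)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    // Constructed sample group sets standing in for the "groups" claim of two tokens.
    public static void main(String[] args) {
        String[] allowed = {"crud", "read-only"};
        Set<String> crudOnly = Set.of("crud");
        Set<String> unrelated = Set.of("admin");
        System.out.println(hasAnyRole(allowed, crudOnly::contains));  // true: request served, no 403
        System.out.println(hasAnyRole(allowed, unrelated::contains)); // false: 403
    }
}
```

A filter that instead required every listed role (`allMatch`) would reject the "crud"-only token, which is the behaviour the question describes as a suspected bug.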