> On May 14, 2019, at 3:54 AM, Ivan Junckes Filho <[email protected]> wrote:
> 
> Quick question David, @RolesAllowed currently checks "groups" claim only.
> Does the bean validation feature allow checking roles in "roles"?

The feature ultimately allows you to implement a method like this:

    @Override
    public boolean isValid(final JsonWebToken jsonWebToken, final ConstraintValidatorContext context) {
        // your code here
        return ...;
    }

And attach that logic to any annotation of your creation.  You then use that 
annotation on your methods, and the above code will run each time the JAX-RS 
service is invoked.

If you want people to pass you information via the annotation, you override 
this method.

    @Override
    public void initialize(final Issuer issuer) {
        this.issuer = issuer;
    }

Here, Issuer is an annotation made up in the app code.

So the short answer is, yes, you could validate the roles claim or any data in the 
token you want.  The JsonWebToken interface can give you the full encoded JWT 
or individual claims.  So the sky is the limit.  If you can put it in a token, you 
can validate it.  

Bean Validation allows you to have many validating annotations.  One annotation 
can reuse another, so you can even have one validation annotation made from 
several smaller validation annotations, all of which you create.

-David
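A complete constraint along the lines described above, added here as an illustration and not code from the TomEE PR or its example: an annotation that is satisfied when the token's "roles" claim (the claim Ivan asked about) contains one of the listed values. It assumes Bean Validation and JSON-P on the classpath and that the MP JWT implementation exposes a non-standard claim as a JSON-P JsonValue; the annotation and validator names are made up for the example.

```java
import java.lang.annotation.*;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;
import javax.json.JsonArray;
import javax.json.JsonString;
import javax.json.JsonValue;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Example constraint (hypothetical name): requires one of the listed values in the
// token's "roles" claim. Put it on a JAX-RS method, e.g. @RolesClaim({"admin", "auditor"}).
@Documented
@Constraint(validatedBy = RolesClaim.Validator.class)
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface RolesClaim {
    String[] value();   // roles accepted; any one of them satisfies the check
    String message() default "token does not carry a permitted role";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};

    class Validator implements ConstraintValidator<RolesClaim, JsonWebToken> {
        private Set<String> allowed;

        @Override
        public void initialize(final RolesClaim annotation) {
            // Values passed on the annotation arrive here, as in the initialize(Issuer) shape above
            allowed = new HashSet<>(Arrays.asList(annotation.value()));
        }

        @Override
        public boolean isValid(final JsonWebToken jwt, final ConstraintValidatorContext ctx) {
            if (jwt == null) return false;                     // no token: deny, never default to allow
            final JsonValue claim = jwt.getClaim("roles");     // assumed to be a JSON-P value for custom claims
            if (!(claim instanceof JsonArray)) return false;   // claim missing or not an array: deny
            final Set<String> roles = ((JsonArray) claim).getValuesAs(JsonString.class)
                    .stream().map(JsonString::getString).collect(Collectors.toSet());
            return roles.stream().anyMatch(allowed::contains);
        }
    }
}
```

Note that the validator fails closed on a missing or malformed claim, so a token signed by a trusted issuer but lacking "roles" is still rejected rather than passed through.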

> On Mon, May 13, 2019 at 3:52 PM Jean-Louis Monteiro <[email protected]> wrote:
> 
>> I'll do tonight
>> 
>> --
>> Jean-Louis Monteiro
>> http://twitter.com/jlouismonteiro
>> http://www.tomitribe.com
>> 
>> 
>> On Mon, May 13, 2019 at 8:47 PM David Blevins <[email protected]> wrote:
>> 
>>> Ok,
>>> 
>>> This one is ready for merge.  If anyone has a chance to take another look
>>> at it today, excellent.  I'd like to merge tomorrow and start the release.
>>> 
>>> There are a lot of commits, so here is the high level:
>>> 
>>> - TOMEE-2519: MP JWT Logging Improvements ensures we know exactly why a
>>> JWT is not validating.  There are new tests in itests that boot the server
>>> and actually check the log output.  The tomee-server-composer is a new bit
>>> of tech introduced in this PR.
>>> 
>>> - TOMEE-2515: Adds support for RSA keys 1024bits and signatures of
>>> RSA-SHA384, RSA-SHA512, with tests for each key and signature type.  There
>>> are also tests to ensure the only two required claims are 'sub' and 'exp'.
>>> There is a class JsonWebTokenValidator which is not used yet.  It's
>>> mid-refactor.  The intent is to add a builder.  I'm out of time so I'll
>>> have to come back to it later.
>>> 
>>> - TOMEE-2517: MP-JWT and BeanValidation adds a fancy new feature that
>>> allows users to use Bean Validation to check JWTs.  You simply write a
>>> validation constraint against the JsonWebToken and annotate your
>>> method.  A method no longer needs to use @RolesAllowed and can be very
>>> expressive and specific through the power of bean validation.
>>> 
>>> - TOMEE-2517: MP-JWT and BeanValidation Example.  Any new feature needs
>>> documentation or it doesn't exist.  The example is functional and clean.
>>> The README is barely there and will need more work.
>>> 
>>> - TOMEE-2521: Apache BVal 2.0.3-SNAPSHOT there was a fix that had to be
>>> made to cover a method that has a void return type. BVal was throwing an
>>> exception causing a 500.  This was fixed and passes the bean validation
>>> TCK.  Work was done so we could use a custom build for the release
>>> tomorrow.  Ideally we'll be back on a proper BVal release very shortly.
>>> 
>>> That's the high level.  Doing a build on my laptop tonight.  If it looks
>>> good I'll merge early tomorrow (in a few hours) so there's 2-3 hours for a
>>> green build to run prior to starting a release.
>>> 
>>> 
>>> -David
>>> 
>>> 
>> 