Thanks for the question! I used this email to seed the README:

- https://github.com/apache/tomee/pull/465/commits/cd5d062884074dc4c9655a4fdc919b26b4109b83

--
David Blevins
http://twitter.com/dblevins
http://www.tomitribe.com

> On May 14, 2019, at 9:47 AM, David Blevins <[email protected]> wrote:
>
>> On May 14, 2019, at 3:54 AM, Ivan Junckes Filho <[email protected]> wrote:
>>
>> Quick question David, @RolesAllowed currently checks the "groups" claim only.
>> Does the bean validation feature allow checking roles in "roles"?
>
> The feature ultimately allows you to implement a method like this:
>
>     @Override
>     public boolean isValid(final JsonWebToken jsonWebToken, final ConstraintValidatorContext context) {
>         // your code here
>         return ...;
>     }
>
> And attach that logic to any annotation of your creation. You then use that
> annotation on your methods, and the above code will run each time the JAX-RS
> service is invoked.
>
> If you want people to pass you information via the annotation, you override
> this method.
>
>     @Override
>     public void initialize(final Issuer issuer) {
>         this.issuer = issuer;
>     }
>
> Here, Issuer is an annotation made up in the app code.
>
> So the short answer is, yes, you could validate the roles claim or any data in
> the token you want. The JsonWebToken interface can give you the full encoded
> JWT or individual claims. So the sky is the limit. If you can put it in a
> token, you can validate it.
>
> Bean Validation allows you to have many validating annotations. One
> annotation can reuse another, so you can even have one validation annotation
> made from several smaller validation annotations, all of which you create.
>
> -David
>
>> On Mon, May 13, 2019 at 3:52 PM Jean-Louis Monteiro <[email protected]> wrote:
>>
>>> I'll do tonight
>>>
>>> --
>>> Jean-Louis Monteiro
>>> http://twitter.com/jlouismonteiro
>>> http://www.tomitribe.com
>>>
>>>
>>> On Mon, May 13, 2019 at 8:47 PM David Blevins <[email protected]> wrote:
>>>
>>>> Ok,
>>>>
>>>> This one is ready for merge. If anyone has a chance to take another look
>>>> at it today, excellent. I'd like to merge tomorrow and start the release.
>>>>
>>>> There are a lot of commits, so here is the high level:
>>>>
>>>> - TOMEE-2519: MP JWT Logging Improvements ensures we know exactly why a
>>>> JWT is not validating. There are new tests in itests that boot the server
>>>> and actually check the log output. The tomee-server-composer is a new bit
>>>> of tech introduced in this PR.
>>>>
>>>> - TOMEE-2515: Adds support for RSA keys 1024bits and signatures of
>>>> RSA-SHA384, RSA-SHA512, with tests for each key and signature type. There
>>>> are also tests to ensure the only two required claims are 'sub' and 'exp'.
>>>> There is a class JsonWebTokenValidator which is not used yet. It's
>>>> mid-refactor. The intent is to add a builder. I'm out of time so I'll
>>>> have to come back to it later.
>>>>
>>>> - TOMEE-2517: MP-JWT and BeanValidation adds a fancy new feature that
>>>> allows users to use Bean Validation to check JWTs. You simply write
>>>> validation constraints against the JsonWebToken and annotate your
>>>> method. A method no longer needs to use @RolesAllowed and can be very
>>>> expressive and specific through the power of bean validation.
>>>>
>>>> - TOMEE-2517: MP-JWT and BeanValidation Example. Any new feature needs
>>>> documentation or it doesn't exist. The example is functional and clean.
>>>> The README is barely there and will need more work.
>>>>
>>>> - TOMEE-2521: Apache BVal 2.0.3-SNAPSHOT. There was a fix that had to be
>>>> made to cover a method that has a void return type. BVal was throwing an
>>>> exception causing a 500. This was fixed and passes the bean validation
>>>> TCK. Work was done so we could use a custom build for the release
>>>> tomorrow. Ideally we'll be back on a proper BVal release very shortly.
>>>>
>>>> That's the high level. Doing a build on my laptop tonight. If it looks
>>>> good I'll merge early tomorrow (in a few hours) so there's 2-3 hours for a
>>>> green build to run prior to starting a release.
>>>>
>>>>
>>>> -David
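The isValid/initialize shape described in the thread, worked into a complete constraint that checks a "roles" claim. This is an added example, not code from the TomEE PR or from anyone in this thread; it assumes TomEE's wiring hands the request's JsonWebToken to the validator when the annotation is placed on a JAX-RS method (as David describes), that a custom "roles" claim comes back from getClaim() as a javax.json JsonArray of strings, and the names RolesClaim and Check are made up.

```java
// Added example (not from the TomEE PR): a Bean Validation constraint that
// rejects a request unless the JWT's "roles" claim holds every listed role.
// Assumes TomEE passes the request's JsonWebToken as the validated value for
// a method-level constraint, and that "roles" is a JSON array of strings.
import java.lang.annotation.*;
import java.util.*;
import javax.json.JsonArray;
import javax.json.JsonString;
import javax.json.JsonValue;
import javax.validation.*;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.ANNOTATION_TYPE})
@Constraint(validatedBy = RolesClaim.Check.class)
public @interface RolesClaim {
    String[] value();                          // roles that must ALL be present
    String message() default "The 'roles' claim must contain {value}";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};

    class Check implements ConstraintValidator<RolesClaim, JsonWebToken> {
        private Set<String> required;

        @Override
        public void initialize(final RolesClaim constraint) {
            // Values written on the annotation arrive here, as the email describes
            required = new HashSet<>(Arrays.asList(constraint.value()));
        }

        @Override
        public boolean isValid(final JsonWebToken jwt, final ConstraintValidatorContext context) {
            if (jwt == null) return false;                      // no token: reject, never skip
            final Object claim = jwt.getClaim("roles");        // custom claim -> JsonValue
            if (!(claim instanceof JsonArray)) return false;   // absent or wrong type: reject
            final Set<String> present = new HashSet<>();
            for (final JsonValue v : (JsonArray) claim) {
                if (v.getValueType() == JsonValue.ValueType.STRING) {
                    present.add(((JsonString) v).getString());  // ignore non-string entries
                }
            }
            return present.containsAll(required);              // fail closed on any missing role
        }
    }
}
```

Usage on a resource method would then be `@RolesClaim({"admin"})` in place of `@RolesAllowed`, and the constraint can be stacked with others (an issuer check, for instance) exactly as the email says.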
