Thanks David, this is very useful!
On Mon, May 13, 2019 at 9:54 PM David Blevins <[email protected]> wrote:

> Thanks for the question!  I used this email to seed the README:
>
>  - https://github.com/apache/tomee/pull/465/commits/cd5d062884074dc4c9655a4fdc919b26b4109b83
>
>
> --
> David Blevins
> http://twitter.com/dblevins
> http://www.tomitribe.com
>
> > On May 14, 2019, at 9:47 AM, David Blevins <[email protected]> wrote:
> >
> >> On May 14, 2019, at 3:54 AM, Ivan Junckes Filho <[email protected]> wrote:
> >>
> >> Quick question David, @RolesAllowed currently checks "groups" claim only.
> >> Does the bean validation feature allow checking roles in "roles"?
> >
> > The feature ultimately allows you to implement a method like this:
> >
> >     @Override
> >     public boolean isValid(final JsonWebToken jsonWebToken, final ConstraintValidatorContext context) {
> >         // your code here
> >         return ...;
> >     }
> >
> > And attach that logic to any annotation of your creation.  You then use that annotation on your methods, and the above code will run each time the JAX-RS service is invoked.
> >
> > If you want people to pass you information via the annotation, you override this method.
> >
> >     @Override
> >     public void initialize(final Issuer issuer) {
> >         this.issuer = issuer;
> >     }
> >
> > Here, Issuer is an annotation made up in the app code.
> >
> > So the short answer is, yes, you could validate the roles claim or any data in the token you want.  The JsonWebToken interface can give you the full encoded JWT or individual claims.  So the sky is the limit.  If you can put it in a token, you can validate it.
> >
> > Bean Validation allows you to have many validating annotations.  One annotation can reuse another, so you can even have one validation annotation made from several smaller validation annotations, all of which you create.
> >
> > -David
> >
> >> On Mon, May 13, 2019 at 3:52 PM Jean-Louis Monteiro <[email protected]> wrote:
> >>
> >>> I'll do tonight
> >>>
> >>> --
> >>> Jean-Louis Monteiro
> >>> http://twitter.com/jlouismonteiro
> >>> http://www.tomitribe.com
> >>>
> >>>
> >>> On Mon, May 13, 2019 at 8:47 PM David Blevins <[email protected]> wrote:
> >>>
> >>>> Ok,
> >>>>
> >>>> This one is ready for merge.  If anyone has a chance to take another look at it today, excellent.  I'd like to merge tomorrow and start the release.
> >>>>
> >>>> There are a lot of commits, so here is the high level:
> >>>>
> >>>>  - TOMEE-2519: MP JWT Logging Improvements ensures we know exactly why a JWT is not validating.  There are new tests in itests that boot the server and actually check the log output.  The tomee-server-composer is a new bit of tech introduced in this PR.
> >>>>
> >>>>  - TOMEE-2515: Adds support for RSA keys 1024bits and signatures of RSA-SHA384, RSA-SHA512, with tests for each key and signature type.  There are also tests to ensure the only two required claims are 'sub' and 'exp'.  There is a class JsonWebTokenValidator which is not used yet.  It's mid-refactor.  The intent is to add a builder.  I'm out of time so I'll have to come back to it later.
> >>>>
> >>>>  - TOMEE-2517: MP-JWT and BeanValidation adds a fancy new feature that allows users to use Bean Validation to check JWTs.  You simply write validation constraints against the JsonWebToken and annotate your method.  A method no longer needs to use @RolesAllowed and can be very expressive and specific through the power of bean validation.
> >>>>
> >>>>  - TOMEE-2517: MP-JWT and BeanValidation Example.  Any new feature needs documentation or it doesn't exist.  The example is functional and clean.  The README is barely there and will need more work.
> >>>>
> >>>>  - TOMEE-2521: Apache BVal 2.0.3-SNAPSHOT there was a fix that had to be made to cover a method that has a void return type.  BVal was throwing an exception causing a 500.  This was fixed and passes the bean validation TCK.  Work was done so we could use a custom build for the release tomorrow.  Ideally we'll be back on a proper BVal release very shortly.
> >>>>
> >>>> That's the high level.  Doing a build on my laptop tonight.  If it looks good I'll merge early tomorrow (in a few hours) so there's 2-3 hours for a green build to run prior to starting a release.
> >>>>
> >>>>
> >>>> -David
> >>>>
> >>>>
> >>>
> >
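The annotation-plus-validator pattern David describes above, written out as an added example (this is not the TomEE example or README code): the `Issuer` annotation name comes from the thread, while its `value` attribute, the nested `Validator` class, the fail-closed null handling and the `MoviesResource` usage are assumptions of this illustration. The same pattern works for a custom "roles" claim by reading it with `jsonWebToken.getClaim("roles")` instead of `getIssuer()`.

```java
import java.lang.annotation.*;
import javax.validation.*;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Custom Bean Validation constraint: the token's "iss" claim must equal the
// value given on the annotation. Hypothetical app-code annotation, as in the thread.
@Documented
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = Issuer.Validator.class)
public @interface Issuer {
    String value();                                   // expected "iss" claim value
    String message() default "Token issuer is not trusted";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};

    class Validator implements ConstraintValidator<Issuer, JsonWebToken> {
        private String expected;

        @Override
        public void initialize(final Issuer issuer) {
            // Data passed through the annotation is captured here.
            this.expected = issuer.value();
        }

        @Override
        public boolean isValid(final JsonWebToken jwt, final ConstraintValidatorContext context) {
            // Bean Validation convention treats null as valid and leaves that to @NotNull;
            // for an authorization check we fail closed instead (assumption of this example).
            if (jwt == null || jwt.getIssuer() == null) {
                return false;
            }
            return expected.equals(jwt.getIssuer());
        }
    }
}

// Usage on a JAX-RS method: the validator runs on every invocation, so the
// method needs no @RolesAllowed to be protected by this check.
@Path("/movies")
class MoviesResource {
    @GET
    @Issuer("https://issuer.example")   // placeholder issuer URL
    public String list() {
        return "[]";
    }
}
```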
