[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT

2019-02-03 Thread Michael Brohl (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16759345#comment-16759345
 ] 

Michael Brohl edited comment on OFBIZ-10814 at 2/3/19 9:39 AM:
---

{quote}Should we not use HttpHeaders.AUTHORIZATION in JWTManager::checkJWTLogin?
{quote}
Do you use the right patch? The 1st patch is outdated. I think that I've used 
it instead of a string value.
{quote}Also, please add a new line at the end of security.properties, otherwise it's 
sometimes difficult to read (got an issue in Eclipse Photon)
{quote}
What do you mean? What is the issue?


was (Author: mbrohl):
{quote}Should we not use HttpHeaders.AUTHORIZATION in JWTManager::checkJWTLogin?
{quote}
Do you use the right patch? I think that I've used it instead of a string value.
{quote}Also, please add a new line at the end of security.properties, otherwise it's 
sometimes difficult to read (got an issue in Eclipse Photon)
{quote}
What do you mean? What is the issue?

> Error parsing JWT
> -
>
> Key: OFBIZ-10814
> URL: https://issues.apache.org/jira/browse/OFBIZ-10814
> Project: OFBiz
>  Issue Type: Bug
>  Components: framework
>Affects Versions: Trunk
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Major
> Attachments: Apache OFBiz JWT Test.postman_collection.json, 
> OFBIZ-10814_JWT_parsing_error.patch, 
> OFBIZ-10814_JWT_parsing_error_and_refactoring.patch, 
> OFBIZ-10814_JWT_parsing_error_examples.patch
>
>
> I have problems using the Authorization: Bearer header value for requests 
> towards OFBiz. OFBiz has problems parsing externally generated JSON Web 
> Tokens.
> I have generated them using both [1] and [2] using HS512 and the default 
> secret.
> The JWT check fails because of a parsing error:
> {noformat}
> 2019-01-17 16:48:36,233 |jsse-nio-8443-exec-7 |JavaEventHandler  
> |E| Problems Processing Event
> io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: 
> �z��'G�#�$�uB"�&�r#�$�3S"
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) 
> ~[jjwt-0.9.1.jar:0.9.1]
>     at 
> io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541)
>  ~[jjwt-0.9.1.jar:0.9.1]
>     at 
> org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) 
> ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292)
>  ~[ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196)
>  ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:1.8.0_152]
>     at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
> ~[?:1.8.0_152]
>     at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at 
> org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86)
>  [ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774)
>  [ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407)
>  [ofbiz.jar:?]
>     at 
> org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) 
> [ofbiz.jar:?]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191)
>  [ofbiz.jar:?]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>  [tomcat-catalina-9.0.13.jar:9.0.13]
>     at 
> org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156)
>  [ofbiz.jar:?]
>     at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) 
> [javax.servlet-api-4.0.1.jar:4.0.1]
>     at 
> 
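The bytes in the log above are exactly what a base64 decoder that drops the space produces for the literal text `Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9`: the header value was handed to the parser with the scheme prefix still attached, so the "JSON header" it tried to read was garbage. The block below is an added example (not OFBiz or jjwt code; Python so it runs stand-alone, although the project is Java) that reproduces that symptom and shows a standard Authorization: Bearer extraction followed by an HS512 check with the algorithm pinned server-side. The secret, the claim values and all function names are constructed placeholders.

```python
# Added example, not code from OFBiz or jjwt. Secret, claims and function names are
# constructed placeholders; the token layout (compact JWS, HS512) follows RFC 7519/7515.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-placeholder-secret"  # placeholder; a deployment must configure its own


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Strict base64url decode of one unpadded JWT segment."""
    if not all(c.isalnum() or c in "-_" for c in segment):
        raise ValueError("segment contains characters outside the base64url alphabet")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs512_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS the way an external generator does: HS512 over header.payload."""
    header = {"typ": "JWT", "alg": "HS512"}  # this key order yields the header seen in the log
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def lenient_first_segment(value: str) -> bytes:
    """What a lenient parser makes of the first dot-separated segment of whatever it is given:
    characters outside the alphabet (the space after "Bearer") are dropped, then it decodes."""
    first = value.split(".")[0]
    clean = "".join(c for c in first if c.isalnum() or c in "-_")
    return base64.urlsafe_b64decode(clean + "=" * (-len(clean) % 4))


def is_json_header(raw: bytes) -> bool:
    """True if the decoded bytes are a JSON object; the garbage bytes from the log are not."""
    try:
        return isinstance(json.loads(raw.decode("utf-8")), dict)
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both subclass ValueError
        return False


def extract_bearer_token(authorization):
    """RFC 6750 extraction: scheme is case-insensitive, exactly one space, non-empty token."""
    if not authorization:
        return None
    parts = authorization.split(" ")
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1]:
        return None
    return parts[1]


def verify_hs512(token: str, secret: bytes, now=None) -> dict:
    """Verify a compact JWS with HS512 and return its claims, or raise ValueError."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token must have exactly three segments")
    header = json.loads(b64url_decode(segments[0]).decode("utf-8"))
    # Pin the algorithm server-side; the token must not choose it (rejects "none", HS/RS confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    signing_input = (segments[0] + "." + segments[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(segments[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(segments[1]).decode("utf-8"))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def check_jwt_login(authorization, secret: bytes, now=None) -> dict:
    """Server-side check: Authorization header -> bare token -> verified claims."""
    token = extract_bearer_token(authorization)
    if token is None:
        raise ValueError("missing or malformed Authorization: Bearer header")
    return verify_hs512(token, secret, now)


def rejection_reason(authorization, secret: bytes, now=None):
    """None if the header verifies, otherwise the reason it was rejected."""
    try:
        check_jwt_login(authorization, secret, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = make_hs512_token({"userLoginId": "constructed-user", "exp": 2000000000}, SECRET)
    # Passing the whole header value to the parser reproduces the log: garbage, not JSON.
    print(lenient_first_segment("Bearer " + tok))
    print(is_json_header(lenient_first_segment("Bearer " + tok)))   # False
    print(rejection_reason("Bearer " + tok, SECRET, now=1900000000))  # None
```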

[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT

2019-01-26 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16753047#comment-16753047
 ] 

Jacques Le Roux edited comment on OFBIZ-10814 at 1/26/19 1:52 PM:
--

When OFBIZ-10751 is done, in security.properties I will replace 
_"Configuration in the SystemProperty entity is recommended for security 
reasons."_ 
{quote}\# – The secret key for the JWT token signature. Configuration in the 
SystemProperty entity is recommended for security reasons.
{quote}
by a short explanation and a link to the file where things will be explained in 
detail, based on our previous discussion, mostly with Jacopo and Taher.


was (Author: jacques.le.roux):
When OFBIZ-10751 is done, in security.properties I will replace 
_"Configuration in the SystemProperty entity is recommended for security 
reasons."_ 
{quote}# – The secret key for the JWT token signature. Configuration in the 
SystemProperty entity is recommended for security reasons.
{quote}
by a short explanation and a link to the file where things will be explained in 
detail, based on our previous discussion, mostly with Jacopo and Taher.


[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT

2019-01-26 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751594#comment-16751594
 ] 

Jacques Le Roux edited comment on OFBIZ-10814 at 1/26/19 12:36 PM:
---

Michael,

In the discussion you started on dev ML [\[DISCUSSION\] turn off OOTB JWT 
authorization/SSO functionality|https://markmail.org/message/guk2orpnxulzrj3l] 
I replied to you about the case in example:
{quote}> 2. the functionality to have a single sign on between two OFBiz
 > instances will only be used in rare cases (I think). It is only designed
 > for this special case and cannot be used for standard single sign on
 > scenarios with other systems.

If we make this feature implicitly non-operational, what about showing it in 
example?
 I guess showing it should depend on the property which switches the JWT 
feature on/off.
{quote}
But in the patch you did not address this issue. So it's ineffective when the 
patch is applied. We should keep it, but hide it when no secret key exists or 
maybe simply comment it with an explanation.


was (Author: jacques.le.roux):
Michael,

In the discussion you started on dev ML [[DISCUSSION] turn off OOTB JWT 
authorization/SSO functionality|https://markmail.org/message/guk2orpnxulzrj3l] 
I replied to you about the case in example:
{quote}> 2. the functionality to have a single sign on between two OFBiz
 > instances will only be used in rare cases (I think). It is only designed
 > for this special case and cannot be used for standard single sign on
 > scenarios with other systems.

If we make this feature implicitly non-operational, what about showing it in 
example?
 I guess showing it should depend on the property which switches the JWT 
feature on/off.
{quote}
But in the patch you did not address this issue. So it's ineffective when the 
patch is applied. We should keep it, but hide it when no secret key exists or 
maybe simply comment it with an explanation.


[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT

2019-01-22 Thread Deepak Dixit (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16748664#comment-16748664
 ] 

Deepak Dixit edited comment on OFBIZ-10814 at 1/22/19 12:12 PM:


Hi [~mbrohl],

It's a filter, and if we want to use the token for authentication then we need to add 
this filter in web.xml


was (Author: deepak.dixit):
Hi [~mbrohl],

It's a filter, and if we want to use the token as authentication then we need to add 
this filter in web.xml


[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT

2019-01-19 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16747006#comment-16747006
 ] 

Jacques Le Roux edited comment on OFBIZ-10814 at 1/19/19 10:17 AM:
---

Thanks Michael,

You said:
bq. In current OOTB OFBiz, the secret key is read from the 
database/security.properties with a default, which anyone can read.

Yes so far we agreed on that. I guess you know I created OFBIZ-10751 as a 
necessary preamble to any customised (as in custom projects) usage of the JWT 
feature. The idea is to allow users to easily test the JWT feature, like w/ the 
case example, and let them know that this feature should be *secured for a 
production usage.* It's easier to follow how it's done and used OOTB when you 
have an example accessible.

So your 3 propositions make sense but I don't agree that we should prohibit the 
usage of JWT OOTB. Anyway it's not ours to decide alone, this discussion should 
be done on the dev ML. I suggest continuing at 
https://markmail.org/message/dtjnu7fdi5noeagk


was (Author: jacques.le.roux):
Thanks Michael,

You said:
bq. In current OOTB OFBiz, the secret key is read from the 
database/security.properties with a default, which anyone can read.

Yes so far we agreed on that. I guess you know I created OFBIZ-10751 as a 
necessary preamble to any customised (as in custom projects) usage of the JWT 
feature. The idea is to allow users to easily test the JWT feature, like w/ the 
case example, and let them know that this feature should be *secured for a 
production usage.* It's then easier to follow how it's done and used OOTB when 
you have an example accessible.

So your 3 propositions make sense but I don't agree that we should prohibit the 
usage of JWT OOTB. Anyway it's not ours to decide alone, this discussion should 
be done on the dev ML. I suggest continuing at 
https://markmail.org/message/dtjnu7fdi5noeagk


[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT

2019-01-18 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16746926#comment-16746926
 ] 

Jacques Le Roux edited comment on OFBIZ-10814 at 1/19/19 3:13 AM:
--

Yes, that's what I saw: refactoring in ExternalLoginKeysManager. Now about:
bq. I also think that we should disable this feature OOTB because it allows a 
login using a generated JWT and the default secret along with well known 
userLoginId's. This should be switched on by an administrator, with a 
configured secret. We cannot rely on the assumption that users find this 
functionality and secure their platform accordingly.

Which feature do you specifically have in mind? The one in the example component which 
allows jumping from a localhost to the demo trunk instance w/ a kind of SSO?



was (Author: jacques.le.roux):
Yes, that's what I saw refactoring in ExternalLoginKeysManager. Now about
bq. I also think that we should disable this feature OOTB because it allows a 
login using a generated JWT and the default secret along with well known 
userLoginId's. This should be switched on by an administrator, with a 
configured secret. We cannot rely on the assumption that users find this 
functionality and secure their platform accordingly.

Which feature do you specifically have in mind? The one in the example component which 
allows jumping from a localhost to the demo trunk instance w/ a kind of SSO?



[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT

2019-01-18 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16746660#comment-16746660
 ] 

Jacques Le Roux edited comment on OFBIZ-10814 at 1/19/19 3:09 AM:
--

Hi Michael,

From my review of ExternalLoginKeysManager changes this should work. But it 
can't be tested OOTB (and that's the difficulty of testing this feature) 
because the changes must also be applied on the trunk demo instance. We could 
though apply them temporarily just for the test and revert. _Disclaimer: I only 
reviewed ExternalLoginKeysManager changes so far_

You said
{quote}I wonder how this could have been working with several bugs in the code.
{quote}
I did not see any bug fixed in ExternalLoginKeysManager, what do you think 
about? If you think about having a bearer, it was an initial way I picked for 
simplicity. It's not a bug but I agree it's best to follow the standard.


was (Author: jacques.le.roux):
Hi Michael,

From my review of ExternalLoginKeysManager changes this should work. But it 
can be tested OOTB (and that's the difficulty of testing this feature) because 
the changes must also be applied on the trunk demo server. We could though 
apply them temporarily just for the test and revert. _Disclaimer: I only 
reviewed ExternalLoginKeysManager changes so far_

You said
{quote}I wonder how this could have been working with several bugs in the code.
{quote}
I did not see any bug fixed in ExternalLoginKeysManager, what do you think 
about? If you think about having a bearer, it was an initial way I picked for 
simplicity. It's not a bug but I agree it's best to follow the standard.


[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT

2019-01-18 Thread Michael Brohl (JIRA)


[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16746413#comment-16746413 ]

Michael Brohl edited comment on OFBIZ-10814 at 1/18/19 3:45 PM:


I have attached a patch which contains the following changes:
 * Fixes incorrect retrieval of the Authorization header JWT token.
 * Fixes wrong API usage for the key parameter which assumed the key is 
provided in BASE64 format.
 * Refactored the code to use helper methods for key and auth header retrieval.
 * Javadoc corrections and enhancements.

The key is provided to the API as is, just using the API expecting a byte array 
instead of a BASE64 encoded string. It was falsely being decoded before.

I've tested with both an invalid JWT which does not contain a userLoginId as 
well as with a valid userLoginId (see attached postman collections).

I did not test single sign on between two OFBiz instances.

Please review the changes and test the single sign on between two instances, if 
possible.

I wonder how this could have been working with several bugs in the code.
{quote}I also think that we should disable this feature OOTB because it allows 
a login using a generated JWT and the default secret along with well known 
userLoginId's.

This should be switched on by an administrator, with a configured secret. We 
cannot rely on the assumption that users find this functionality and secure 
their platform accordingly.
{quote}
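The two fixes listed in the comment above (stripping the Bearer scheme before parsing, and handing the configured secret to the parser as bytes rather than as a Base64 string), as an added example that is not part of this thread, of OFBiz or of jjwt. It is written against the jjwt 0.9.1 API that appears in the stack trace; the class name, method names, claim value and secret are constructed for the demo, and the behaviour of the pre-patch String overload is described from the jjwt API contract, not from the OFBiz source.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.charset.StandardCharsets;

/**
 * Added example, not OFBiz or jjwt code: the two fixes listed in the comment
 * above, written against the jjwt 0.9.1 API named in the stack trace.
 * Class name, method names, claim value and secret are constructed for the demo.
 */
public class BearerJwtCheck {

    private static final String BEARER = "Bearer ";

    /**
     * Returns the compact JWT carried in an Authorization header, or null when
     * the header is missing or does not use the Bearer scheme (RFC 6750).
     * Handing the whole header value ("Bearer eyJ...") to the parser makes
     * jjwt Base64url-decode "Bearer eyJ..." as if it were the JOSE header,
     * which is consistent with the binary garbage in the logged
     * MalformedJwtException ("Unable to read JSON value").
     */
    static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null) {
            return null;
        }
        String value = authorizationHeader.trim();
        // The scheme name is case-insensitive (RFC 7235); the token itself is not.
        if (!value.regionMatches(true, 0, BEARER, 0, BEARER.length())) {
            return null;
        }
        String token = value.substring(BEARER.length()).trim();
        return token.isEmpty() ? null : token;
    }

    /**
     * Verifies an HS512 token with the configured secret used as-is.
     * setSigningKey(byte[]) takes the key bytes directly. The overload
     * setSigningKey(String) Base64-decodes its argument first, so feeding it a
     * plain-text secret verifies against different key bytes than the issuer
     * signed with; that is the API misuse the patch removes.
     */
    static Claims validateToken(String token, String secret) {
        byte[] keyBytes = secret.getBytes(StandardCharsets.UTF_8);
        Jws<Claims> jws = Jwts.parser()
                .setSigningKey(keyBytes)
                .parseClaimsJws(token); // throws JwtException on bad signature, expiry or format
        return jws.getBody();
    }

    public static void main(String[] args) {
        // Constructed secret for the demo; OFBiz reads its own from security.properties.
        String secret = "example-shared-secret-for-demo-only";

        // Token minted the way an external client would: HS512 over the plain secret bytes.
        String token = Jwts.builder()
                .claim("userLoginId", "demo-user") // constructed claim value
                .signWith(SignatureAlgorithm.HS512, secret.getBytes(StandardCharsets.UTF_8))
                .compact();

        // Fixed path: strip the scheme, then verify with the raw key bytes.
        String compact = extractBearerToken("Bearer " + token);
        Claims claims = validateToken(compact, secret);
        System.out.println("userLoginId = " + claims.get("userLoginId", String.class));

        // Inputs the check must reject: another scheme, and a token whose
        // signature does not match the configured secret.
        System.out.println("Basic scheme -> " + extractBearerToken("Basic QWxhZGRpbjpvcGVu"));
        try {
            validateToken(compact, "a-different-secret");
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }

        // The pre-patch misuse for comparison: the String overload treats the
        // secret as Base64, so either the decode is rejected or the resulting
        // key bytes differ from the issuer's and the signature check fails.
        try {
            Jwts.parser().setSigningKey(secret).parseClaimsJws(compact);
        } catch (RuntimeException e) {
            System.out.println("String-overload misuse rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The same check applies whether the token is minted by jwt.io, a script or a second OFBiz instance: as long as both sides use the secret's bytes directly and the scheme prefix is removed before parsing, an HS512 token verifies; a token signed under any other key, or a header using a different scheme, is rejected before any userLoginId is read from it.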