[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16759345#comment-16759345 ]

Michael Brohl edited comment on OFBIZ-10814 at 2/3/19 9:39 AM:
---------------------------------------------------------------

{quote}Should we not use HttpHeaders.AUTHORIZATION in JWTManager::checkJWTLogin?{quote}

Do you use the right patch? The 1st patch is outdated. I think that I've used it instead of a string value.

{quote}Also, please add a new line at the end of security.properties, it's else sometimes difficult to read (got issue in Eclipse Photon){quote}

What do you mean? What is the issue?

was (Author: mbrohl):
{quote}Should we not use HttpHeaders.AUTHORIZATION in JWTManager::checkJWTLogin?{quote}

Do you use the right patch? I think that I've used it instead of a string value.

{quote}Also, please add a new line at the end of security.properties, it's else sometimes difficult to read (got issue in Eclipse Photon){quote}

What do you mean? What is the issue?

> Error parsing JWT
> -----------------
>
>                 Key: OFBIZ-10814
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10814
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>         Attachments: Apache OFBiz JWT Test.postman_collection.json, OFBIZ-10814_JWT_parsing_error.patch, OFBIZ-10814_JWT_parsing_error_and_refactoring.patch, OFBIZ-10814_JWT_parsing_error_examples.patch
>
>
> I have problems using the Authorization: Bearer header value for requests towards OFBiz. OFBiz has problems parsing externally generated JSON Web Tokens.
> I have generated them using both [1] and [2] using HS512 and the default secret.
> The JWT check fails because of a parsing error:
> {noformat}
> 2019-01-17 16:48:36,233 |jsse-nio-8443-exec-7 |JavaEventHandler |E| Problems Processing Event
> io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S"
> at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
> at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
> at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
> at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) [ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) [ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
> at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
> at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
> at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
> at
[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16753047#comment-16753047 ]

Jacques Le Roux edited comment on OFBIZ-10814 at 1/26/19 1:52 PM:
------------------------------------------------------------------

When OFBIZ-10751 is done, in security.properties I will replace _"Configuration in the SystemProperty entity is recommended for security reasons."_
{quote}\# – The secret key for the JWT token signature. Configuration in the SystemProperty entity is recommended for security reasons.{quote}
with a short explanation and a link to the file where things will be explained in detail, based on our previous discussion, mostly with Jacopo and Taher.

was (Author: jacques.le.roux):
When OFBIZ-10751 will be done, in security.properties I will replace _"Configuration in the SystemProperty entity is recommended for security reasons."_
{quote}# – The secret key for the JWT token signature. Configuration in the SystemProperty entity is recommended for security reasons.{quote}
by a short explanation and a link to the file where things will be explained in details, based on our previous discussion, mostly with Jacopo and Taher.
[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751594#comment-16751594 ]

Jacques Le Roux edited comment on OFBIZ-10814 at 1/26/19 12:36 PM:
-------------------------------------------------------------------

Michael,

In the discussion you started on the dev ML, [\[DISCUSSION\] turn off OOTB JWT authorization/SSO functionality|https://markmail.org/message/guk2orpnxulzrj3l], I replied to you about the case in example:
{quote}> 2. the functionality to have a single sign on between two OFBiz
> instances will only be used in rare cases (I think). It is only designed
> for this special case and cannot be used for standard single sign on
> scenarios with other systems.

If we make this feature implicitly non-operational, what about showing it in example? I guess showing it should depend on the property which switches the JWT feature on/off.
{quote}
But in the patch you did not address this issue. So it's ineffective when the patch is applied. We should keep it, but hide it when no secret key exists, or maybe simply comment it with an explanation.

was (Author: jacques.le.roux):
Michael,

In the discussion you started on dev ML [[DISCUSSION] turn off OOTB JWT authorization/SSO functionality|https://markmail.org/message/guk2orpnxulzrj3l] I replied to you about the case in example:
{quote}> 2. the functionality to have a single sign on between two OFBiz
> instances will only be used in rare cases (I think). It is only designed
> for this special case and cannot be used for standard single sign on
> scenarios with other systems.

If we make this feature implicitly non-operational, what about showing it in example? I guess showing it should depend of the property which switch on/off the JWT feature.
{quote}
But in the patch you did not address this issue. So it's ineffective when the patch is applied. We should keep it, but hide it when no secret key exists or maybe simply comment it with an explanation.
[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16748664#comment-16748664 ]

Deepak Dixit edited comment on OFBIZ-10814 at 1/22/19 12:12 PM:
----------------------------------------------------------------

Hi [~mbrohl],

It's a filter, and if we want to use the token for authentication then we need to add this filter in web.xml.

was (Author: deepak.dixit):
Hi [~mbrohl],

Its filter and if we want to user token as authentication then we need to add this filter in web.xml
[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16747006#comment-16747006 ]

Jacques Le Roux edited comment on OFBIZ-10814 at 1/19/19 10:17 AM:
-------------------------------------------------------------------

Thanks Michael,

You said:
bq. In current OOTB OFBiz, the secret key is read from the database/security.properties with a default, which anyone can read.

Yes, so far we agreed on that. I guess you know I created OFBIZ-10751 as a necessary preamble to any customised (as in custom projects) usage of the JWT feature. The idea is to allow users to easily test the JWT feature, like w/ the case example, and let them know that this feature should be *secured for a production usage.* It's easier to follow how it's done and used OOTB when you have an example accessible.

So your 3 propositions make sense, but I don't agree that we should prohibit the usage of JWT OOTB. Anyway it's not ours to decide alone; this discussion should be done on the dev ML. I suggest to continue at https://markmail.org/message/dtjnu7fdi5noeagk

was (Author: jacques.le.roux):
Thanks Michael,

You said.
bq. In current OOTB OFBiz, the secret key is read from the database/security.properties with a default, which anyone can read.

Yes so far we agreed on that. I guess you know I created OFBIZ-10751 as a necessary preamble to any customised (as in custom projects) usage of the JWT feature. The idea is to allow users to easily test the JWT feature, like w/ the case example, and let them know that this feature should be *secured for a production usage.* It's then easier to follow how it's done and used OOTB when you have an example accessible.

So your 3 propositions make sense but I don't agree that we should prohibit the usage of JWT OOTB. Anyway it's not ours to decide alone, this discussion should be done on the dev ML.
I suggest to continue https://markmail.org/message/dtjnu7fdi5noeagk
[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16746926#comment-16746926 ]

Jacques Le Roux edited comment on OFBIZ-10814 at 1/19/19 3:13 AM:
------------------------------------------------------------------

Yes, that's what I saw: refactoring in ExternalLoginKeysManager.

Now about:
bq. I also think that we should disable this feature OOTB because it allows a login using a generated JWT and the default secret along with well known userLoginId's. This should be switched on by an administrator, with a configured secret. We cannot rely on the assumption that users find this functionality and secure their platform accordingly.

Which feature are you specifically thinking of? The one in the example component which allows jumping from a localhost to the demo trunk instance w/ a kind of SSO?

was (Author: jacques.le.roux):
Yes, that's what I saw refactoring in ExternalLoginKeysManager.

Now about
bq. I also think that we should disable this feature OOTB because it allows a login using a generated JWT and the default secret along with well known userLoginId's. This should be switched on by an administrator, with a configured secret. We cannot rely on the assumption that users find this functionality and secure their platform accordingly.

At what feature do you specifically think? The one in example component which allows to jump from a localhost to the demo trunk instance w/ a kind of SSO?
[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16746660#comment-16746660 ]

Jacques Le Roux edited comment on OFBIZ-10814 at 1/19/19 3:09 AM:
------------------------------------------------------------------

Hi Michael,

From my review of the ExternalLoginKeysManager changes this should work. But it can't be tested OOTB (and that's the difficulty of testing this feature) because the changes must also be applied on the trunk demo instance. We could though apply them temporarily just for the test and revert.

_Disclaimer: I only reviewed the ExternalLoginKeysManager changes so far_

You said
{quote}I wonder how this could have been working with several bugs in the code.{quote}
I did not see any bug fixed in ExternalLoginKeysManager, what are you thinking about? If you think about having a bearer, it was an initial way I picked for simplicity. It's not a bug but I agree it's best to follow the standard.

was (Author: jacques.le.roux):
Hi Michael,

From my review of ExternalLoginKeysManager changes this should work. But it can be tested OOTB (and that's the difficulty of testing this feature) because the changes must be also applied on the trunk demo server. We could though apply them temporarily just for the test and revert.

_Disclaimer I only reviewed ExternalLoginKeysManager changes so far_

You said
{quote}I wonder how this could have been working with several bugs in the code.{quote}
I did not see any bug fixed in ExternalLoginKeysManager, what do you think about? If you think about having a bearer, it was an initial way I picked for simplicity. It's not a bug but I agree it's best to follow the standard.
[jira] [Comment Edited] (OFBIZ-10814) Error parsing JWT
[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16746413#comment-16746413 ]

Michael Brohl edited comment on OFBIZ-10814 at 1/18/19 3:45 PM:

I have attached a patch which contains the following changes:

* Fixes incorrect retrieval of the Authorization header JWT token.
* Fixes wrong API usage for the key parameter which assumed the key is provided in BASE64 format.
* Refactored the code to use helper methods for key and auth header retrieval.
* Javadoc corrections and enhancements.

The key is provided to the API as is, just using the API expecting a byte array instead of a BASE64 encoded string. It was falsely being decoded before.

I've tested with both an invalid JWT which does not contain a userLoginId as well as with a valid userLoginId (see attached postman collections). I did not test single sign on between two OFBiz instances. Please review the changes and test the single sign on between two instances, if possible. I wonder how this could have been working with several bugs in the code.

{quote}I also think that we should disable this feature OOTB because it allows a login using a generated JWT and the default secret along with well known userLoginId's. This should be switched on by an administrator, with a configured secret. We cannot rely on the assumption that users find this functionality and secure their platform accordingly.{quote}
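Added example (not OFBiz code and not from the attached patch): a minimal Python model of the two fixes the comment above describes. `bearer_token` strips the `Bearer` scheme before the token is parsed, and `verify_hs512` keys the HMAC with the secret bytes exactly as given instead of a base64-decoded form; it also shows that a value which still carries the scheme fails at the JSON step, the kind of failure jjwt reports as "Unable to read JSON value", while a wrongly decoded secret fails at signature verification. The function names, the constructed secret and the `userLoginId` claim value are assumptions, not values from the issue.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def bearer_token(authorization: str):
    """Return the token part of 'Bearer <token>', or None if the scheme is missing."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def sign_hs512(claims: dict, secret: bytes) -> str:
    """Issue an HS512 JWS keyed with the raw secret bytes, as an external generator would."""
    header = b64url_encode(b'{"alg":"HS512","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs512(token: str, secret: bytes) -> dict:
    # Returns the claims only if the token is well-formed and the HS512 MAC matches.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except ValueError as e:  # base64, UTF-8 and JSON errors are all ValueError subclasses
        raise ValueError(f"unable to read JSON value: {e}")
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p))

# Constructed sample: a secret the issuer uses as raw bytes (it also happens to be
# valid base64 text, so a verifier that wrongly decodes it gets a different key).
SECRET = b"ConstructedSharedSecret1"
TOKEN = sign_hs512({"userLoginId": "example-user"}, SECRET)

def check_login(authorization: str, secret: bytes) -> str:
    """Verifier side: extract the bearer token, verify it with the raw secret, return the login id."""
    token = bearer_token(authorization)
    if token is None:
        raise ValueError("no bearer token")
    return verify_hs512(token, secret)["userLoginId"]
```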