Injected JsonWebToken is empty with MicroProfile JWT Auth 1.1 on Payara 5.183
I'm having problems decoding/using/verifying a JWT that is passed to my Java EE 8 and MicroProfile 2.0.1 backend running on Payara 5.183. A React frontend application passes the JWT token it obtained from Keycloak to the backend as `Authorization: Bearer eyXJS...`.

The backend is configured to verify the JWT token as defined in the MicroProfile JWT Auth Spec 1.1 using the following `microprofile-config.properties` in `src/main/resources/META-INF`:

```properties
mp.jwt.verify.publickey.location=/META-INF/orange.pem
mp.jwt.verify.issuer=http://localhost:8282/auth/realms/MicroProfile
```
The public key from Keycloak is stored in the `orange.pem` file. The JAX-RS configuration looks like this:

```java
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

@LoginConfig(authMethod = "MP-JWT")
@ApplicationPath("resources")
public class JAXRSConfiguration extends Application {
}
```
I'm trying to use the JWT in one of the endpoints:

```java
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("secure")
@Stateless
public class VerySecureResource {

    @Inject
    @ConfigProperty(name = "message")
    private String message;

    @Inject
    private JsonWebToken callerPrincipal;

    @GET
    public Response message() {
        System.out.println(callerPrincipal.getIssuer());
        System.out.println(callerPrincipal.getRawToken());
        System.out.println(callerPrincipal.getTokenID());
        return Response.ok(callerPrincipal.getName() + " is allowed to read message: " + message).build();
    }
}
```
The application deploys without any errors, and I don't get any logging about a failed JWT verification in Payara's `server.log`. I even turned on logging for `fish.payara.microprofile.jwtauth`.

```
[2018-12-26T17:06:20.835+0100] [Payara 5.183] [INFORMATION] [] [org.glassfish.soteria.servlet.SamRegistrationInstaller] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380835] [levelValue: 800] [[
Initializing Soteria 1.1-b01 for context '/microprofile-jwt-keycloak-auth']]
[2018-12-26T17:06:20.841+0100] [Payara 5.183] [INFORMATION] [] [fish.payara.microprofile.jwtauth.servlet.RolesDeclarationInitializer] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380841] [levelValue: 800] [[
Initializing MP-JWT 5.183 for context '/microprofile-jwt-keycloak-auth']]
[2018-12-26T17:06:20.933+0100] [Payara 5.183] [INFORMATION] [AS-WEB-GLUE-00172] [javax.enterprise.web] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380933] [levelValue: 800] [[
Loading application [microprofile-jwt-keycloak-auth] at [/microprofile-jwt-keycloak-auth]]]
[2018-12-26T17:06:20.949+0100] [Payara 5.183] [INFORMATION] [] [javax.enterprise.system.core] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380949] [levelValue: 800] [[
microprofile-jwt-keycloak-auth was successfully deployed in 954 milliseconds.]]
[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
null]]
[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
null]]
[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
null]]
```
The decoded JWT looks like this:

```json
{
  "jti": "5a3c600e-95ea-41cb-8e65-8342a3b867bc",
  "exp": 1545840603,
  "nbf": 0,
  "iat": 1545840303,
  "iss": "http://localhost:8282/auth/realms/MicroProfile",
  "aud": "account",
  "sub": "f2a492cb-cf9f-46ac-8f04-941601c6574b",
  "typ": "Bearer",
  "azp": "react-webapp",
  "nonce": "f650eb68-611f-4bd9-97a7-d07f1b3e29de",
  "auth_time": 1545840302,
  "session_state": "f6627b25-b089-4234-b25c-bffa67a9a8f7",
  "acr": "1",
  "allowed-origins": [
    "http://localhost:3000"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "USER"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "email_verified": false,
  "name": "duke duke",
  "groups": [
    "/USER"
  ],
  "preferred_username": "duke",
  "given_name": "duke",
  "family_name": "duke",
  "email": "duke@jakarta.ee"
}
```
The whole code base is available on GitHub.
I see you have only added the `@LoginConfig` annotation on the JAX-RS application, but that is not enough to protect the resources. It is a marker indicating that all protected endpoints will use the JWT from the authentication header.

So you need to define the endpoint as

```java
@GET
@RolesAllowed("/USER")
public Response message() {
```

Only then does authentication from the JWT take effect.

You also need to declare all roles, either in `web.xml` or with `@DeclareRoles` on the application bean (or any other CDI bean):

```java
@ApplicationPath("/data")
@LoginConfig(authMethod = "MP-JWT")
@DeclareRoles({"/USER"})
public class Keycloack_jwtRestApplication extends Application {
```
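The answer above names the two missing pieces (`@DeclareRoles` on the `Application`, `@RolesAllowed` on the endpoint) separately. The following is an added example that puts them together into one compilable pair of classes; it is neither the asker's repository code nor the answerer's, and the package name, the extra `/ADMIN` role and the `whoami` sub-path are assumptions. The `groups` claim and the `/USER` group path are taken from the token shown in the question.

```java
// Added example (not the question's or the answer's code). Package name,
// the "/ADMIN" role and the "whoami" sub-path are assumptions.

// --- File: JAXRSConfiguration.java ---
package com.example.jwtdemo;

import javax.annotation.security.DeclareRoles;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;

import org.eclipse.microprofile.auth.LoginConfig;

@LoginConfig(authMethod = "MP-JWT")   // enables the MP-JWT authentication mechanism for this app
@DeclareRoles({"/USER", "/ADMIN"})     // every role referenced by a @RolesAllowed must be declared
@ApplicationPath("resources")
public class JAXRSConfiguration extends Application {
}

// --- File: VerySecureResource.java ---
package com.example.jwtdemo;

import java.util.Set;

import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.json.Json;
import javax.json.JsonArrayBuilder;
import javax.json.JsonObject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("secure")
@RequestScoped   // JsonWebToken is request scoped; @Stateless as in the question also works on Payara
public class VerySecureResource {

    @Inject
    @ConfigProperty(name = "message")
    private String message;

    @Inject
    private JsonWebToken callerPrincipal;

    // Without @RolesAllowed the container never runs the MP-JWT mechanism for this
    // method, which is why every claim printed in the question came back as null.
    // With it, a request without a valid bearer token is rejected with 401 and a
    // valid token lacking the role with 403, before this method body executes.
    @GET
    @RolesAllowed("/USER")
    @Produces(MediaType.TEXT_PLAIN)
    public Response message() {
        return Response.ok(callerPrincipal.getName() + " is allowed to read message: " + message).build();
    }

    // Assumed second endpoint returning the verified claims as JSON. The raw token
    // is deliberately not echoed or logged; the jti is enough to correlate a
    // request with the identity provider's own logs.
    @GET
    @Path("whoami")
    @RolesAllowed({"/USER", "/ADMIN"})
    @Produces(MediaType.APPLICATION_JSON)
    public JsonObject whoami() {
        JsonArrayBuilder groups = Json.createArrayBuilder();
        Set<String> groupClaim = callerPrincipal.getGroups();   // the "groups" claim, ["/USER"] in the question's token
        if (groupClaim != null) {
            groupClaim.forEach(groups::add);
        }
        String username = callerPrincipal.getClaim("preferred_username");
        return Json.createObjectBuilder()
                .add("name", callerPrincipal.getName())        // upn, else preferred_username, else sub
                .add("subject", callerPrincipal.getSubject())
                .add("issuer", callerPrincipal.getIssuer())    // must equal mp.jwt.verify.issuer exactly
                .add("tokenId", callerPrincipal.getTokenID())
                .add("preferredUsername", username == null ? "" : username)
                .add("expiresAt", callerPrincipal.getExpirationTime())
                .add("groups", groups)
                .build();
    }
}
```

Two points worth checking when wiring this up: the role strings in `@DeclareRoles` and `@RolesAllowed` must match the `groups` claim values character for character (Keycloak emits group paths with the leading slash, hence `/USER`), and `mp.jwt.verify.issuer` must equal the token's `iss` claim exactly, otherwise the token is rejected rather than partially populated.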