
MP JWT: have to specify "rolesProperties" for the "JWTLoginModule" even if I don't need it

      Description

      When using MP JWT, I have to configure the login module like this (pasting the full security config for reference):

      swarm:
        security:
          security-domains:
            test-realm:
              jaspi-authentication:
                login-module-stacks:
                  test-login-module-stack:
                    login-modules:
                    - login-module: jwt-login-module
                      code: org.wildfly.swarm.microprofile.jwtauth.deployment.auth.jaas.JWTLoginModule
                      flag: required
                      module-options:
                        rolesProperties: roles-mapping.properties
                auth-modules:
                  http:
                    code: org.wildfly.extension.undertow.security.jaspi.modules.HTTPSchemeServerAuthModule
                    module: org.wildfly.extension.undertow
                    flag: required
                    login-module-stack-ref: test-login-module-stack

      I absolutely must add the rolesProperties option, even if I don't actually need it. Without the option, the JWTLoginModule doesn't work, even though there's no reasonable error message. (There's a LoginException thrown from RoleMappingLoginModule.getRoleSets, but it gets swallowed somewhere!) As a workaround, I can specify a name of a non-existing file – the login module is fine with that.

      The ultimate cause is that RoleMappingLoginModule, which is a parent class of JWTLoginModule, insists on rolesProperties being provided without it actually being necessary. (If I look into the source, it seems the check was added later; the code was clearly originally written with rolesProperties being optional.)

      What I think we could do is override the getRoleSets method in JWTLoginModule and before delegating to the parent, check if the option is set, and if it isn't, set it to some random value that is guaranteed not to exist. That's obviously a hack which depends on an implementation detail of the parent class. If we don't do that, we should at least document that the option is mandatory.
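      The following is an added sketch of the hack proposed above, written for this page and not taken from Thorntail or PicketBox. It assumes PicketBox's RoleMappingLoginModule (org.jboss.security.auth.spi) reads the "rolesProperties" key from the options map handed to the standard JAAS initialize() method, and it puts the default in initialize() rather than getRoleSets() on the assumption that the options map the container passes may be unmodifiable, so a copy is made instead of mutating it. The class name, the placeholder file name and the log message are this example's own choices. Because the fallback makes the missing option invisible (the same swallowed-error problem the report describes), the example logs it so an operator can see in the server log that no role mapping is in effect.

```java
package example; // hypothetical package, not Thorntail's

import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.logging.Logger;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;

import org.jboss.security.auth.spi.RoleMappingLoginModule;

/**
 * Hypothetical subclass illustrating the workaround from the issue: when a
 * deployment does not configure "rolesProperties", supply a file name that is
 * guaranteed not to exist so the parent's mandatory check passes while no
 * role mapping is actually applied.
 */
public class OptionalRolesPropertiesLoginModule extends RoleMappingLoginModule {

    private static final Logger LOG =
            Logger.getLogger(OptionalRolesPropertiesLoginModule.class.getName());

    /** Option key used by RoleMappingLoginModule (taken from the issue's config). */
    static final String ROLES_PROPERTIES_OPTION = "rolesProperties";

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        // Delegate to the parent with the (possibly defaulted) options.
        super.initialize(subject, callbackHandler, sharedState,
                withDefaultRolesProperties(options));
    }

    /**
     * Returns the options unchanged when rolesProperties is set to a non-blank
     * value; otherwise returns a copy with a placeholder. The map is copied
     * because the container may hand over an unmodifiable map (assumption).
     */
    static Map<String, ?> withDefaultRolesProperties(Map<String, ?> options) {
        Object configured = options == null ? null : options.get(ROLES_PROPERTIES_OPTION);
        if (configured != null && !configured.toString().trim().isEmpty()) {
            return options;
        }
        Map<String, Object> copy = options == null ? new HashMap<>() : new HashMap<>(options);
        // Random, clearly labelled name: no deployment ships a file with it,
        // so the parent's lookup finds nothing and assigns no mapped roles.
        String placeholder = "no-role-mapping-" + UUID.randomUUID() + ".properties";
        copy.put(ROLES_PROPERTIES_OPTION, placeholder);
        // Make the silent fallback visible: the report notes the parent's
        // LoginException is otherwise swallowed without a usable message.
        LOG.info("rolesProperties not configured; using placeholder '" + placeholder
                + "' so that no role mapping is applied");
        return copy;
    }
}
```

      If this approach were taken, the class would be registered in the login-module-stack in place of (or as the new implementation of) the JWTLoginModule "code" shown in the config above; deployments that do want a role mapping keep setting rolesProperties exactly as before.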

              People

              • Assignee:
                sbiarozk Sergey Beryozkin
                Reporter:
                lthon Ladislav Thon