Thorntail / THORN-2323

After upgrade from 2018.5.0 Security Context is not working anymore

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 2.3.0.Final
    • Fix Version/s: 2.6.0.Final
    • Component/s: microprofile
    • Labels: None
    • Story Points: 5
    • Steps to Reproduce:

      pom.xml

      <project xmlns="http://maven.apache.org/POM/4.0.0"
      	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
      	<modelVersion>4.0.0</modelVersion>
      
      	<groupId>de.fe.sab.kitty.service.demo</groupId>
      	<artifactId>jwt-demo-service</artifactId>
      	<version>1.1-SNAPSHOT</version>
      
      	<packaging>war</packaging>
      	<name>jwt-demo-service</name>
      
      	<properties>
      		<maven.compiler.source>1.8</maven.compiler.source>
      		<maven.compiler.target>1.8</maven.compiler.target>
      		<failOnMissingWebXml>false</failOnMissingWebXml>
      		<version.thorntail>2.3.0.Final</version.thorntail>
      	</properties>
      
      	<dependencies>
      		<dependency>
      			<groupId>io.thorntail</groupId>
      			<artifactId>microprofile</artifactId>
      			<version>${version.thorntail}</version>
      			<exclusions>
      				<exclusion>
      					<groupId>io.thorntail</groupId>
      					<artifactId>config-api-runtime</artifactId>
      				</exclusion>
      			</exclusions>
      		</dependency>
      		<dependency>
      			<groupId>io.thorntail</groupId>
      			<artifactId>jpa</artifactId>
      			<version>${version.thorntail}</version>
      		</dependency>
      		<dependency>
      			<groupId>junit</groupId>
      			<artifactId>junit</artifactId>
      			<version>3.8.1</version>
      			<scope>test</scope>
      		</dependency>
      	</dependencies>
      	<build>
      
      		<finalName>jwt-demo-service-${project.version}</finalName>
      		<plugins>
      			<plugin>
      				<groupId>io.thorntail</groupId>
      				<artifactId>thorntail-maven-plugin</artifactId>
      				<version>${version.thorntail}</version>
      				<executions>
      					<execution>
      						<goals>
      							<goal>package</goal>
      						</goals>
      					</execution>
      				</executions>
      			</plugin>
      
      			<plugin>
      				<groupId>org.apache.maven.plugins</groupId>
      				<artifactId>maven-dependency-plugin</artifactId>
      				<version>2.10</version>
      			</plugin>
      			<plugin>
      				<groupId>org.apache.maven.plugins</groupId>
      				<artifactId>maven-checkstyle-plugin</artifactId>
      				<version>3.0.0</version>
      			</plugin>
      		</plugins>
      	</build>
      </project>
      

      project-stages.yaml

      thorntail:
      
        https:
          only: true
          key:
           alias: jwt-demo-service
          keystore:
            path: /opt/service/security/keystore.p12
            password: changeit
      
        undertow:
          filter-configuration:
            response-headers:
              access-control-allow-origin:
                header-name: Access-Control-Allow-Origin
                header-value: "*"
              access-control-allow-methods:
                header-name: Access-Control-Allow-Methods
                header-value: GET, POST, PUT, DELETE, OPTIONS
              access-control-max-age:
                header-name: Access-Control-Max-Age
                header-value: -1
              access-control-allow-headers:
                header-name: Access-Control-Allow-Headers
                header-value: Origin, X-Requested-With, Content-Type, Accept
      
          servers:
            default-server:
              hosts:
                default-host:
                  filter-refs:
                    access-control-allow-origin:
                      priority: 1
                    access-control-allow-methods:
                      priority: 1
                    access-control-max-age:
                      priority: 1
                    access-control-allow-headers:
                      priority: 1
      
        security:
          security-domains:
            sab-realm:
              jaspi-authentication:
                login-module-stacks:
                  sab-login-module-stack:
                    login-modules:
                      - login-module: sab-role-login-module
                        code: org.wildfly.swarm.microprofile.jwtauth.deployment.auth.jaas.JWTLoginModule
                        flag: required
                        module-options:
                          logExceptions: true
                auth-modules:
                  http:
                    code: org.wildfly.extension.undertow.security.jaspi.modules.HTTPSchemeServerAuthModule
                    module: org.wildfly.extension.undertow
                    flag: required
                    login-module-stack-ref: sab-login-module-stack
      
        microprofile:
          jwt:
            token:
              issued-by: "https://test.com"
              jwks-uri: "https://test.com/f5-oauth2/v1/jwks"
              jwks-refresh-interval: 60
      
      javax:
        net:
          ssl:
            trustStoreType: PKCS12
            trustStore: /opt/service/security/truststore.p12
            trustStorePassword: changeit
            
      ---
      
      project:
        stage: local
      thorntail:
        bind:
          address: 127.0.0.1
        logging: INFO
        https:
          only: true
          port: 8443
          certificate:
            generate: true
          key:
            alias: rsa
          keystore:
            path: keystore.jks
      javax:
        net:
          ssl:
            trustStoreType: JKS
            trustStore: truststore.jks
            trustStorePassword: changeit
      

      RestApplication.java

      package de.fc.sab.kitty.service.demo.jwt.rest;
      
      import javax.enterprise.context.ApplicationScoped;
      import javax.ws.rs.ApplicationPath;
      import javax.ws.rs.core.Application;
      
      import org.eclipse.microprofile.auth.LoginConfig;
      
      
      @LoginConfig(authMethod = "MP-JWT", realmName = "sab-realm")
      @ApplicationPath("/jwtdemo")
      @ApplicationScoped
      public class RestApplication extends Application {
      }
      

      DemoPrivateEndpoint.java

      package de.fc.sab.kitty.service.demo.jwt.rest;
      
      import javax.annotation.security.DeclareRoles;
      import javax.annotation.security.DenyAll;
      import javax.annotation.security.RolesAllowed;
      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.Produces;
      
      import de.fc.sab.kitty.service.demo.jwt.domain.DemoData;
      
      @Path("/demodata")
      @DeclareRoles({ "ReadPrivateDemoData" })
      @DenyAll
      public class DemoPrivateEndpoint {
      
          @GET
          @Path("/private")
          @Produces("application/json")
          @RolesAllowed({ "ReadPrivateDemoData" })
          public DemoData getPrivateDemoData() {
      
              DemoData demoData = new DemoData("Private Data");
      
              return demoData;
          }
      
      }
      

      Description

      We have a so-called jwt-demo-service that was running fine with 2018.5.0, but after we upgraded to 2.3.0, requests to a secured method are allowed even when the token fails to validate.

      The server console outputs a token validation error like it did before, but the server sends a 200 response containing "Private Data".

      We tried different thorntail versions and configurations but nothing seems to work.

      rejected due to invalid claims. Additional details: [[1] The JWT is no longer valid - the evaluation time NumericDate{1548928007 -> 31.01.2019 10:46:47 MEZ} is on or after the Expiration Time (exp=NumericDate{1547722387 -> 17.01.2019 11:53:07 MEZ}) claim value (even when providing 60 seconds of leeway to account for clock skew).]
      	at org.jose4j.jwt.consumer.JwtConsumer.validate(JwtConsumer.java:449)
      	at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:294)
      	at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:416)
      	at io.smallrye.jwt.auth.principal.DefaultJWTCallerPrincipalFactory.parse(DefaultJWTCallerPrincipalFactory.java:64)
      	... 65 more
      
      2019-01-31 10:46:47,356 INFO  [io.undertow.request.security] (default task-1) Failed to authenticate JWT bearer token
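      A regression check for the behaviour reported above, added here as an example (it is not part of the issue or of Thorntail). It reads the exp claim of a JWT locally, applies the 60-second leeway rule quoted in the jose4j message (my reading of that message, not jose4j's own code), calls the private endpoint from the report and flags a 200 for a token that should have failed validation. It assumes the service base URL and an expired token are passed on the command line; the endpoint path is composed from the @ApplicationPath and @Path values in the report.

```python
# Added example (not from the issue or the Thorntail project): regression check
# for THORN-2323. Decodes a JWT's exp claim locally, decides whether the token
# should have been rejected (60 s leeway as in the report's jose4j message) and
# flags a 200 from the private endpoint as the bug.
import base64, json, ssl, sys, time, urllib.error, urllib.request

LEEWAY_SECONDS = 60  # clock-skew allowance quoted in the log
PRIVATE_PATH = "/jwtdemo/demodata/private"  # @ApplicationPath + @Path from the report

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def jwt_claims(token):
    """Read the payload of a compact JWS. No signature check here: the result is
    only used to reason about what the server should have done with the token."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def make_sample_token(claims):
    """Constructed token with a bogus signature, only for building test inputs."""
    header = b64url(b'{"alg":"RS256","typ":"JWT"}')
    return (header + b"." + b64url(json.dumps(claims).encode()) + b".bm90YXNpZw").decode()

def is_expired(claims, now, leeway=LEEWAY_SECONDS):
    """Expired when the evaluation time is on or after exp even with leeway."""
    exp = claims.get("exp")
    return exp is not None and now >= exp + leeway

def verdict(status, expired):
    """A 200 for a token that should have failed validation is the reported bug."""
    if not expired:
        return "token still valid; nothing to conclude"
    return "BUG: expired token accepted" if status == 200 else "OK: rejected (%d)" % status

def probe(base_url, token, verify_tls=False):
    """GET the private endpoint with a bearer token and return the HTTP status.
    TLS verification is off by default: the local stage uses a generated cert."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url + PRIVATE_PATH,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":  # usage: python check.py https://127.0.0.1:8443 <expired JWT>
    print(verdict(probe(sys.argv[1], sys.argv[2]),
                  is_expired(jwt_claims(sys.argv[2]), int(time.time()))))
```

With the token from the report (exp 1547722387) evaluated at 1548928007 the check says expired, so any 200 from the endpoint is the defect described above.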
      

              People

              • Assignee: sbiarozk Sergey Beryozkin
              • Reporter: schnueggel99 Christian Steinmann
              • Votes: 0
              • Watchers: 3
