在Payara 5.183上使用MicroProfile JWT Auth 1.1注入的JsonWebToken为空

时间:2018-12-26 16:22:32

标签: java jwt keycloak payara microprofile

我在使用在Payara 5.183上运行的MicroProfile 2.0.1后端解码/使用/验证传递到我的Java EE 8的JWT时遇到问题。 React前端应用程序将从Keycloak获得的JWT令牌作为Authorization: Bearer eyXJS...传递给后端。后端被配置为使用以下microprofile-config.properties来验证MicroProfile JWT Auth Spec 1.1中定义的JWT令牌。在src/main/resources/META-INF中:

mp.jwt.verify.publickey.location=/META-INF/orange.pem
mp.jwt.verify.issuer=http://localhost:8282/auth/realms/MicroProfile

,来自Keycloak的公钥存储在orange.pem文件中。 JAX-RS配置如下所示:

@LoginConfig(authMethod = "MP-JWT")
@ApplicationPath("resources")
public class JAXRSConfiguration extends Application {

}

并且我正在尝试在端点之一中使用JWT:

@Path("secure")
@Stateless
public class VerySecureResource {

    @Inject
    @ConfigProperty(name = "message")
    private String message;

    @Inject
    private JsonWebToken callerPrincipal;

    @GET
    public Response message() {

        System.out.println(callerPrincipal.getIssuer());
        System.out.println(callerPrincipal.getRawToken());
        System.out.println(callerPrincipal.getTokenID());

        return Response.ok(callerPrincipal.getName() + " is allowed to read message: " + message).build();
    }

}

该应用程序已部署,没有任何错误,并且在Payara的server.log中没有收到有关JWT验证失败的任何日志记录信息。我什至打开了fish.payara.microprofile.jwtauth的日志记录。 

[2018-12-26T17:06:20.835+0100] [Payara 5.183] [INFORMATION] [] [org.glassfish.soteria.servlet.SamRegistrationInstaller] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380835] [levelValue: 800] [[
  Initializing Soteria 1.1-b01 for context '/microprofile-jwt-keycloak-auth']]

[2018-12-26T17:06:20.841+0100] [Payara 5.183] [INFORMATION] [] [fish.payara.microprofile.jwtauth.servlet.RolesDeclarationInitializer] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380841] [levelValue: 800] [[
  Initializing MP-JWT 5.183 for context '/microprofile-jwt-keycloak-auth']]

[2018-12-26T17:06:20.933+0100] [Payara 5.183] [INFORMATION] [AS-WEB-GLUE-00172] [javax.enterprise.web] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380933] [levelValue: 800] [[
  Loading application [microprofile-jwt-keycloak-auth] at [/microprofile-jwt-keycloak-auth]]]

[2018-12-26T17:06:20.949+0100] [Payara 5.183] [INFORMATION] [] [javax.enterprise.system.core] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380949] [levelValue: 800] [[
  microprofile-jwt-keycloak-auth was successfully deployed in 954 milliseconds.]]

[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
  null]]

[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
  null]]

[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
  null]]

解码后的JWT如下所示:

{
    "jti": "5a3c600e-95ea-41cb-8e65-8342a3b867bc",
    "exp": 1545840603,
    "nbf": 0,
    "iat": 1545840303,
    "iss": "http://localhost:8282/auth/realms/MicroProfile",
    "aud": "account",
    "sub": "f2a492cb-cf9f-46ac-8f04-941601c6574b",
    "typ": "Bearer",
    "azp": "react-webapp",
    "nonce": "f650eb68-611f-4bd9-97a7-d07f1b3e29de",
    "auth_time": 1545840302,
    "session_state": "f6627b25-b089-4234-b25c-bffa67a9a8f7",
    "acr": "1",
    "allowed-origins": [
        "http://localhost:3000"
    ],
    "realm_access": {
        "roles": [
            "offline_access",
            "uma_authorization",
            "USER"
        ]
    },
    "resource_access": {
        "account": {
            "roles": [
                "manage-account",
                "manage-account-links",
                "view-profile"
            ]
        }
    },
    "scope": "openid profile email",
    "email_verified": false,
    "name": "duke duke",
    "groups": [
        "/USER"
    ],
    "preferred_username": "duke",
    "given_name": "duke",
    "family_name": "duke",
    "email": "duke@jakarta.ee"
}

可以在GitHub

上找到整个代码库

1 个答案:

答案 0 :(得分:2)

我看到您刚刚在JAX-RS应用程序上添加了@LoginConf注释,但这不足以保护资源。

这是一种标记,所有受保护的端点都将使用Authentication标头中的JWT。

因此您需要将端点定义为

@GET
@RolesAllowed("/USER")
public Response message() {

只有这样,JWT的身份验证才会生效。

您需要声明web.xml中的所有角色,或使用Application Bean(或任何其他CDI Bean)上的 DeclaresRoles 声明所有角色

@ApplicationPath("/data")
@LoginConfig(authMethod = "MP-JWT")
@DeclareRoles({"/USER"})
public class Keycloack_jwtRestApplication extends Application {
相关问题
最新问题