Injected JsonWebToken is null with JWT Auth 1.1 on Payara 5.183


While running a MicroProfile 2.0.1 backend on Payara 5.183, I am having problems decoding/using/validating a JWT passed to my Java EE 8 backend. A React frontend application passes the JWT token, obtained from Keycloak, as
Authorization: Bearer eyXJS…
I configured the backend to validate the JWT token as defined in the MicroProfile JWT Auth Spec 1.1 using the following MicroProfile Config properties in src/main/resources/META-INF:

mp.jwt.verify.publickey.location=/META-INF/orange.pem
mp.jwt.verify.issuer=http://localhost:8282/auth/realms/MicroProfile
The public key of Keycloak is stored in the orange.pem file. The JAX-RS configuration looks like this:

import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

// Enables the MP-JWT authentication mechanism for this JAX-RS application.
@LoginConfig(authMethod = "MP-JWT")
@ApplicationPath("resources")
public class JAXRSConfiguration extends Application {

}
I am trying to use the JWT in one of the endpoints:

import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("secure")
@Stateless
public class VerySecureResource {

    @Inject
    @ConfigProperty(name = "message")
    private String message;

    // Caller principal populated from the validated MP-JWT token.
    @Inject
    private JsonWebToken callerPrincipal;

    @GET
    public Response message() {

        System.out.println(callerPrincipal.getIssuer());
        System.out.println(callerPrincipal.getRawToken());
        System.out.println(callerPrincipal.getTokenID());

        return Response.ok(callerPrincipal.getName() + " is allowed to read message: " + message).build();
    }

}
The application deploys without any errors, and I do not get any log message in Payara's server.log about a failed JWT validation. I even turned on logging for fish.payara.microprofile.jwtauth:

[2018-12-26T17:06:20.835+0100] [Payara 5.183] [INFORMATION] [] [org.glassfish.soteria.servlet.SamRegistrationInstaller] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380835] [levelValue: 800] [[
  Initializing Soteria 1.1-b01 for context '/microprofile-jwt-keycloak-auth']]

[2018-12-26T17:06:20.841+0100] [Payara 5.183] [INFORMATION] [] [fish.payara.microprofile.jwtauth.servlet.RolesDeclarationInitializer] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380841] [levelValue: 800] [[
  Initializing MP-JWT 5.183 for context '/microprofile-jwt-keycloak-auth']]

[2018-12-26T17:06:20.933+0100] [Payara 5.183] [INFORMATION] [AS-WEB-GLUE-00172] [javax.enterprise.web] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380933] [levelValue: 800] [[
  Loading application [microprofile-jwt-keycloak-auth] at [/microprofile-jwt-keycloak-auth]]]

[2018-12-26T17:06:20.949+0100] [Payara 5.183] [INFORMATION] [] [javax.enterprise.system.core] [tid: _ThreadID=196 _ThreadName=admin-thread-pool::admin-listener(6)] [timeMillis: 1545840380949] [levelValue: 800] [[
  microprofile-jwt-keycloak-auth was successfully deployed in 954 milliseconds.]]

[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
  null]]

[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
  null]]

[2018-12-26T17:06:26.428+0100] [Payara 5.183] [INFORMATION] [] [] [tid: _ThreadID=42 _ThreadName=http-thread-pool::http-listener-1(3)] [timeMillis: 1545840386428] [levelValue: 800] [[
  null]]
The decoded JWT looks like this:

{
    "jti": "5a3c600e-95ea-41cb-8e65-8342a3b867bc",
    "exp": 1545840603,
    "nbf": 0,
    "iat": 1545840303,
    "iss": "http://localhost:8282/auth/realms/MicroProfile",
    "aud": "account",
    "sub": "f2a492cb-cf9f-46ac-8f04-941601c6574b",
    "typ": "Bearer",
    "azp": "react-webapp",
    "nonce": "f650eb68-611f-4bd9-97a7-d07f1b3e29de",
    "auth_time": 1545840302,
    "session_state": "f6627b25-b089-4234-b25c-bffa67a9a8f7",
    "acr": "1",
    "allowed-origins": [
        "http://localhost:3000"
    ],
    "realm_access": {
        "roles": [
            "offline_access",
            "uma_authorization",
            "USER"
        ]
    },
    "resource_access": {
        "account": {
            "roles": [
                "manage-account",
                "manage-account-links",
                "view-profile"
            ]
        }
    },
    "scope": "openid profile email",
    "email_verified": false,
    "name": "duke duke",
    "groups": [
        "/USER"
    ],
    "preferred_username": "duke",
    "given_name": "duke",
    "family_name": "duke",
    "email": "duke@jakarta.ee"
}

The complete codebase is available on

.

I see you just added the @LoginConfig annotation on the JAX-RS application, but that is not enough to protect the resources.

It is a marker that all protected endpoints will use the JWT from the Authorization header.

So you need to define the endpoint as

@GET
@RolesAllowed("/USER") // javax.annotation.security.RolesAllowed; must match the "/USER" group in the token
public Response message() {
    // ... method body unchanged from the question ...
}
Only then will the authentication from the JWT take effect.

You need to declare all roles in web.xml, or with @DeclareRoles on the application bean (or any other CDI bean).
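To separate a token problem from the server-side role configuration the answer describes, here is an added Python diagnostic (not part of the question or answer, and not Payara code) that checks the claims MP-JWT 1.1 and the `@RolesAllowed("/USER")` endpoint depend on. The header `kid` and the signature segment are constructed placeholders, and the RS256 signature is not verified; that remains the server's job.

```python
import base64
import json

# Values from the question's microprofile-config.properties and the answer's @RolesAllowed.
EXPECTED_ISSUER = "http://localhost:8282/auth/realms/MicroProfile"
REQUIRED_ROLE = "/USER"
# Claims MP-JWT 1.1 expects in every token.
REQUIRED_CLAIMS = ("iss", "sub", "exp", "iat", "jti", "groups")

# Constructed sample: "kid" is a placeholder, the payload is a subset of the
# decoded token shown in the question.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "realm-key-id-placeholder"}
SAMPLE_PAYLOAD = {
    "jti": "5a3c600e-95ea-41cb-8e65-8342a3b867bc", "exp": 1545840603, "iat": 1545840303,
    "iss": EXPECTED_ISSUER, "sub": "f2a492cb-cf9f-46ac-8f04-941601c6574b",
    "preferred_username": "duke", "groups": ["/USER"],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_token(header: dict, payload: dict) -> str:
    """Assemble header.payload.<placeholder>; the last segment is NOT a real RS256 signature."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{_b64url(b'signature-placeholder')}"

def inspect_mp_jwt(token: str, now: int) -> dict:
    """Claim-level checks only: does the token carry what Payara's MP-JWT 1.1
    verifier and the @RolesAllowed("/USER") endpoint need at time `now`?"""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return {
        "alg_is_rs256": header.get("alg") == "RS256",
        "has_kid": "kid" in header,  # lets the verifier pick the realm RSA key
        "issuer_matches_config": payload.get("iss") == EXPECTED_ISSUER,
        "not_expired": payload.get("exp", 0) > now,
        "required_claims_present": all(c in payload for c in REQUIRED_CLAIMS),
        "upn_available": any(c in payload for c in ("upn", "preferred_username", "sub")),
        "role_granted": REQUIRED_ROLE in payload.get("groups", []),
    }
```

A token whose `groups` claim holds `USER` instead of `/USER` reports `role_granted: False`, which is exactly the mismatch that makes a `@RolesAllowed("/USER")` endpoint answer 403 even though the signature and issuer are fine.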


Can you point out which public key from Keycloak you put into orange.pem? Is it the public key of the realm's RSA key? Can you verify that the keyId in the header matches the id of the RSA key defined in the realm? (You specified RS256 as the signature algorithm in the token configuration.)

Yes, I verified the RSA signature; it is the public key of my realm.

What HTTP status do you get? 401, 403, 200?

If the JAX-RS endpoint is secured, I will get 401.
import javax.annotation.security.DeclareRoles;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

@ApplicationPath("/data")
@LoginConfig(authMethod = "MP-JWT")
@DeclareRoles({"/USER"})
public class Keycloack_jwtRestApplication extends Application {}