update jwt #245
update jwt #245
Conversation
| @@ -45,7 +48,7 @@ public JwtManagerImpl() { | |||
| public Jws<Claims> decode(String jwt) { | |||
|
|
|||
| PublicKey key = this.keyStoreAccess.getPublicKey(this.jwtConfig.getAlias()); | |||
| Jws<Claims> token = Jwts.parser().setSigningKey(key).parseClaimsJws(jwt); | |||
| Jws<Claims> token = Jwts.parser().setSigningKey(key).parseClaimsJws(jwt.replace(JwtConstants.TOKEN_PREFIX, "")); | |||
There was a problem hiding this comment.
I am not sure about this. Actually the provided jwt argument should be the JWT itself. The code I provided already removes the "Bearer" prefix elsewhere. Surely it wont hurt to also do it here but what if there are multiple whitespaces around or the Upper/Lower-Case does not match the TOKEN_PREFIX. Therefore it would IMHO be better to have only one place in the code that does this. If you want to reuse here, you could expose as static mehtod in the other impl and reuse here... WDYT?
There was a problem hiding this comment.
I think you are right, problem is that i test this with mtsj. while debugging i found , there multipe (two) Bearer in token
Bearer Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ3YWl0ZXIiLCJyb2xlcyI6IlJPTEVfV2FpdGVyLG10cy5GaW5kQm9va2luZyxtdHMuRmluZE9yZGVyIiwiaXNzIjoiZGV2b25mdyIsImlhdCI6MTU4NzY1OTg5NywibmJmI-----------
basically mtsj angular adds this extra Bearer keyword to the token
latMap((token) => {
const authReq = !!token
? req.clone({
setHeaders: { Authorization: 'Bearer ' + token },
})
I will remove the code (jwt.replace(JwtConstants.TOKEN_PREFIX, "")) from JwtManagerImpl
There was a problem hiding this comment.
Than angular client also is correct. The token itself should not contain Bearer. Maybe the code to extract the token on the client is broken or I did something wrong in JwtLoginFilter so we added Bearer prefix twice (or maybe it does not belong to response header at all)? This part is new to me, however I did not intend to change anything of this behaviour from your code. Maybe it was wrong before or I messed something during refactoring.
| @@ -25,6 +27,7 @@ | |||
| * | |||
| * @since 2020.04.001 | |||
| */ | |||
| @Named | |||
There was a problem hiding this comment.
My vision was that we also create a spring-boot starter.
The @Named only helps if the user does a component-scan in this package within its spring-config.
A spring-starter would therefore much better.
Anyhow good that you readded this annotation here. It can only help but not hurt! So thanks for this fix.
There was a problem hiding this comment.
In documentation
<dependency>
<groupId>com.devonfw.java.modules</groupId>
<artifactId>devon4j-starter-security-jwt</artifactId>
</dependency>
it should be
<dependency>
<groupId>com.devonfw.java.starters</groupId>
<artifactId>devon4j-starter-security-jwt</artifactId>
</dependency>
Also
http.addFilterBefore(getJwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
it should be getJwtLoginFilter()
You can fix this directly next time. |
hohwille
added
documentation
identified few issues while integrating with mtsj , please see mtsj PR for the same devonfw/my-thai-star#334