
Unauthorized response on an unprotected endpoint, when a JWT is sent but not injected /FISH-6022 #5582

Open
fschuerer opened this issue Jan 26, 2022 · 3 comments
Labels: Status: Accepted (confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev); Type: Bug (label issue as a bug defect)

Comments

@fschuerer

Description

Unauthorized response on an unprotected endpoint when a JWT is sent, without token injection.
See also microprofile-jwt-auth issue response

Expected Outcome

The endpoint is called and responds

Current Outcome

Status code 401

Steps to reproduce

import javax.ws.rs.GET;
import javax.ws.rs.Path;

// Unprotected JAX-RS resource: no security constraint, no JsonWebToken injection
@Path("ping")
public class PingResource {

    @GET
    public String ping() {
        return "everybody is authorized";
    }
}

Environment

Payara Version: 5.2021.7
Edition: Full
JDK Version: OpenJDK 11
Operating System: Windows 10

@fschuerer fschuerer added Status: Open Issue has been triaged by the front-line engineers and is being worked on verification Type: Bug Label issue as a bug defect labels Jan 26, 2022
@fturizo fturizo self-assigned this Jan 28, 2022
@fturizo (Contributor) commented Jan 28, 2022

@fschuerer, sorry but a quick test on 5.2021.10 doesn't yield any errors from calling un-restricted (i.e., no authorization constraints present) JAX-RS endpoints, all calls execute without problems. Please make sure to test your scenario on this release to confirm that this is the case, and if the issue is present on your end, please share a complete self-contained reproducer that we can test on our end.

@fturizo fturizo added Status: Pending Waiting on the issue requester to give more details or share a reproducer and removed Status: Open Issue has been triaged by the front-line engineers and is being worked on verification labels Jan 28, 2022
@fschuerer (Author)

Hello @fturizo,

I created a small sample https://github.com/fschuerer/payara-5582 and tested it on 5.2021.10.
The public key was created with JWTenizr.

Request without a token: Response 200
curl http://localhost:8080/payara-5582/resources/ping

Request with an invalid token: Response 401
curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' http://localhost:8080/payara-5582/resources/ping
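For contrast with the two requests above, here is a minimal Payara 5 MP-JWT application layout that pairs the unprotected ping resource with a protected one, added as an example and not taken from the issue or from the fschuerer/payara-5582 repository. The class names, the "user" role and the config values are assumptions; each class belongs in its own .java file.

```java
// Added example (not the issue's or the reproducer's code). Assumed layout:
// src/main/resources/META-INF/microprofile-config.properties (MP JWT 1.1 keys)
//   mp.jwt.verify.publickey.location=META-INF/publicKey.pem   (JWTenizr output)
//   mp.jwt.verify.issuer=<issuer placeholder, must equal the token's "iss" claim>

// --- JwtApplication.java ---
// @LoginConfig(authMethod = "MP-JWT") enables bearer-token handling for the
// whole application; without it no JWT validation would run at all.
@org.eclipse.microprofile.auth.LoginConfig(authMethod = "MP-JWT")
@javax.annotation.security.DeclareRoles({"user"})          // assumed role name
@javax.ws.rs.ApplicationPath("resources")
public class JwtApplication extends javax.ws.rs.core.Application {
}

// --- PingResource.java ---
// Unprotected: no security constraint and no token injection.
// Expected: 200 with or without an Authorization header, even an invalid one.
// Observed on 5.2021.10 (this issue): 401 when an invalid token is sent.
@javax.ws.rs.Path("ping")
@javax.enterprise.context.RequestScoped
public class PingResource {
    @javax.ws.rs.GET
    public String ping() {
        return "everybody is authorized";
    }
}

// --- WhoAmIResource.java ---
// Protected: the token is required, validated and injected.
// Expected: 200 only with a valid token whose "groups" claim contains "user",
// otherwise 401; this is where validation is supposed to be triggered.
@javax.ws.rs.Path("whoami")
@javax.enterprise.context.RequestScoped
@javax.annotation.security.RolesAllowed("user")
public class WhoAmIResource {
    @javax.inject.Inject
    private org.eclipse.microprofile.jwt.JsonWebToken jwt;

    @javax.ws.rs.GET
    public String whoAmI() {
        // getName() returns the "upn" claim, falling back to
        // "preferred_username" and then "sub"
        return "hello " + jwt.getName();
    }
}
```

Running the same two curl requests against /resources/ping and /resources/whoami makes the defect visible: only the whoami responses should depend on the token.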

@fturizo (Contributor) commented Feb 2, 2022

Greetings @fschuerer, thanks for sharing more details as requested, they helped clarify the issue. Indeed, it seems that the server runtime is triggering the token validation when it shouldn't, since the endpoints do not require authentication/authorization.

I have escalated this issue with the ID FISH-6022 so that our Platform Developers are able to fix it in a future release. Keep in mind that this issue is of low priority for the moment, so it'll take some time until a fix is available.

@fturizo fturizo changed the title Unauthorized response on a unprotected endpoint, when a JWT is sent but not injected Unauthorized response on a unprotected endpoint, when a JWT is sent but not injected /FISH-6022 Feb 2, 2022
@fturizo fturizo added Status: Accepted Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev and removed Status: Pending Waiting on the issue requester to give more details or share a reproducer labels Feb 2, 2022