jdmcclur
commented
1 year ago I think I'll move forward with my quick change to try to authenticate if there is a Bearer cookie. This should cover most customer cases. We will look into gathering the actual name of the cookie later.
In my mpJWT primitive, I see a decent difference when sending a JWT as an Authorization Header compared to sending in the Bearer Cookie. (
mp.jwt.token.header=Cookie). This is a primitive, so problems are exaggerated, and not what you would see in a normal application.In the Header case, it is authenticated early here:
https://github.com/OpenLiberty/open-liberty/blob/ea5d868a49bc46aa983d4d1fdf335fc8677066a8/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebAppSecurityCollaboratorImpl.java#L832
because this returns true because it finds the "Bearer" in a Header https://github.com/OpenLiberty/open-liberty/blob/ea5d868a49bc46aa983d4d1fdf335fc8677066a8/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebRequestImpl.java#L156
In the Cookie case, it does not get handled early, so it is authenticated here after it fails initially and throws/catches an exception - (not great for performance).
https://github.com/OpenLiberty/open-liberty/blob/ea5d868a49bc46aa983d4d1fdf335fc8677066a8/dev/io.openliberty.restfulWS30.appSecurity/src/io/openliberty/restfulWS30/appSecurity/LibertyAuthFilter.java#L70
I prototyped finding the "Bearer Cookie" early, which gets it pretty close to the header case (there is some unrelated overhead to having a cookie on the request), but this doesn't account for the case where the customer is using a different cookie name (
mp.jwt.token.cookie=NotBearer). I am not sure how to handle that. https://github.com/OpenLiberty/open-liberty/compare/integration...jdmcclur:open-liberty:jwt-cookieI also did a quick hack where I call authenticate() before handleMessage() in LibertyAuthFilter, which helps but still not as good (I don't totally understand why yet).