Payara Server is an open source middleware platform that supports reliable and secure deployments of Java EE (Jakarta EE) and MicroProfile applications in any environment: on premise, in the cloud or hybrid.
http://www.payara.fish

Bug Report: Payara 6 won't allow EJB Jakarta REST endpoints protected by @RolesAllowed using MP JWT spec/FISH-9072 #6819

Open CarlosMOGoncalves opened 4 months ago

CarlosMOGoncalves commented 4 months ago

Brief Summary

I have just upgraded some of my projects to Jakarta EE 10, from Payara 5 to the latest Payara 6.2024.6 and some functionality related to MP JWT validation stopped working correctly.

In short: most of my Jakarta REST endpoints are @Stateless EJBs. They are protected by the @RolesAllowed annotation and I am using a JWT based authorization.

Now, on Payara 5 all works fine: I try to reach one endpoint using a JWT token with the needed groups and if it matches those in the @RolesAllowed it will go through.

On Payara 6 though I find out that these endpoints will fail with an error 403 - Forbidden.

This happens unless I have at least one CDI bean with a @RolesAllowed annotation, even if that bean is not registered as an endpoint on the Application class. In that case, any Resource, whether it is EJB-based or CDI-based, will perform authorization just fine.

I did some digging and I am not entirely sure where this issue comes from, although I did notice how different the code path for finding out whether a Principal has the roles for the endpoint is, from Payara 5 to Payara 6. Meaning I did notice that a lot more Exousia is now at play, but I really am not sure why it is not behaving correctly.

Using:

Expected Outcome

Any Jakarta REST endpoint, regardless of it being an EJB or CDI bean, will be able to have its authorization checked when using MP-JWT tokens.

Current Outcome

  1. Endpoint Resource classes which are @Stateless EJBs will not have their @RolesAllowed honoured for accessing the endpoint, resulting in an Error 403 - Forbidden
  2. Endpoint Resource classes which are CDI beans will work fine. I tested the obvious @RequestScoped
  3. If there is at least one CDI bean with a @RolesAllowed annotation in the application everything will work fine, including the EJB resources
  4. beans.xml discovery mode seems to have nothing to do with it (I checked because of the update to Jakarta EE 10)

Reproducer

A reproducer can be found here: cdijwt

To use it:

  1. check out this project. It has 3 classes, an Application.java class, one @Stateless REST resource and one @RequestScoped bean which is not even declared as an endpoint resource.
  2. mvn clean package
  3. Either mvn payara-micro:start -DuseUberJar=true or java -jar target/cdijwt-1.0.0-microbundle.jar, I usually go for the first
  4. When the application is up curl it: curl -X GET -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1cG4iOiJEYXZpZCBHaWxtb3VyIiwic3ViIjoiMSIsImlzcyI6InJhbmRvbS1pc3N1ZXIiLCJqdGkiOiJ4LWF0bS0wOTIiLCJpYXQiOjE3MjAyMjM2NjEsImV4cCI6MjAzNTU4MzY2MSwiZ3JvdXBzIjpbIkFETUlOIl19.oh4yUiJqkhU_KAHx7kTCA_GJyPn-T0Yimnn-od85BXW8TVCKG0AVHpOofaWaUlyZn6gSwfB7qROP6wPef5WQJiXyq6Zd2zdBbS1U4RtKHvQoqczBWDndaiJSJZrkE2FfWqf9HMkZFl94-PMyST6EJqvdO0R7oUEZXIrrOqYMg3M81V1gDER2EGcQv2nJHpmsFdgwQDiOlPmwl-dKW3o1w6ZJosgky4z3yzqUSAWeyg0RjM2lgYzBu8ui5PRbXQBxEIrBSnkuaxnA12kfVrLVA2pIg3W_8r4Ykd_E3DJeWK0AlLFCEKZdr8vg3FBcG21ZRd4mdySqpFAESohPGWotWQ" http://localhost:30000/ejb
  5. There should be a log saying "EJB endpoint invoked" and a Response 200 should occur

To trigger the issue:

  1. Delete the class CDIResource.java
  2. perform all the steps above
  3. An error 403 - Forbidden will be thrown

Operating System

Windows 11 Pro

JDK Version

OpenJDK 64-Bit Server VM Temurin-21.0.3+9

Payara Distribution

Payara Micro
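
The three-class layout the report describes, written out as an added example to make the reproducer concrete. This is not the reporter's cdijwt repository nor Payara's code: the class names, the package, the "/" application path, the "/ejb" resource path and the config file contents are assumptions. Decoding the token in the curl command above shows a header of {"typ":"JWT","alg":"RS256"} and a payload whose "iss" claim is "random-issuer" and whose "groups" claim is ["ADMIN"], so those are the values the example's config and @RolesAllowed use.

```java
// --- File: src/main/resources/META-INF/microprofile-config.properties (assumed) ---
// mp.jwt.verify.publickey.location=META-INF/publicKey.pem   (RSA public key matching the token's signing key)
// mp.jwt.verify.issuer=random-issuer                          ("iss" claim of the token in the curl command)
//
// Group names are assumed to map 1:1 to role names (the working case in the
// report returns 200 with groups ["ADMIN"] and @RolesAllowed("ADMIN")).

// --- File: src/main/java/example/cdijwt/JwtApplication.java (assumed name) ---
package example.cdijwt;

import jakarta.ws.rs.ApplicationPath;
import jakarta.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

/**
 * Enables MP-JWT as the authentication mechanism for the whole application.
 * No getClasses()/getSingletons() override: resources are found by scanning,
 * so CdiResource below is never registered as an endpoint.
 */
@ApplicationPath("/")
@LoginConfig(authMethod = "MP-JWT")
public class JwtApplication extends Application {
}

// --- File: src/main/java/example/cdijwt/EjbResource.java (assumed name) ---
package example.cdijwt;

import jakarta.annotation.security.RolesAllowed;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.Response;
import java.util.logging.Logger;
import org.eclipse.microprofile.jwt.JsonWebToken;

/**
 * EJB-backed Jakarta REST resource. The EJB container is expected to enforce
 * @RolesAllowed before the method body runs; a caller whose token lacks the
 * ADMIN group must get 403 and never reach the log statement.
 */
@Stateless
@Path("/ejb")
public class EjbResource {

    private static final Logger LOG = Logger.getLogger(EjbResource.class.getName());

    @Inject
    JsonWebToken jwt; // the validated caller token (upn "David Gilmour" in the sample)

    @GET
    @RolesAllowed("ADMIN")
    public Response get() {
        LOG.info("EJB endpoint invoked by " + jwt.getName());
        return Response.ok("EJB endpoint invoked").build();
    }
}

// --- File: src/main/java/example/cdijwt/CdiResource.java (assumed name) ---
package example.cdijwt;

import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.RequestScoped;

/**
 * Plain CDI bean with no @Path, so it is never reachable over HTTP.
 * Its only role here is the one the report describes: while this class is
 * present in the deployment, GET /ejb returns 200; delete it and the same
 * request returns 403 on Payara 6.
 */
@RequestScoped
public class CdiResource {

    @RolesAllowed("ADMIN")
    public String ping() {
        return "cdi";
    }
}
```

Build and start it as in steps 2 and 3 above, then issue the curl from step 4: with all three classes deployed the expected result is a 200 and the "EJB endpoint invoked" log line; after deleting CdiResource.java and rebuilding, the same request is reported to return 403. Note that the failure runs in the safe direction (a caller who does hold the required group is denied), so a regression test for it should assert on the 200 in the working configuration as well as on the 403, and should also confirm that a token without the ADMIN group is still rejected in both layouts.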

felixif commented 4 months ago

Hello @CarlosMOGoncalves,

I can confirm that the reproducer works as expected and it highlights the issue described. I have escalated this issue to the Platform Development team, with the codename FISH-9072, and they will start working on a fix in due course. Thank you very much for reporting this bug.

Best regards, Felix