Open CarlosMOGoncalves opened 4 months ago
Hello @CarlosMOGoncalves,
I can confirm that the reproducer works as expected and it highlights the issue described. I have escalated this issue to the Platform Development team, with the codename FISH-9072, and they will start working on a fix in due course. Thank you very much for reporting this bug.
Best regards, Felix
Brief Summary
I have just upgraded some of my projects to Jakarta EE 10, from Payara 5 to the latest Payara 6.2024.6, and some functionality related to MP JWT validation stopped working correctly.

In short: most of my Jakarta REST endpoints are `@Stateless` EJBs. They are protected by the `@RolesAllowed` annotation and I am using a JWT based authorization.

Now, on Payara 5 all works fine: I try to reach one endpoint using a JWT token with the needed groups and if it matches those in the `@RolesAllowed` it will go through.

On Payara 6 though I find out that these endpoints will fail with an error 403 - Forbidden.

This happens unless I have at least one CDI bean with a `@RolesAllowed` annotation, even if that bean is not registered as an endpoint on the Application class. In that case, any Resource, whether it is EJB-based or CDI-based, will perform authorization just fine.

I did some digging and I am not entirely sure where this issue comes from, although I did notice how different the code path is to finding whether a Principal has the roles for the endpoint or not, from Payara 5 to Payara 6. Meaning I did notice that a lot more Exousia is now at play, but I really am not sure why it is not behaving correctly.
Using:
Expected Outcome
Any Jakarta REST endpoint, regardless of it being an EJB or CDI bean, will be able to have its authorization checked when using MP-JWT tokens.
Current Outcome
- `@Stateless` EJBs will not have their `@RolesAllowed` honoured for accessing the endpoint, resulting in an Error 403 - Forbidden
- With a `@RequestScoped` bean carrying a `@RolesAllowed` annotation in the application everything will work fine, including the EJB resources
Reproducer
A reproducer can be found here: cdijwt
To use it:
- It has one `@Stateless` REST resource and one `@RequestScoped` bean which is not even declared as an endpoint resource.
- `mvn clean package`
- `mvn payara-micro:start -DuseUberJar=true` or `java -jar target/cdijwt-1.0.0-microbundle.jar`, I usually go for the first
- `curl -X GET -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1cG4iOiJEYXZpZCBHaWxtb3VyIiwic3ViIjoiMSIsImlzcyI6InJhbmRvbS1pc3N1ZXIiLCJqdGkiOiJ4LWF0bS0wOTIiLCJpYXQiOjE3MjAyMjM2NjEsImV4cCI6MjAzNTU4MzY2MSwiZ3JvdXBzIjpbIkFETUlOIl19.oh4yUiJqkhU_KAHx7kTCA_GJyPn-T0Yimnn-od85BXW8TVCKG0AVHpOofaWaUlyZn6gSwfB7qROP6wPef5WQJiXyq6Zd2zdBbS1U4RtKHvQoqczBWDndaiJSJZrkE2FfWqf9HMkZFl94-PMyST6EJqvdO0R7oUEZXIrrOqYMg3M81V1gDER2EGcQv2nJHpmsFdgwQDiOlPmwl-dKW3o1w6ZJosgky4z3yzqUSAWeyg0RjM2lgYzBu8ui5PRbXQBxEIrBSnkuaxnA12kfVrLVA2pIg3W_8r4Ykd_E3DJeWK0AlLFCEKZdr8vg3FBcG21ZRd4mdySqpFAESohPGWotWQ" http://localhost:30000/ejb`
- Response 200 should occur
To trigger the issue:
- CDIResource.java
Operating System
Windows 11 Pro
JDK Version
OpenJDK 64-Bit Server VM Temurin-21.0.3+9
Payara Distribution
Payara Micro
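The layout the report describes, written out as an added example that is not the reporter's `cdijwt` reproducer and not Payara's own code. It shows the three pieces involved: an `Application` class that switches on MP-JWT authentication, the `@Stateless` JAX-RS resource at `/ejb` guarded by `@RolesAllowed("ADMIN")`, and the unregistered `@RequestScoped` bean whose `@RolesAllowed` annotation the report says makes the difference on Payara 6. The EJB resource also returns a small diagnostic string so a tester can tell a token that was never parsed apart from a role check that was never enforced, which is the distinction the report turns on. The package name, file paths, public-key location and the properties file are assumptions; the `iss` value and the `ADMIN` group are what the payload of the bearer token in the `curl` command above decodes to (`"iss":"random-issuer"`, `"groups":["ADMIN"]`). Three source files are concatenated into one block for reading; each public class goes in its own file.

```java
// ---- src/main/java/example/cdijwt/JwtApplication.java ---- (hypothetical path)
package example.cdijwt;

import java.util.Set;
import jakarta.annotation.security.DeclareRoles;
import jakarta.ws.rs.ApplicationPath;
import jakarta.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

// Turns on MP-JWT bearer authentication for the whole application and declares the role
// referenced by the @RolesAllowed annotations below.
@ApplicationPath("/")
@LoginConfig(authMethod = "MP-JWT")
@DeclareRoles("ADMIN")
public class JwtApplication extends Application {
    @Override
    public Set<Class<?>> getClasses() {
        // Only the EJB resource is registered as an endpoint. The CDI bean below is
        // deliberately left out, matching "not even declared as an endpoint resource".
        return Set.<Class<?>>of(EjbResource.class);
    }
}

// ---- src/main/java/example/cdijwt/EjbResource.java ---- (hypothetical path)
package example.cdijwt;

import jakarta.annotation.security.RolesAllowed;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.SecurityContext;
import org.eclipse.microprofile.jwt.JsonWebToken;

// The endpoint from the report: a stateless EJB exposed as a JAX-RS resource and
// protected by @RolesAllowed. On Payara 5 a token carrying the ADMIN group passes;
// the report says that on Payara 6 this answers 403 unless CdiResource (below) exists.
@Stateless
@Path("/ejb")
@RolesAllowed("ADMIN")
public class EjbResource {

    @Inject
    JsonWebToken jwt; // the parsed bearer token for the current request

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String get(@Context SecurityContext ctx) {
        // Diagnostic payload: shows whether the token was parsed (name and groups present)
        // and whether the container maps the caller to the role, independently of
        // whether @RolesAllowed was enforced on the way in.
        return "upn=" + jwt.getName()
             + " groups=" + jwt.getGroups()
             + " inRole(ADMIN)=" + ctx.isUserInRole("ADMIN");
    }
}

// ---- src/main/java/example/cdijwt/CdiResource.java ---- (hypothetical path)
package example.cdijwt;

import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.RequestScoped;

// The bean whose presence the report identifies as the difference: a plain CDI bean,
// never registered as an endpoint, carrying a @RolesAllowed annotation. Removing the
// annotation is what the report describes as triggering the 403 on the EJB resource.
@RequestScoped
public class CdiResource {

    @RolesAllowed("ADMIN")
    public String hello() {
        return "hello from CDI";
    }
}

// ---- src/main/resources/META-INF/microprofile-config.properties ---- (assumed content)
// mp.jwt.verify.publickey.location=META-INF/publicKey.pem   (assumed key location)
// mp.jwt.verify.issuer=random-issuer                         (iss claim of the token above)
```

With the annotation on `CdiResource` in place, `curl` against `/ejb` with the bearer token should return 200 and a body like `upn=David Gilmour groups=[ADMIN] inRole(ADMIN)=true`. If the same request returns 403 after the annotation is removed, while a build with a permissive temporary `@PermitAll` on `EjbResource` still reports `inRole(ADMIN)=true`, the token is being parsed and the role mapping is intact, and the failure sits in the enforcement of `@RolesAllowed` on the EJB path, which is what the report attributes to the changed Exousia-based code path in Payara 6.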