27 Replies. Latest reply on Mar 30, 2016 10:58 AM by assistenza.bss

    JWT example for Picketlink 2.6.0

    esteveavi

      Hi,

       

We are interested in using the picketlink-json package to implement JWT. We have seen that the documentation is not ready. Is there any example out there showing how to use this package?

       

Does this package implement the filter to allow stateless REST web services?

       

      Thanks in advance,

       

      Regards,

      Esteve

        • 1. Re: JWT example for Picketlink 2.6.0
          jgurda

          Please check AngularJS quick start under https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-angularjs-rest

After I dug into the details I understand that the initial authentication request is performed with BASIC authentication (check the servlet filter class defined in web.xml) and then a token is generated. That token is exchanged between client and server in an HTTP header. For your use case it would be good to use the stateless Identity, which is also available in PicketLink 2.6.0.Final.

           

I have spent some time recently finding out how JWT is implemented in PicketLink and realized that JWT and JWS (signed token) are implemented, but there are still some things to implement, for example JWE (check the class JsonWebEncryption).

           

I'm currently working on stateless token-based authentication for REST services too. I will put some code up later.

           

          I encourage you to check Picketlink source code. It's well written and easy to understand.

          • 2. Re: JWT example for Picketlink 2.6.0
            pcraveiro

            Hi Esteve,

             

There are no docs for PicketLink JSON yet. We're working to support JWE and JWK. Once we finish that we're going to provide more docs.

             

For now, I would suggest you take a look at the test cases provided by this module. I think they are a useful source to understand and see how to use it.

             

            Thanks.

            • 3. Re: JWT example for Picketlink 2.6.0
              pcraveiro

              Hey Esteve,

               

You can check the initial documentation for the PicketLink JSON API here.

               

It still needs a review before we push it to our official documentation. But it can help you in the meantime.

               

              Regards.

              • 4. Re: JWT example for Picketlink 2.6.0
                lovem

                Hi,

The picketlink-angularjs-rest quickstart has provided good insights into the JSON implementation and usage. During sign-in, a POST to <contextRoot>/authc is sent from the Angular app using the LoginResource.

                 

I have been selectively adding components from the quickstart to ensure understanding of the implementation in the quickstart and where it is likely to enhance, etc. within my add. Registration and activation services are working as expected. /authc returns a 404 in my app.

There is no such endpoint in the quickstart, so I can only assume it is being contributed by picketlink-json. Initial investigation of the source has not made me any the wiser.

                 

My question is: what is contributing this REST endpoint?

                 

                Thanks

                • 5. Re: JWT example for Picketlink 2.6.0
                  pcraveiro

                  Hey Mike,

                   

The "/authc/" does not exist. You may notice that the security filter is intercepting every single URL under "/rest/private/*".

                   

What the filter does is check if the request is authenticated; if not, it tries to extract credentials from it. In this case, BASIC credentials. Once the user provides valid credentials, the filter will validate them and issue a token accordingly. The token is written to the response. All that is done by a specific authentication scheme, the TokenAuthenticationScheme.

                   

                  Regards.

                  Pedro Igor
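
The exchange described in this reply and in reply 1 (BASIC credentials once, a signed token in an HTTP header afterwards, no server-side session), as an added example that is not PicketLink code, not the quickstart, and not the TokenAuthenticationScheme itself: a stand-alone Python sketch of one filter function that does both halves. The user store, the HMAC secret, the HS256 JWS format, the 5 minute lifetime and the X-Session-Token response header are assumptions of this example, not anything from the thread.

```python
"""Stateless token authentication in the shape the reply above describes.

Added example, NOT PicketLink code: one request filter that accepts
HTTP BASIC credentials, answers with a signed token (compact JWS, HS256),
and on later requests accepts that token instead of credentials. Nothing
is kept server-side; the signed claims carry everything the server needs.
Assumed (not from the thread): user store, secret, TTL, response header.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SECRET = b"change-me-32-bytes-of-real-entropy!!"          # assumed server key
USERS = {"esteve": hashlib.sha256(b"s3cret").hexdigest()}  # assumed user store
TOKEN_TTL = 300                                            # assumed, seconds
TOKEN_HEADER = "X-Session-Token"                           # assumed header


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_header(user: str, password: str) -> str:
    """Client side: value of an 'Authorization: Basic ...' header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def issue_token(subject: str, now: Optional[float] = None) -> str:
    """Mint a compact JWS: b64url(header).b64url(claims).b64url(signature)."""
    ts = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": ts, "exp": ts + TOKEN_TTL}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.

    The algorithm is pinned by the server rather than read from the token
    header, so a forged header ('alg': 'none', key confusion) cannot
    downgrade the check. Any malformed input is rejected, never raised.
    """
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        claims = json.loads(_b64url_decode(p64))
        ts = now if now is not None else time.time()
        if claims["exp"] <= ts or not isinstance(claims["sub"], str):
            return None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims


def _check_basic(value: str) -> Optional[str]:
    """Validate 'user:password' from a BASIC header against the user store."""
    try:
        user, _, password = base64.b64decode(value).decode().partition(":")
    except ValueError:
        return None
    stored = USERS.get(user)
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Always run the comparison so timing does not reveal which users exist.
    if not hmac.compare_digest(stored or "0" * 64, digest) or stored is None:
        return None
    return user


def authenticate(headers: Dict[str, str], now: Optional[float] = None
                 ) -> Tuple[int, Dict[str, str], Optional[str]]:
    """The filter step: (status, response headers, authenticated subject).

    A token, if present, is checked on its own; otherwise BASIC credentials
    are validated and a fresh token is written to the response; anything
    else is challenged with 401.
    """
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "bearer":
        claims = verify_token(value.strip(), now)
        if claims is not None:
            return 200, {}, claims["sub"]
        return 401, {"WWW-Authenticate": "Bearer"}, None
    if scheme == "basic":
        user = _check_basic(value.strip())
        if user is not None:
            return 200, {TOKEN_HEADER: issue_token(user, now)}, user
    return 401, {"WWW-Authenticate": 'Basic realm="rest/private"'}, None


if __name__ == "__main__":
    first = authenticate({"Authorization": basic_header("esteve", "s3cret")})
    print(first)
    print(authenticate({"Authorization": "Bearer " + first[1][TOKEN_HEADER]}))
```

The two properties worth carrying over to any real deployment are that the verifier decides the algorithm (the token header is data, not configuration) and that every comparison of secrets goes through hmac.compare_digest. Both the BASIC exchange and the token must travel over TLS; nothing here protects the credentials or the bearer token in transit.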

                  • 6. Re: JWT example for Picketlink 2.6.0
                    trumanustm

                    Dear Pedro,

                     

I have a problem that I don't understand... when I try to use your code for the picketlink-angularjs app I'm able to register and authenticate the token..

but if I try to log in.. I have this error:

16:48:50,540 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /A3iuNxt-web/rest/private/authc: org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: java.util.HashMap of media type: application/octet-stream
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:176) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_20]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_20]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_20]
Caused by: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: java.util.HashMap of media type: application/octet-stream
    at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153) [resteasy-jaxrs-3.0.8.Final.jar:]
    ... 33 more

                     

I'm going mad... do you have any idea?

                     

I tried to debug all the steps and I noticed that the security listeners seem not to be called!

                     

                    and

                    • 7. Re: JWT example for Picketlink 2.6.0
                      pcraveiro

                      Hey,

                       

Which version of WildFly are you using?

                      • 8. Re: JWT example for Picketlink 2.6.0
                        trumanustm

                        Hi Pedro,

                         

I found the problem. I'm using an EAR application derived from your example picketlink-angularjs-rest 2.7.0 CR1.

I have the EJB part with the logic in the jar and all the web in the war.

I'm using WildFly 8.1 Final.

                         

I think there are some problems in the listener, so if I put all the jars into the war, everything is running correctly; if I move the PicketLink jars and the code from the web to the EJB jar, I have that problem...

                         

                        any ideas?

                         

                        and

                        • 9. Re: JWT example for Picketlink 2.6.0
                          pcraveiro

I know Resteasy provides some default provider implementations to transform basic types such as Map and List. Maybe you are missing some Resteasy dependency in your EAR's jboss-deployment-structure.xml.

                          • 10. Re: JWT example for Picketlink 2.6.0
                            trumanustm

                            Pedro,

                             

I'm using Maven instead of jboss-deployment-structure.xml.

                             

This is the maven-ear-plugin config:

                             

<plugins>
  <plugin>
    <artifactId>maven-ear-plugin</artifactId>
    <version>${version.ear.plugin}</version>
    <configuration>
      <!-- Java EE 7 doesn't require web.xml, Maven needs to catch up! -->
      <failOnMissingWebXml>false</failOnMissingWebXml>
      <archive>
        <manifestEntries>
          <!-- Earlier, shorter attempt, kept for reference:
          <Dependencies>org.jboss.resteasy.resteasy-jaxrs meta-inf,org.slf4j,org.infinispan,org.picketlink meta-inf,org.picketlink.idm meta-inf,org.picketlink.core meta-inf,org.picketlink.core.api meta-inf,org.picketlink.idm.api meta-inf,org.picketlink.idm.schema meta-inf</Dependencies>
          -->
          <!-- Current attempt: every PicketLink and Resteasy module, exported with meta-inf -->
          <Dependencies>org.picketlink.config meta-inf,org.picketlink.idm.api meta-inf,org.picketlink.idm meta-inf,org.picketlink.core meta-inf,org.picketlink.core.api meta-inf,org.picketlink.common meta-inf,org.picketlink.idm.schema meta-inf,org.jboss.resteasy.jose-jwt meta-inf,org.jboss.resteasy.resteasy-atom-provider meta-inf,org.jboss.resteasy.resteasy-cdi meta-inf,org.jboss.resteasy.resteasy-crypto meta-inf,org.jboss.resteasy.resteasy-jettison-provider meta-inf,org.jboss.resteasy.resteasy-multipart-provider meta-inf,org.jboss.resteasy.resteasy-jaxb-provider meta-inf,org.jboss.resteasy.resteasy-jackson-provider meta-inf,org.glassfish.javax.json meta-inf,org.jboss.resteasy.resteasy-json-p-provider meta-inf,org.jboss.resteasy.resteasy-jaxrs meta-inf,org.slf4j,org.infinispan</Dependencies>
        </manifestEntries>
      </archive>
    </configuration>
  </plugin>
</plugins>

I put in all the possible modules... but there is no way to solve this problem; in the EAR configuration, the security is not caught...

                             

I think it is a problem in the listeners, is it possible?

                             

                            andrea

                            • 11. Re: JWT example for Picketlink 2.6.0
                              trumanustm

                              Dear Pedro

Unfortunately, this kind of application ONLY works if you put all the requested jars into the WEB-INF/lib folder... if you try to migrate from the uber PicketLink jar to the WildFly picketlink module and import it with jboss-deployment-structure.xml or a Maven manifest import, you simply get back the problem that I have...

                               

I tried to debug WildFly and PicketLink a lot to find the problem, but it is too deep..

                               

Did you ever try to migrate REST PicketLink security into an EAR project with module dependencies?

                               

                              andrea

                              • 12. Re: JWT example for Picketlink 2.6.0
                                pcraveiro

                                Hey Andrea,

                                 

I have reproduced your issue. You are not alone.

                                 

                                   However, I don't have a solution for that yet. I'm trying to get some feedback from Resteasy team and check if we're missing something when using dependencies from modules.

                                 

                                   This is probably a classloader issue when using modules, not sure if it is related with PL.

                                 

                                Regards.

                                • 13. Re: JWT example for Picketlink 2.6.0
                                  hodrigohamalho

                                  I'm facing the same problem on JBoss EAP 6.3.

                                   

                                  Caused by: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: java.util.HashMap of media type: application/octet-stream

                                   

In my case it occurs when a REST method that returns a List is accessed.

                                   

pcraveiro, I think it is related to PicketLink because before setting up PicketLink token authentication on my project all REST resources were OK.

                                  • 14. Re: JWT example for Picketlink 2.6.0
                                    pcraveiro

Are you using PL from modules as well?
