FISH-1520 parse JWT even for unprotected pages if provided

Fixes EmptyTokenTest
payara · Aug 5, 2021 · 93ecc43 · 93ecc43
1 parent 05efba5
commit 93ecc43
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 22 deletions.
diff --git a/...src/main/java/fish/payara/microprofile/jwtauth/eesecurity/JWTAuthenticationMechanism.java b/...src/main/java/fish/payara/microprofile/jwtauth/eesecurity/JWTAuthenticationMechanism.java
@@ -89,24 +89,25 @@ public JWTAuthenticationMechanism() {
     @Override
     public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException {
 
-        if (httpMessageContext.isProtected()) {
-            IdentityStoreHandler identityStoreHandler = CDI.current().select(IdentityStoreHandler.class).get();
-
-            SignedJWTCredential credential = getCredential(request);
-
-            if (credential != null) {
-
-                CredentialValidationResult result = identityStoreHandler.validate(credential);
-                if (result.getStatus() == VALID) {
-                    httpMessageContext.getClientSubject()
-                                      .getPrincipals()
-                                      .add(result.getCallerPrincipal());
-                }
-
+        // Don't limit processing of JWT to protected pages (httpMessageContext.isProtected())
+        // as MP TCK requires JWT being parsed (if provided) even if not in protected pages.
+        IdentityStoreHandler identityStoreHandler = CDI.current().select(IdentityStoreHandler.class).get();
+
+        SignedJWTCredential credential = getCredential(request);
+
+        if (credential != null) {
+
+            CredentialValidationResult result = identityStoreHandler.validate(credential);
+            if (result.getStatus() == VALID) {
+                httpMessageContext.getClientSubject()
+                        .getPrincipals()
+                        .add(result.getCallerPrincipal());
                 return httpMessageContext.notifyContainerAboutLogin(result);
             }
+
+            return httpMessageContext.responseUnauthorized();
         }
-        
+
         return httpMessageContext.doNothing();
     }
 

diff --git a/...profile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JsonWebTokenImpl.java b/...profile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JsonWebTokenImpl.java
@@ -40,18 +40,15 @@
 package fish.payara.microprofile.jwtauth.jwt;
 
 import static java.util.Collections.singleton;
-import static java.util.stream.Collectors.toSet;
-
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-
+import static java.util.stream.Collectors.toSet;
 import javax.json.JsonArray;
 import javax.json.JsonNumber;
 import javax.json.JsonString;
 import javax.json.JsonValue;
 import javax.security.enterprise.CallerPrincipal;
-
 import org.eclipse.microprofile.jwt.Claims;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 
@@ -77,7 +74,7 @@ public Map<String, JsonValue> getClaims() {
     @SuppressWarnings("unchecked")
     public <T> T getClaim(String claimName) {
 
-        JsonValue claimValue = getClaims().get(claimName);
+        JsonValue claimValue = claims.get(claimName);
         if (claimValue == null) {
             return null;
         }
@@ -108,12 +105,16 @@ public <T> T getClaim(String claimName) {
             return (T) ((JsonString) claimValue).getString();
         }
 
-        return (T) getClaims().get(claimName);
+        return (T) claims.get(claimName);
     }
 
     @Override
     public Set<String> getClaimNames() {
-        return getClaims().keySet();
+        if (claims.isEmpty()) {
+            // TCK tests require to return null if there are no claims
+            return null;
+        }
+        return claims.keySet();
     }
 
     private static Set<String> asStringSet(JsonArray jsonArray) {