
Java EE (JBoss EAP) custom auth-method JWT


I'm looking to implement JWT authentication and to grab some extra information too from the token on Java EE.

The issue is that I need a custom auth-method of "jwt" in my web.xml file but this isn't supported apart from BASIC, DIGEST, FORM, CLIENT-CERT.

Is there a way to achieve a custom login method to start the authentication process?

I require no client interaction and the Authorization header will be populated from the calling application using a Bearer realm.

I.e. Authorization: Bearer cn389ncoiwuencr


Solution

  • Note this is tested on EAP 6.4; changes may be required for v7, in particular with the use of valves.

    You need to write a custom xx.Authentication mechanism. You can do this by extending org.apache.catalina.authenticator.FormAuthenticator and overriding the authenticate method.

    The authenticate method will perform

    @Override
    public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config)
            throws IOException {
        // Nothing to do if an earlier valve or a cached session already authenticated the caller.
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            logger.trace("User already authenticated"); // logger: a Logger field of the valve class
            return true;
        }

        // The realm delegates to the login modules of the security domain configured below.
        Realm realm = context.getRealm();

        principal = realm.authenticate("user", (String) null);

        // A failed login must not fall through as authenticated.
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // Cache the principal on the request/session with "Bearer" as the auth type.
        register(request, response, principal, "Bearer", "user", null);

        return true;
    }


    The realm can then be configured in standalone.xml under your security subsystem.

    <security-domain name="JWT">
        <authentication>
            <login-module code="xx.xx.xx.JWTLoginModule" flag="required">
            </login-module>
        </authentication>
    </security-domain>
    

    The JWTLoginModule is a custom LoginModule which uses the https://github.com/jwtk/jjwt library. Information on login modules can be found at https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html/Security_Guide/chap-Login_Modules.html. To create your own, extend org.jboss.security.auth.spi.AbstractServerLoginModule.

    You then need to add these extensions to the modules directory of your EAP server with the same module dependencies as the org.picketbox module.

    This completes the server setup. Now you need to instruct your application to use this setup:

    In your WEB-INF directory create jboss-web.xml as:

    <jboss-web>
        <security-domain>JWT</security-domain>
        <valve>
            <class-name>xx.Authentication</class-name>
        </valve>
    </jboss-web>
    

    and jboss-deployment-structure.xml, which loads the custom module:

    <jboss-deployment-structure>
        <deployment>
            <dependencies>
                <module name="xx.custom"/>
            </dependencies>
        </deployment>
    </jboss-deployment-structure>
    

    Finally in your web.xml file change your auth-method to "JWT".

    I intend to create an open source version of this, but until then this will have to do.
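A JWTLoginModule for the security domain above, as an added example that is not code from the answer. It assumes the valve passes the bearer token (with the "Bearer " prefix stripped) as the credential argument of realm.authenticate instead of null, so the token reaches the module through the PasswordCallback; it also assumes two hypothetical module options, signingKey and issuer, on the login-module element, and the jjwt 0.9.x API.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import io.jsonwebtoken.*;
import org.jboss.security.*;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class JWTLoginModule extends AbstractServerLoginModule {
    private Principal identity;
    private final List<String> roles = new ArrayList<String>();
    @Override
    public boolean login() throws LoginException {
        loginOk = false;
        // Assumed module options on the <login-module> element: HMAC secret and the expected issuer.
        byte[] signingKey = ((String) options.get("signingKey")).getBytes();
        String issuer = (String) options.get("issuer");
        // The valve is assumed to pass the bearer token as the credential, so it arrives via PasswordCallback.
        PasswordCallback pc = new PasswordCallback("Bearer token", false);
        try {
            callbackHandler.handle(new Callback[] { pc });
            if (pc.getPassword() == null) throw new LoginException("No bearer token supplied");
            String token = new String(pc.getPassword());
            pc.clearPassword();
            // parseClaimsJws verifies signature and exp, requireIssuer checks iss; any failure throws.
            Claims claims = Jwts.parser().setSigningKey(signingKey).requireIssuer(issuer)
                    .parseClaimsJws(token).getBody();
            identity = createIdentity(claims.getSubject());
            List<?> claimRoles = claims.get("roles", List.class); // extra data carried in the token
            if (claimRoles != null) for (Object r : claimRoles) roles.add(String.valueOf(r));
        } catch (JwtException e) {
            throw new LoginException("Rejected JWT: " + e.getMessage());
        } catch (Exception e) {
            throw new LoginException("Authentication failed: " + e.getMessage());
        }
        loginOk = true;
        return true;
    }

    @Override
    protected Principal getIdentity() { return identity; }
    @Override
    protected Group[] getRoleSets() {
        Group group = new SimpleGroup("Roles"); // the group name JBoss maps to web.xml roles
        for (String role : roles) group.addMember(new SimplePrincipal(role));
        return new Group[] { group };
    }
}
```

Because every validation failure ends in a LoginException and the module is flagged "required", a token with a bad signature, a wrong issuer or an expired exp claim never produces a principal for the valve to register.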