I'm working on a small backend. To secure that thing I want to use JWT. My tech stack is Payara & Keycloak. Fortunately I found a great tutorial (https://kodnito.com/posts/microprofile-jwt-with-keycloak/).
Against the suggestion of the author, I want to protect all endpoints underneath /resources/* by web.xml.
This is my web.xml:
...
<security-constraint>
    <display-name>App-Name</display-name>
    <web-resource-collection>
        <web-resource-name>App-Name</web-resource-name>
        <description/>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>mysimplerole</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description/>
    <role-name>mysimplerole</role-name>
</security-role>
...
So far so good. If I send a request to an endpoint, e.g. http://localhost:8080/resources/test, I receive a 401 as expected.
If I add @LoginConfig(authMethod = "MP-JWT") to my JAXRSConfiguration.java and call the endpoint again, I receive a 200 but no content is sent; I would expect a 401 to come up. If I add a JWT token to my request, then the 200 + the expected content show up.
TestResource.java:
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

@Path("test")
public class TestResource {
    @GET
    public Response test() {
        return Response.ok("HI").build();
    }
}
JAXRSConfiguration.java:
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

@ApplicationPath("/resources")
@LoginConfig(authMethod = "MP-JWT")
public class JAXRSConfiguration extends Application {
}
So the question is, what do I have to do to receive a 401 if no or an invalid token is appended to the request?
Your JAX-RS configuration class is missing the @DeclareRoles({ "mysimplerole", "USER" })
annotation to specify all available roles in your application.
import javax.annotation.security.DeclareRoles;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

@ApplicationPath("/resources")
@LoginConfig(authMethod = "MP-JWT")
@DeclareRoles({ "mysimplerole", "USER" })
public class JAXRSConfiguration extends Application {
}
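A way to verify the constraint end to end after applying the fix, as an added example that is not from the question or the answer: a shell script that calls /resources/test without a token, with a garbage token and with a Keycloak-issued token, expecting 401, 401 and 200. The base URL, Keycloak URL, realm, client id and user credentials are assumed placeholders, as is the standard Keycloak token endpoint path.

```shell
# Smoke test for the web.xml + MP-JWT setup: /resources/test must answer 401 without a
# token and with a bogus token, and 200 with a Keycloak-issued token. Added example;
# BASE_URL, KEYCLOAK_URL, REALM, CLIENT_ID, USERNAME and PASSWORD are assumed placeholders.
set -u
BASE_URL="${BASE_URL:-http://localhost:8080}"
KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8180}"   # assumed Keycloak port
REALM="${REALM:-myrealm}"                                # placeholder realm
CLIENT_ID="${CLIENT_ID:-myclient}"                       # placeholder client id
USERNAME="${USERNAME:-alice}"                            # placeholder user holding mysimplerole
PASSWORD="${PASSWORD:-secret}"                           # placeholder password
# Print the HTTP status of a GET on $1, adding "Authorization: Bearer $2" when a token is given.
http_status() {
  local url="$1" token="${2:-}"
  if [ -n "$token" ]; then
    curl -s -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $token" "$url"
  else
    curl -s -o /dev/null -w '%{http_code}' "$url"
  fi
}
# Return 0 when GET $1 (with optional token $3) yields status $2, else report and return 1.
expect_status() {
  local url="$1" expected="$2" token="${3:-}" actual
  actual="$(http_status "$url" "$token")"
  if [ "$actual" = "$expected" ]; then
    echo "ok   $expected  $url${token:+ (with token)}"; return 0
  fi
  echo "FAIL expected $expected, got $actual  $url${token:+ (with token)}"; return 1
}
# Fetch an access token with the password grant; the token endpoint path follows the
# standard Keycloak layout and is an assumption about your deployment.
get_token() {
  curl -s -X POST "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token" \
    -d grant_type=password -d "client_id=$CLIENT_ID" \
    -d "username=$USERNAME" -d "password=$PASSWORD" \
    | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}
# Run the three cases; the return value is the number of failed expectations.
run_checks() {
  local endpoint="$BASE_URL/resources/test" token failures=0
  expect_status "$endpoint" 401 || failures=$((failures + 1))               # no token
  expect_status "$endpoint" 401 "not.a.jwt" || failures=$((failures + 1))   # garbage token
  token="$(get_token)"
  [ -n "$token" ] || { echo "FAIL no token obtained from Keycloak"; return 1; }
  expect_status "$endpoint" 200 "$token" || failures=$((failures + 1))      # valid token
  return "$failures"
}
# Only touch the network when asked: RUN_JWT_CHECKS=1 sh jwt-check.sh
if [ "${RUN_JWT_CHECKS:-0}" = "1" ]; then run_checks; fi
```

A 200 on the first two calls means the container is still letting unauthenticated requests through to the resource; a 403 on the third usually means the token's groups claim does not map to mysimplerole.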