[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16746660#comment-16746660 ]

Jacques Le Roux edited comment on OFBIZ-10814 at 1/19/19 3:09 AM:
------------------------------------------------------------------

Hi Michael,

From my review of ExternalLoginKeysManager changes this should work. But it can't be tested OOTB (and that's the difficulty of testing this feature) because the changes must be also applied on the trunk demo instance. We could though apply them temporarily just for the test and revert.

_Disclaimer: I only reviewed ExternalLoginKeysManager changes so far_

You said
{quote}I wonder how this could have been working with several bugs in the code.{quote}
I did not see any bug fixed in ExternalLoginKeysManager, what do you think about?

If you think about having a bearer, it was an initial way I picked for simplicity. It's not a bug but I agree it's best to follow the standard.

was (Author: jacques.le.roux):

Hi Michael,

From my review of ExternalLoginKeysManager changes this should work. But it can be tested OOTB (and that's the difficulty of testing this feature) because the changes must be also applied on the trunk demo server. We could though apply them temporarily just for the test and revert.

_Disclaimer: I only reviewed ExternalLoginKeysManager changes so far_

You said
{quote}I wonder how this could have been working with several bugs in the code.{quote}
I did not see any bug fixed in ExternalLoginKeysManager, what do you think about?

If you think about having a bearer, it was an initial way I picked for simplicity. It's not a bug but I agree it's best to follow the standard.
> Error parsing JWT
> -----------------
>
>                 Key: OFBIZ-10814
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10814
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>         Attachments: Apache OFBiz JWT Test.postman_collection.json, OFBIZ-10814_JWT_parsing_error.patch
>
>
> I have problems using the Authorization: Bearer header value for requests towards OFBiz. OFBiz has problems parsing externally generated JSON Web Tokens.
> I have generated them using both [1] and [2] using HS512 and the default secret.
> The JWT check fails because of a parsing error:
> {noformat}
> 2019-01-17 16:48:36,233 |jsse-nio-8443-exec-7 |JavaEventHandler |E| Problems Processing Event
> io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S"
>         at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>         at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>         at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>         at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) [ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) [ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
>         at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152]
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152]
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13]
>         at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens
>  at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2]
>         at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6]
>         at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1]
>         ... 42 more
> 2019-01-17 16:48:36,237 |jsse-nio-8443-exec-7 |RequestHandler |E| null
> org.apache.ofbiz.webapp.event.EventHandlerException: Problems processing event: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S" (Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S")
>         at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:94) ~[ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) ~[ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
>         at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13]
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13]
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152]
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152]
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13]
>         at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S"
>         at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>         at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>         at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>         at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?]
>         ... 31 more
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens
>  at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2]
>         at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6]
>         at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6]
>         at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>         at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>         at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>         at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>         at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>         at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?]
>         ... 31 more{noformat}
> If I create a JWT in [2] and paste it in [1] with a not Base64 encoded secret, the JWT claims are displayed fine so I think they are correct and parsable.
> You can test using
> {noformat}
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0OCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg{noformat}
>
> Any ideas what could be wrong?
>
> [1] [https://jwt.io/]
> [2] [http://jwtbuilder.jamiekurtz.com/]

-- 
This message was sent by Atlassian JIRA
(v7.6.3#76005)
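The thread turns on two things: how the token reaches the verifier (the bare value the comment describes versus the standard `Authorization: Bearer <token>` form) and what a verifier should do when a segment does not decode to JSON. The block below is an added example, not OFBiz or jjwt code, showing a minimal HS256/HS512 JWS verifier that strips the RFC 6750 scheme, allow-lists the algorithm, compares the HMAC in constant time, checks `exp`, and rejects a segment that is not valid base64url before anything is handed to the JSON parser. It also includes an unverified `peek` for diagnosing tokens like the one attached to the issue; that token's secret is not on the page, so the example only decodes it and never treats it as authenticated. `DEMO_SECRET`, the demo claims and every function name are constructed for this example.

```python
"""Added example (not OFBiz or jjwt code): a small HS256/HS512 JWS verifier
that reads the RFC 6750 'Authorization: Bearer <token>' header, plus an
unverified 'peek' used only to diagnose tokens that fail validation."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Allow-list of HMAC algorithms; anything else (including "none") is rejected
# before the signature is even looked at.
ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}

# Constructed demo secret; the real OFBiz default secret is not on the page.
DEMO_SECRET = b"constructed-demo-secret-not-from-ofbiz"

# Token quoted in OFBIZ-10814 (HS512, produced by an online builder). Used
# here only for the unverified peek, since its signing secret is unknown.
ISSUE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0OCwi"
    "YXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6"
    "IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xl"
    "IjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0."
    "KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg"
)


class TokenError(Exception):
    """Raised with a short reason whenever a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Strict decoding: a character outside the base64url alphabet (for example
    # the space in an unstripped "Bearer eyJ...") is an error here, instead of
    # being skipped and turning into binary junk for the JSON parser.
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError) as exc:
        raise TokenError(f"segment is not base64url: {exc}") from None


def decode_json_segment(segment: str) -> dict:
    try:
        value = json.loads(b64url_decode(segment))
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise TokenError(f"segment is not JSON: {exc}") from None
    if not isinstance(value, dict):
        raise TokenError("segment is not a JSON object")
    return value


def sign_hs(secret: bytes, claims: dict, alg: str = "HS512") -> str:
    """Issue a compact JWS; used here to build tokens for the demo."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), ALLOWED_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def extract_bearer(authorization: str) -> str:
    """RFC 6750: the credential is 'Bearer' (case-insensitive), a space, the token."""
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        raise TokenError("Authorization header is not a Bearer credential")
    return token


def verify(token: str, secret: bytes, now=None) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError(f"expected 3 segments, got {len(parts)}")
    header = decode_json_segment(parts[0])
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise TokenError(f"algorithm {alg!r} not allowed")
    # The signature is checked before the payload is trusted for anything.
    signing_input = f"{parts[0]}.{parts[1]}".encode("utf-8")
    expected = hmac.new(secret, signing_input, ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise TokenError("signature mismatch")
    claims = decode_json_segment(parts[1])
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        raise TokenError("token expired or has a malformed exp")
    return claims


def verify_result(token: str, secret: bytes, now=None):
    """('ok', claims) or ('rejected', reason) for a raw compact token."""
    try:
        return "ok", verify(token, secret, now)
    except TokenError as exc:
        return "rejected", str(exc)


def check_request(authorization: str, secret: bytes, now=None):
    """Same, but starting from the full Authorization header value."""
    try:
        token = extract_bearer(authorization)
    except TokenError as exc:
        return "rejected", str(exc)
    return verify_result(token, secret, now)


def peek(token: str):
    """Decode header and claims WITHOUT verifying: for diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError(f"expected 3 segments, got {len(parts)}")
    return decode_json_segment(parts[0]), decode_json_segment(parts[1])


if __name__ == "__main__":
    demo = sign_hs(DEMO_SECRET, {"sub": "jrocket@example.com", "exp": 2_000_000_000})
    print(check_request("Bearer " + demo, DEMO_SECRET))   # ('ok', {...})
    print(check_request(demo, DEMO_SECRET))               # bare token: rejected
    print(verify_result("Bearer " + demo, DEMO_SECRET))   # scheme not stripped: rejected early
    print(peek(ISSUE_TOKEN)[0])                           # {'typ': 'JWT', 'alg': 'HS512'}
```

Two design points. First, `verify_result("Bearer " + token, ...)` fails at the base64url stage with a reason that names the problem, which is the kind of message a reporter can act on; a decoder that silently drops non-alphabet characters would instead produce the binary value seen in the issue's `Unable to read JSON value` trace. Second, `peek` is deliberately separate from `verify` so that an unverified decode can never be mistaken for an authenticated one when triaging a token such as the one attached to this issue.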
