[ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16754772#comment-16754772 ]

Jacopo Cappellato commented on OFBIZ-10814:
-------------------------------------------

Michael wrote:
{quote}
if I understand it correctly, the token based authentication is processed through the preprocessor checkJWTLogin and the TokenFilter is not used currently. I see the filter as a good way to have a token based authentication for single webapps instead of using the preprocessor for all through the common-controller.xml.
{quote}

If I am not wrong, the original design by Deepak was to provide JWT authentication using a web filter (the preprocessor event is not needed if the filter is added to the web.xml file); then Jacques refactored his SSO code to leverage this JWT authentication and implemented the preprocessor for this.

In my opinion, in the longer term, we should move some of the logic in custom classes like OFBiz preprocessors and handlers (that, in order to be used, require the full adoption of various components of OFBiz as a monolith) to the more standard web filters (I started this effort some time ago by cleaning and refactoring some of the existing filters); in this way we will have various filters that provide different services (like the setup of delegators and dispatchers, access control, authentication etc.) that could be composed (added/removed) when needed to flexibly build various types of applications based on the OFBiz framework, like single page applications, traditional web applications, REST APIs etc. This design will help to make our code simpler to read and maintain (see the complex login related code we have now).

However, since we are not currently using this filter ootb, I am fine if we decide to remove it, or at least we should provide a good Javadoc comment for it to explain its purpose and how to use it.
> Error parsing JWT
> -----------------
>
>                 Key: OFBIZ-10814
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10814
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>         Attachments: Apache OFBiz JWT Test.postman_collection.json, OFBIZ-10814_JWT_parsing_error.patch, OFBIZ-10814_JWT_parsing_error_and_refactoring.patch, OFBIZ-10814_JWT_parsing_error_examples.patch
>
>
> I have problems using the Authorization: Bearer header value for requests towards OFBiz. OFBiz has problems parsing externally generated JSON Web Tokens.
> I have generated them using both [1] and [2] using HS512 and the default secret.
> The JWT check fails because of a parsing error:
> {noformat}
> 2019-01-17 16:48:36,233 |jsse-nio-8443-exec-7 |JavaEventHandler |E| Problems Processing Event
> io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S"
>     at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>     at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) [ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) [ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
>     at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152]
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13]
>     at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens
>  at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2]
>     at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1]
>     ... 42 more
> 2019-01-17 16:48:36,237 |jsse-nio-8443-exec-7 |RequestHandler |E| null
> org.apache.ofbiz.webapp.event.EventHandlerException: Problems processing event: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S" (Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S")
>     at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:94) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
>     at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152]
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13]
>     at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S"
>     at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>     at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?]
>     ... 31 more
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens
>  at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2]
>     at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>     at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?]
>     ... 31 more
> {noformat}
> If I create a JWT in [2] and paste it in [1] with a not Base64 encoded secret, the JWT claims are displayed fine, so I think they are correct and parsable.
> You can test using
> {noformat}
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0OCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg
> {noformat}
>
> Any ideas what could be wrong?
>
> [1] [https://jwt.io/]
> [2] [http://jwtbuilder.jamiekurtz.com/]
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v7.6.3#76005)
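Added example (not code from the issue, from OFBiz or from jjwt): a small HS512 verifier in Python that decodes the token quoted above without trusting it, pins the algorithm on the verifier side, and models the two readings of a shared-secret string that the reporter's remark about a "not Base64 encoded secret" turns on (jjwt 0.9.x's `setSigningKey(String)` treats the string as Base64-encoded key bytes, while jwt.io with the Base64 box unchecked uses the raw text). `key_bytes` is a hypothetical helper; the secret `demosecretdemosecret` and the claims it signs are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Token copied from the issue description above. Its signing secret is not on the page,
# so it is only decoded here and never accepted as verified.
ISSUE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0"
    "OCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVu"
    "TmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5j"
    "b20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0."
    "KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg"
)

def b64url_decode(part):
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def decode_unverified(token):
    """Parse header and claims WITHOUT checking the signature (inspection only)."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def key_bytes(secret, secret_is_base64):
    """Hypothetical helper: the two readings of a shared-secret string. Raw text is what
    jwt.io uses with the base64 box unchecked; jjwt 0.9.x setSigningKey(String) base64-decodes it."""
    return base64.b64decode(secret) if secret_is_base64 else secret.encode("utf-8")

def sign_hs512(claims, key):
    """Issue a compact JWS over constructed claims with HS512 (HMAC-SHA-512)."""
    header_b64 = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS512"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

def verify_hs512(token, key, now=None):
    """Return the claims if the HS512 signature and exp check out, otherwise None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS512":
        return None  # the verifier pins the algorithm; the token does not get to choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # wrong key, e.g. secret read as base64 on one side and as raw text on the other
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", float("inf")) <= (time.time() if now is None else now):
        return None  # expired
    return claims
```

Signing with the raw bytes of the secret and verifying with its Base64-decoded bytes fails the signature check, which is the mismatch to rule out when an externally issued token is rejected.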
