We are using Payara 5.2022.1 in a project where a very specific custom auth solution MUST be used. That solution sends a (non-JWT) Bearer token in the Authorization header, and a JAX-RS filter picks that token and creates a SecurityContext. So far, so good. The problem is that as soon as @RolesAllowed is found in a JAX-RS resource, Payara always returns 401, as apparently it does not check if the token is a JWT token, but simply fails to parse it. While we think this is a bug (if the parsing fails, the request must not get answered by 401 but simply forwarded to our own JAX-RS @PreMatching @Priority(AUTHENTICATION) filter), we worked around it by using a @CustomRolesAllowed instead, which works fine for now. But what we would actually like to do instead is: Can we set a Payara-specific option that simply switches off JWT support completely (not the support for @RolesAllowed for JAX-RS, but just the parsing of JWT)?