We are using Payara 5.2022.1 in a project where a very specific custom auth solution MUST be used. That solution sends a (non-JWT) Bearer token in the Authorization header, and a JAX-RS filter picks up that token and creates a SecurityContext. So far, so good. The problem is that as soon as @RolesAllowed is found in a JAX-RS resource, Payara always returns 401, as apparently it does not check whether the token is a JWT token, but simply fails to parse it. While we think this is a bug (if the parsing fails, the request must not be answered with 401 but simply forwarded to our own JAX-RS @PreMatching @Priority(AUTHENTICATION) filter), we worked around it by using a @CustomRolesAllowed instead, which works fine for now. But what we would actually like instead is: can we set a Payara-specific option that simply switches off JWT support completely (not the support for @RolesAllowed for JAX-RS, but just the parsing of JWT)?
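For readers unfamiliar with the setup the question describes, here is an added example (not code from the original post or from Payara) of the kind of JAX-RS filter involved: a `@PreMatching` `ContainerRequestFilter` at `Priorities.AUTHENTICATION` that reads an opaque (non-JWT) Bearer token from the `Authorization` header, resolves it to a user and roles, and installs a `SecurityContext` whose `isUserInRole` backs `@RolesAllowed`. The token store, the user names, the role names and the `javax.ws.rs` namespace (Jakarta EE 8, which Payara 5 targets) are assumptions; the token lookup is a constructed in-memory map standing in for whatever backend the custom auth solution really uses.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Example filter (assumed design, not Payara code): runs before resource matching at the
 * AUTHENTICATION priority, validates an opaque Bearer token and sets a SecurityContext so that
 * @RolesAllowed on resources can be evaluated against the roles the token resolves to.
 */
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class BearerTokenAuthFilter implements ContainerRequestFilter {

    private static final String BEARER_PREFIX = "Bearer ";

    // Constructed sample token store: opaque token -> authenticated user with roles.
    // A real deployment would look the token up in its own backend (database, cache, auth server).
    private static final Map<String, AuthenticatedUser> TOKENS = Map.of(
            "opaque-token-123", new AuthenticatedUser("alice", Set.of("admin", "user")),
            "opaque-token-456", new AuthenticatedUser("bob", Set.of("user")));

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            // No Bearer credential presented: leave the request anonymous. Public resources still
            // work, and a resource annotated with @RolesAllowed rejects the anonymous caller later.
            return;
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        AuthenticatedUser user = TOKENS.get(token);
        if (user == null) {
            // A Bearer token was presented but is unknown: reject here with 401 and the
            // WWW-Authenticate challenge, so the resource is never reached.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer")
                    .build());
            return;
        }
        // Preserve the transport's "secure" flag from the container-provided context, if any.
        SecurityContext existing = ctx.getSecurityContext();
        boolean secure = existing != null && existing.isSecure();
        ctx.setSecurityContext(new TokenSecurityContext(user, secure));
    }

    /** Resolved identity: principal name plus the set of roles granted to the token. */
    static final class AuthenticatedUser {
        final String name;
        final Set<String> roles;

        AuthenticatedUser(String name, Set<String> roles) {
            this.name = name;
            this.roles = roles;
        }
    }

    /** SecurityContext backed by the token's roles; @RolesAllowed consults isUserInRole. */
    static final class TokenSecurityContext implements SecurityContext {
        private final AuthenticatedUser user;
        private final boolean secure;

        TokenSecurityContext(AuthenticatedUser user, boolean secure) {
            this.user = user;
            this.secure = secure;
        }

        @Override
        public Principal getUserPrincipal() {
            return () -> user.name; // java.security.Principal only requires getName()
        }

        @Override
        public boolean isUserInRole(String role) {
            return user.roles.contains(role);
        }

        @Override
        public boolean isSecure() {
            return secure;
        }

        @Override
        public String getAuthenticationScheme() {
            return "Bearer";
        }
    }
}
```

Two design points worth noting. A request without any `Authorization` header is left anonymous rather than rejected, so resources without `@RolesAllowed` stay reachable and only protected ones fail; a request that does present a Bearer token the store does not know is rejected immediately with 401 plus a `WWW-Authenticate: Bearer` challenge. Whether the container actually consults this `SecurityContext` for `@RolesAllowed` is the crux of the question above: the post reports that Payara's own JWT handling answers 401 before a filter like this one gets to run, which is why the poster fell back to a custom annotation.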