We are using Payara 5.2022.1 in a project where a very specific custom auth solution MUST be used. That solution sends a (non-JWT) Bearer token in the Authorization header, and a JAX-RS filter picks up that token and creates a SecurityContext. So far, so good. The problem is that as soon as @RolesAllowed is found in a JAX-RS resource, Payara always returns 401, as apparently it does not check if the token is a JWT token, but simply fails to parse it. While we think this is a bug (if the parsing fails, the request must not get answered by 401 but simply forwarded to our own JAX-RS @PreMatching @Priority(AUTHENTICATION) filter), we worked around it by using a @CustomRolesAllowed instead, which works fine for now. But what we would actually like instead is: Can we set a Payara-specific option that simply switches off JWT support completely (not the support for @RolesAllowed for JAX-RS, but just the parsing of JWT)?
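The workaround described in the post, as an added sketch that is not the poster's code: a post-matching JAX-RS filter that enforces a custom role annotation against the SecurityContext set by the earlier authentication filter. The names `CustomRolesAllowed` and `CustomRolesAllowedFilter` and the 401/403 split are assumptions; the `javax.*` namespace is used because Payara 5 targets Jakarta EE 8.

```java
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Hypothetical annotation; in a real project it lives in its own public file.
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface CustomRolesAllowed {
    String[] value();
}

@Provider
@Priority(Priorities.AUTHORIZATION) // runs after the AUTHENTICATION-priority filter
public class CustomRolesAllowedFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo; // available because this filter is post-matching

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // A method-level annotation overrides a class-level one.
        CustomRolesAllowed roles =
            resourceInfo.getResourceMethod().getAnnotation(CustomRolesAllowed.class);
        if (roles == null) {
            roles = resourceInfo.getResourceClass().getAnnotation(CustomRolesAllowed.class);
        }
        if (roles == null) {
            return; // unannotated resources stay open; deny here instead to fail closed
        }
        SecurityContext sc = ctx.getSecurityContext();
        if (sc == null || sc.getUserPrincipal() == null) {
            // No principal: the authentication filter did not accept a token.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        } else if (Arrays.stream(roles.value()).noneMatch(sc::isUserInRole)) {
            // Authenticated caller without any of the required roles.
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```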