Re: [jakarta.ee-community] Is Jakarta EE Security missing something?
Hi Ondro,

thanks for your feedback and investigation. I understand that this is the missing part if I want my application to support both a user authentication flow via web browser and bearer-token-based authentication for web services.

Ralph
On 24.04.25 14:46, Ondro Mihályi wrote:

Hi Ralph,

In Jakarta EE 11, it will be possible to decide which auth mechanism to use based on info in the request.

In GlassFish 8, which will provide Jakarta EE 11, MicroProfile JWT is implemented as a Jakarta Security auth mechanism. The missing piece is to be able to inject the built-in JWT mechanism into a custom handler so that the handler can delegate to it in case of REST requests. I raised an issue to add this to GlassFish 8 when it's ready: https://github.com/eclipse-ee4j/glassfish/issues/25475

MP JWT bridge aims to do something similar, plus add means to define the JWT mechanism via an annotation instead of MicroProfile Config properties. I hope it also specifies the qualifier so that the JWT mechanism can be injected in a standard way into a Security handler.

Ondro
Hi Ondro,

the microprofile-jwt-bridge is poorly documented. Most links are broken :-(

Regards
ralph
On 23.04.25 23:46, Ondro Mihályi wrote:

Hi Ralph,

Isn't this already provided by MicroProfile JWT? However, this is not integrated with Jakarta Security; it's just a different API you can use to secure REST services using Bearer authentication with JWT. There's an initiative to integrate MP JWT with Jakarta Security: https://github.com/microprofile/microprofile-jwt-bridge

Ondro
Hi,

I'm not sure if this is the right place for my question, but I'm a bit confused. It's about the new capabilities in Jakarta EE 10 regarding OpenID Connect (OIDC) integration.

With the @OpenIdAuthenticationMechanismDefinition annotation, Jakarta EE supports a cool way to integrate the OIDC authentication flow. But this annotation (supported by all current platforms) is only for browser-based authentication. I had always assumed that this mechanism also supports programmatic logins. But this is obviously not the case.

This means: if you add the @OpenIdAuthenticationMechanismDefinition to your Jakarta EE app, you can connect your app easily with different identity provider platforms (e.g. Keycloak), and users can authenticate in a secure way via web browsers. But if you need to perform a programmatic login, for example in a microservice architecture where an external service needs to access your application's API, you are totally lost. I can't believe that I'm the only one who has this requirement?

WildFly offers its own proprietary solution (I think based on Soteria) that supports exactly this feature. But this means that the application is no longer platform-neutral, and you are forced to use the Elytron library "wildfly-elytron-http-oidc" to get the user attributes out of the user's claims.

I have written a blog about this feature here: https://ralph.blog.imixs.com/2025/03/26/wildfly-29-oidc-bearer-token-authentication/

I guess your answer in this forum will be that Jakarta EE is just a specification and if I need such a feature I can implement my own JASPI login module. But can that really be true? Not every developer writes his own JASPI login module. I myself shy away from it, because I expect that I will very quickly reach a point where I am no longer platform independent.

Can anyone help me with this question? Or am I missing an important concept of Jakarta EE all the time?

I have already written issues about this at WildFly and Soteria and on Stack Overflow. But somehow the community is silent on this topic.

Thanks for your help in advance

===
Ralph
--
Imixs
Software Solutions GmbH
Web: www.imixs.com
Phone: +49 (0)89-452136 16
Timezone: Europe/Berlin - CET/CEST
Office: Frei-Otto-Str. 4, 80797 München
Registergericht: Amtsgericht München, HRB 136045
Geschäftsführer: Gaby Heinle u. Ralph Soika
Imixs is an open source company, read
more: www.imixs.org
_______________________________________________
jakarta.ee-community mailing list
jakarta.ee-community@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakarta.ee-community
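The routing that Ondro describes (pick the auth mechanism from information in the request, and delegate REST calls carrying a bearer token to the JWT mechanism while browser requests go through the OIDC redirect flow) can be sketched as a Jakarta Security 4.0 handler. The following is an added example, not code from this thread, from GlassFish, Soteria or the MP JWT bridge. It assumes the HttpAuthenticationMechanismHandler interface that Jakarta Security 4.0 (Jakarta EE 11) adds, assumes the built-in OIDC mechanism is injectable through the qualifier nested in its definition annotation, and uses a hypothetical @BearerJwt qualifier for whichever JWT mechanism the runtime provides; the provider URI, client id and secret are placeholders.

```java
import static jakarta.interceptor.Interceptor.Priority.APPLICATION;

import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.Locale;

import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.inject.Inject;
import jakarta.inject.Qualifier;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanismHandler;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Routes each request to one of two authentication mechanisms:
 *   - "Authorization: Bearer <jwt>" present  -> JWT mechanism (REST / service clients)
 *   - otherwise                              -> OIDC authorization-code flow (browsers)
 * Assumption: HttpAuthenticationMechanismHandler as added in Jakarta Security 4.0;
 * on Jakarta EE 10 this interface does not exist.
 */
@ApplicationScoped
@Alternative
@Priority(APPLICATION)
@OpenIdAuthenticationMechanismDefinition(
        providerURI = "https://idp.example.invalid/realms/demo", // placeholder, not a real IdP
        clientId = "my-app",                                      // placeholder
        clientSecret = "CHANGE-ME")                               // placeholder; read from config in real deployments
public class RoutingAuthenticationMechanismHandler implements HttpAuthenticationMechanismHandler {

    /** Hypothetical CDI qualifier under which the runtime's JWT bearer mechanism is assumed to be registered. */
    @Qualifier
    @Retention(RetentionPolicy.RUNTIME)
    public @interface BearerJwt { }

    // Assumption: the built-in OIDC mechanism can be injected via the qualifier
    // nested in its definition annotation (Jakarta Security 4.0 style).
    @Inject
    @OpenIdAuthenticationMechanismDefinition.OpenIdAuthenticationMechanism
    HttpAuthenticationMechanism oidcMechanism;

    // Assumption: a JWT mechanism (e.g. GlassFish 8's MicroProfile JWT mechanism)
    // is exposed under the hypothetical @BearerJwt qualifier.
    @Inject
    @BearerJwt
    HttpAuthenticationMechanism jwtMechanism;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext context) {
        if (hasBearerToken(request)) {
            // Machine-to-machine call: validate the token; never start a redirect flow.
            return jwtMechanism.validateRequest(request, response, context);
        }
        if (context.isProtected() && isApiClient(request)) {
            // A non-browser client without a token gets a 401 challenge naming the
            // expected scheme instead of a 302 to the IdP's HTML login page it cannot complete.
            response.setHeader("WWW-Authenticate", "Bearer realm=\"api\"");
            return context.responseUnauthorized();
        }
        // Everything else (interactive users, the OIDC callback URL, unprotected pages)
        // is left to the OIDC mechanism, which handles those cases itself.
        return oidcMechanism.validateRequest(request, response, context);
    }

    /** True only for a well-formed "Bearer <non-empty token>" credential; the scheme is case-insensitive. */
    static boolean hasBearerToken(HttpServletRequest request) {
        String authz = request.getHeader("Authorization");
        if (authz == null || !authz.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return false;
        }
        return !authz.substring(7).isBlank();
    }

    /** Heuristic: a client that does not declare it accepts HTML cannot follow a login redirect. */
    static boolean isApiClient(HttpServletRequest request) {
        String accept = request.getHeader("Accept");
        if (accept == null) {
            return false;
        }
        String a = accept.toLowerCase(Locale.ROOT);
        return !a.contains("text/html") && !a.contains("*/*");
    }
}
```

Two design points worth noting: the `isProtected()` check is deliberately not applied before delegating to the OIDC mechanism, because the OIDC callback URL is normally an unprotected resource and the mechanism must still see that request to complete the flow; and the bearer path is chosen purely on the presence of a non-empty `Bearer` credential, so a request carrying a malformed or expired token is rejected by the JWT mechanism rather than silently falling back to the browser login.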