README-source.adoc

../shared-doc/attributes.adoc

jaxrs-jwt: Jakarta REST secured using JSON Web Tokens (JWTs)

The jaxrs-jwt quickstart demonstrates a Jakarta REST secured application using JSON Web Tokens (JWT) with Elytron.

What is it?

This quickstart demonstrates how to secure a Jakarta REST service with JWTs using the Elytron subsystem.

There are 4 resource endpoints, plus another one for generating JWTs.

• /rest/public - Requires no authentication.

• /rest/customer - Can be accessed by users with customer role authority.

• /rest/admin - Can be accessed by users with admin role authority.

• /rest/claims - Can be accessed by any authenticated user and demonstrates how to extract token claims.

• /rest/token - POST endpoint for generating tokens from provided credentials.

Note	This quickstart asserts only few JWT claims for demonstration purposes. In your application, you should use all claims required by the specification you are using.

../shared-doc/view-the-source.adoc ../shared-doc/system-requirements.adoc ../shared-doc/use-of-jboss-home-name.adoc

../shared-doc/back-up-server-standalone-configuration.adoc ../shared-doc/start-the-standalone-server.adoc

Configure the Server

You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a configure-elytron.cli script provided in the root directory of this quickstart.

1. Before you begin, make sure you do the following:

   • Back up the {productName} standalone server configuration as described above.

   • Start the {productName} server with the standalone default profile as described above.

2. Review the configure-elytron.cli file in the root of this quickstart directory. This script adds the configuration that enables Elytron security for the quickstart deployment. Comments in the script describe the purpose of each block of commands.

   Important

   This script contains placeholder PEM public key to make the deployment of this quickstart easy. DO not use this key for anything but testing purposes! You must generate your own key pair for your own application.

3. Open a new terminal, navigate to the root directory of this quickstart, and run the following command, replacing {jbossHomeName} with the path to your server:

   $ {jbossHomeName}/bin/jboss-cli.sh --connect --file=configure-elytron.cli

   Note	For Windows, use the {jbossHomeName}\bin\jboss-cli.bat script.

   You will see the following warnings when executing the script:

   WFLYELY01090: Allowed jku values haven't been specified for token realm 'jwt-realm'. Token validation will fail if the token contains a 'jku' header parameter. The allowed jku values can be specified as a space separated string using the 'wildfly.elytron.jwt.allowed.jku.values.jwt-realm' system property.
   
   ELY01179: SSL not configured. jku claim will not be supported.
   
   ELY01182: Allowed jku values haven't been configured for the JWT validator. Token validation will fail if the token contains a 'jku' header parameter.

   The quickstart creates and makes use of a JWT that doesn’t include a jku header parameter so the warnings can be ignored. When making use of a real token provider with a jwt-realm, token validation will fail if the token contains a jku header parameter and the allowed jku values have not been specified.

4. Stop the {productName} server.

Review the Modified Server Configuration

After stopping the server, open the {jbossHomeName}/standalone/configuration/standalone.xml file and review the changes.

1. The following token-realm was added to the security-realms element in the elytron subsystem.

   <token-realm name="jwt-realm" principal-claim="sub">
       <jwt issuer="quickstart-jwt-issuer" audience="jwt-audience" key-store="jwt-key-store" certificate="jwt-auth"/>
   </token-realm>

2. The following security-domain was added, which uses the jwt-realm.

   <security-domain name="jwt-domain" default-realm="jwt-realm" permission-mapper="default-permission-mapper">
       <realm name="jwt-realm" role-decoder="groups-to-roles"/>
   </security-domain>

3. The following HTTP authentication factory was added, which uses BEARER_TOKEN and the jwt-realm.

   <http-authentication-factory name="jwt-http-authentication" http-server-mechanism-factory="global" security-domain="jwt-domain">
       <mechanism-configuration>
           <mechanism mechanism-name="BEARER_TOKEN">
               <mechanism-realm realm-name="jwt-realm"/>
           </mechanism>
       </mechanism-configuration>
   </http-authentication-factory>

4. The application security domain in the Undertow subsystem is configured to use the new HTTP authentication factory.

   <application-security-domains>
       <application-security-domain name="other" http-authentication-factory="jwt-http-authentication"/>
   </application-security-domains>

5. Finally, the application security domain in the EJB subsystem is configured to use the jwt-domain.

   <application-security-domains>
       <application-security-domain name="other" security-domain="jwt-domain"/>
   </application-security-domains>

../shared-doc/build-and-deploy-the-quickstart.adoc

Access the Application

The JwtAuthIT test shows how a client can authenticate with the server.

../shared-doc/run-integration-tests-with-server-distribution.adoc ../shared-doc/undeploy-the-quickstart.adoc :restoreScriptName: restore-configuration.cli ../shared-doc/restore-standalone-server-configuration.adoc

This script reverts the changes made to the undertow and elytron subsystem.You should see the following result when you run the script.

The batch executed successfully
process-state: reload-required

../shared-doc/restore-standalone-server-configuration-manual.adoc

../shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc ../shared-doc/build-and-run-the-quickstart-with-openshift.adoc ../shared-doc/build-and-run-the-quickstart-with-kubernetes.adoc