ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-10814) Error parsing JWT
Date Sat, 02 Feb 2019 18:42:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16759138#comment-16759138 ]

Jacques Le Roux commented on OFBIZ-10814:
-----------------------------------------

Hi Michael,

I tested your changes with the trunk, it works. I mean, I can SSO login from a localhost example
to content on trunk demo.

All, 

While reviewing the code I noticed that in JWTManager::getAuthenticationToken we pass "USERNAME"
and "PASSWORD" as parameters in a request. Why do we need that? This method is not used OOTB
yet, so just curious.

> Error parsing JWT
> -----------------
>
>                 Key: OFBIZ-10814
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10814
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>         Attachments: Apache OFBiz JWT Test.postman_collection.json, OFBIZ-10814_JWT_parsing_error.patch,
OFBIZ-10814_JWT_parsing_error_and_refactoring.patch, OFBIZ-10814_JWT_parsing_error_examples.patch
>
>
> I have problems using the Authorization: Bearer header value for requests towards OFBiz. OFBiz has problems parsing externally generated JSON Web Tokens.
> I have generated them using both [1] and [2] using HS512 and the default secret.
> The JWT check fails because of a parsing error:
> {noformat}
> 2019-01-17 16:48:36,233 |jsse-nio-8443-exec-7 |JavaEventHandler             |E| Problems Processing Event
> io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S"
>     at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>     at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) [ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) [ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
>     at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152]
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13]
>     at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens
>  at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2]
>     at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1]
>     ... 42 more
> 2019-01-17 16:48:36,237 |jsse-nio-8443-exec-7 |RequestHandler               |E| null
> org.apache.ofbiz.webapp.event.EventHandlerException: Problems processing event: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S" (Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S")
>     at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:94) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
>     at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13]
>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152]
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13]
>     at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
> Caused by: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S"
>     at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>     at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?]
>     ... 31 more
> Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens
>  at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2]
>     at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6]
>     at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1]
>     at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1]
>     at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
>     at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?]
>     ... 31 more{noformat}
> If I create a JWT in [2] and paste it in [1] with a secret that is not Base64 encoded, the JWT claims are displayed fine, so I think they are correct and parsable.
> You can test using
> {noformat}
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0OCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg{noformat}
>  
> Any ideas what could be wrong?
>  
> [1] [https://jwt.io/]
> [2] [http://jwtbuilder.jamiekurtz.com/]
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
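The Jackson error in the quoted trace means the string jjwt handed it after base64url-decoding a segment was not JSON at all. The Python below is an added example (not OFBiz or jjwt code) that takes a token apart the same way and then shows the checks a verifier has to make once the segments do decode: algorithm pinned before the signature is checked, constant-time comparison, expiry. It decodes the token quoted in the issue for the structural part; the secret that token was signed with is not on the page, so the signing and verification part uses a constructed secret and a constructed token.

```python
import base64, hashlib, hmac, json

# Token quoted in OFBIZ-10814; its secret is not on the page, so only its structure is decoded.
ISSUE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0OCwi"
    "YXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIs"
    "IlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0."
    "KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg")

def b64url_decode(seg):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def bearer_token(authorization):
    """Return the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("not a Bearer Authorization header")
    return token.strip()

def decode_unverified(token):
    """Decode header and claims without trusting them; a segment that is not JSON is the MalformedJwtException case."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    try:  # ValueError covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        header, claims = [json.loads(b64url_decode(p)) for p in parts[:2]]
    except ValueError as exc:
        raise ValueError("segment is not base64url-encoded JSON: %s" % exc) from None
    return {"header": header, "claims": claims}

def sign_hs512(claims, secret):
    """Mint an HS512 JWS with a raw-bytes secret (constructed example, not OFBiz's JWTManager)."""
    header = {"typ": "JWT", "alg": "HS512"}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs512(token, secret, now):
    """Pin alg before trusting the signature, compare in constant time, then enforce exp."""
    info = decode_unverified(token)
    if info["header"].get("alg") != "HS512":
        raise ValueError("unexpected alg: %r" % info["header"].get("alg"))
    head, body, sig = token.split(".")
    expected = hmac.new(secret, (head + "." + body).encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature does not verify")
    if "exp" in info["claims"] and now >= int(info["claims"]["exp"]):
        raise ValueError("token expired")
    return info["claims"]
```

Running decode_unverified on the quoted token yields the jwtbuilder default claims (iss "Online JWT Builder", sub jrocket@example.com, exp 1579275348), so the token itself is well formed; whatever reached Jackson in the trace was not these segments.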
