This project illustrates how to use MicroProfile JSON Web Token (MP JWT) to secure REST APIs. It makes use of JWTenizr to generate tokens and is currently implemented on WildFly, Quarkus and Open Liberty. AFAIK, it can easily be extended to other MicroProfile runtimes such as Payara, TomEE and KumuluzEE.
A basic knowledge of MP JWT is needed and, if you don’t feel comfortable with that, I invite you to read MicroProfile JSON Web Token written by my friend Jean-Louis Monteiro from Tomitribe.
The project has been developed in the following context:
-
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.7+10)
-
MicroProfile 3.3
-
GraalVM 19.3.1 (for Quarkus Native)
-
Wildfly 20.0.0.Final
-
Quarkus 1.5.0.Final
-
OpenLiberty 20.0.0.7
-
JWTenizr 0.0.4-SNAPSHOT.
The project is made of 3 independent modules. Each one is dedicated to a runtime: Quarkus, WildFly, Liberty.
To keep it simple, there is deliberately nothing in common between these modules. This enables to adapt the code and the configuration with flexibility. Bear in mind that despite being based on a standard, there are some differences when it comes to concrete implementation! As we say, the evil in the details … However I’ve tried to make them as close as possible.
Each project is made of a JAX-RS resource class named GreetingResource that exposes a (very) simple REST API. It has 4 methods, all of them returning a String value:
-
hello: permitted to everybody
-
securedHello: restricted to users with the duke role
-
forbidden: restricted to users with the root role
-
getMyClaim: return the value of a custom claim.
The API is documented using OpenAPI and exposed with swagger-ui.
As can be seen in the code, MP JWT programming model is fairly easy. It is based on annotations (@DenyAll, @PermitAll, @RolesAllowed) and CDI to inject data coming from the token. It is worth mentioning that JAX-RS resource classes must be @RequestScoped (vs @ApplicationScoped).
There is also a test class named GreetingResourceTest acting as a REST client, based on RestAssured. It is run with Arquillian for Widlfly and Liberty. No need of Arquillian with Quarkus.
In a nutshell, MicroProfile JWT enables to secure REST APIs in a scalable and stateless way. The principle is to provide a token for each HTTP request. This token is self-contained: it contains authorization and authentication data as well as a signature to check its integrity and authenticity.
Reminder:
-
A token is signed by an issuer using its private key
-
The signature can be checked by third parties using the public key of the issuer.
A token is made of 3 parts:
<header>.<body>.<signature>
The body part is made of claims. A claim is a <key,value> pair. Some claims are standard; custom ones can be defined to transport additional data.
MP JWT introduces 2 specific claims:
-
upn (User Principal Name): uniquely identifies the subject or user principal of the token. On the server-side, this information can be retrieved as the name property of the Principal and the JsonWebToken
-
groups: the subject’s group memberships that will be mapped to roles on the server-side. Typically, secured methods in JAX-RS class ressources are annotated with @RolesAllowed.
JWTenizr is an open source library proposed by Adam Bien. It generates a JWT token and a MicroProfile configuration based on 2 input files:
-
A configuration file named jwtenizr-config.json which defines the key pair (public/private), the token issuer and the location to generate microprofile-config.properties
-
A template file named jwt-token.json which defines the content of the token body.
jwtenizr-config.json jwt-token.json | | –––––––––– –––––––––––– | | v v –––––––––––––––––– | JWTEnizr | –––––––––––––––––– | | ––––––– ––––––––––––– | | v v microprofile-config.properties token.jwt
In this video Securing JAX-RS Endpoint with JWT, Adam Bien demonstrates how to use it with Quarkus.
A token has a limited lifespan (15 minutes with JWTenizr). To avoid token expiration during tests, the token exp claim is checked from token.jwt, and if required JWTenizr is called at the beginning of JUnit tests to regenerate a new one.
To that end, JWTenizr is defined in pom.xml as a test dependency. Since it is not available on Maven Central, it must be installed in your local Maven repo:
-
Download JWTenizr from GitHub
-
Install it locally by running mvn install.
This is the main configuration file:
{
"mpConfigIssuer": "jefrajames",
"mpConfigurationFolder": "src/main/resources/META-INF",
"privateKey": "private key value here",
"publicKey": "public key value here"
}
Note: for Quarkus and Liberty, mpConfigurationFolder can’t be directly generated in src/main/resources/META-INF.
This template file defines the content of the body token in the form of claims:
{"iss":"jefrajames","jti":"42","sub":"jf","upn":"james","groups":["chief","hacker","duke"],"myclaim":"customValue"}
In this example, 4 of them are of specific relevance:
-
iss: which defines the issuer of the token, this value can optionally be controlled by the endpoint
-
upn: which defines the User Principal Name
-
groups: which defines the groups/roles the user belongs to
-
myclaim: is a custom claim.
To facilitate the use of curl, each project has a specific curl.sh script that uses the last generated token (from token.jwt) and targets the application specific URL.
When run without argument, curl.sh calls the default hello endpoint. Just add an argument to call other endpoints:
-
curl.sh secured
-
curl.sh forbidden
-
curl.sh myclaim.
Using MP JWT can impact performance in several ways:
-
It increases the size of HTTP requests. According to my tests, the size of a token is around 600 bytes
-
On the server-side, it requires JAX-RS ressource classes to be @RequestScoped (vs @ApplicationScoped): hence these classes are not reusable, a new instance is created per request which adds some overhead
-
The signature is checked for each request to validate the token.
In most cases, the performance degradation is acceptable, but should be kept in mind: don’t be surprised to measure a degradation!
A JWT token is Base64 encoded. Being Base64 encoded doesn’t mean that it is cyphered. A "man in the middle" attack enables to steel and reuse it. This risk can be mitigated in two ways:
-
By limiting the tokens lifespan: a tradeoff must be strike between performance and security. To make it simple: small values increase security (limiting the risk of inappropriate reuse) while high values increase performance (less token generation)
-
By using HTTPS as transport layer: in this way a ciphered communication channel is established between clients and servers preventing tokens to be stolen and reused.
Needless to say that in production, both are recommended.
MP JWT is based on RSA algorithms using public/private key pairs. Public key distribution and renewall must be taken into account using a PKI.
JWTenizr is a nice tool in devevelopment. Using an IAM such as Keycloak in production is a must.
Here are 2 articles explaining how to configure WildFly and OpenLiberty with Keycloack: