dhatim / dropwizard-jwt-cookie-authentication Goto Github PK

@rultor release, tag is 3.3.0

@rultor release, tag is 3.2.0

I am trying to use your library to generate a JWT for a mobile app.

The API endpoint is called /login which uses Basic Authentication (username / password) to then generate a token

@GET
@Path("/login")
@Produces(MediaType.APPLICATION_JSON)
public DefaultJwtCookiePrincipal setPrincipal(@Context ContainerRequestContext requestContext, @Auth final
    ShepherdUser user){
    DefaultJwtCookiePrincipal principal = new DefaultJwtCookiePrincipal(user.getName());
    principal.addInContext(requestContext);
    return principal;
}

When calling the endpoint I get a HTTP 401 with the message

Credentials are required to access this resource.

If I remove this line from the application bootstrap, the basic authentication works

bootstrap.addBundle(JwtCookieAuthBundle.getDefault());

However I get back an unencrypted DefaultJwtCookiePrincipal response

{"name":"admin","persistent":false,"roles":[],"claims":{"sub":"admin","pst":false,"rls":[]}}

This is in my basic authentication in the application run

    // app authentication
    environment.jersey().register(new AuthDynamicFeature(new BasicCredentialAuthFilter.Builder<ShepherdUser>()
            .setAuthenticator(new ShepherdAuthenticator())
            .setAuthorizer(new ShepherdAuthoriser())
            .setRealm(configuration.getName())
            .buildAuthFilter()));
    environment.jersey().register(RolesAllowedDynamicFeature.class);
    environment.jersey().register(new AuthValueFactoryProvider.Binder<>(ShepherdUser.class));

Finally my Principle

public class ShepherdUser implements Principal {

private String name;
private Set<String> roles;

public ShepherdUser(String name, Set<String> roles) {
    this.name = checkNotNull(name, "User name is required");
    this.roles = checkNotNull(roles, "Roles are required");
}

public String getName() {
    return this.name;
}

public Set<String> getRoles() {
    return roles;
}
}

It seems that Dropwizard is not using the correct authentication for my /login endpoint, how can I make this work.
I couldn't find any documentation on this.

I also posted on Stackoverflow for the benefit of anyone else

https://stackoverflow.com/questions/47080904/creating-json-web-tokens-through-basic-authentication-endpoint-dropwizard/47094105#47094105

Thanks

With a custom configuration, following the tutorial here on GitHub, if I add this line:

bootstrap.addBundle(JwtCookieAuthBundle.getDefault().withConfigurationSupplier(MyAppConfiguration::getJwtCookieAuth));

It says:

non-static method cannot be referenced from a static context

What is the correct way to apply custom configuration?

It would nice if we could change the default cookie name from the config. From what I can see, the cookie name "sessionToken" is currently hardcoded:

private static final String DEFAULT_COOKIE_NAME = "sessionToken";

@rultor release, tag is 3.3.0

I'd like to override the UnauthorizedHandler so I can redirect my browser to the login page if a request fails to authenticate.

I've created a branch[1] in my fork you can review and if you like I could submit a PR. Also open to any feedback or alternatives.

1: master...adamhoward:dropwizard-jwt-cookie-authentication:unauthorized_handler

I've set 1 minute time for volatile session in yml file, and its working.

jwtCookieAuth:
secretSeed: null
httpsOnlyCookie: false
sessionExpiryVolatile: PT1m
sessionExpiryPersistent: P2d

Is there a way for me to not set expiry to token.. i have a use case for file upload API which should consist md5 and user identifier in token without expiry.. so i can receive (only md5 matching file) file in future.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update dependency jakarta.annotation:jakarta.annotation-api to v3

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

@rultor release, tag is 2.0.2

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: packageRules[0]: Each packageRule must contain at least one match* or exclude* selector. Rule: {"automerge":true}

@rultor release, tag is 2.1.0

@rultor release, tag is 3.3.0

@rultor release, tag is 4.0.0

@rultor release, tag is 2.1.1

@rultor release, tag is 2.0.1

I've set 1 minute time for volatile session in yml file, but its not working.

jwtCookieAuth:
secretSeed: null
httpsOnlyCookie: false
sessionExpiryVolatile: PT1m
sessionExpiryPersistent: P2d

Please suggest me a way to achieve it or share some example.

@rultor release, tag is 2.0.0

@rultor release, tag is 3.1.0

It'd be good to have another field picked up from the config file to set the SameSite Attribute.
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute

@rultor release, tag is 3.4.0