Details
Description
I have problems using the Authorization: Bearer header value for requests towards OFBiz. OFBiz has problems parsing externally generated JSON Web Tokens.
I have generated them using both [1] and [2] using HS512 and the default secret.
The JWT check fails because of a parsing error:
2019-01-17 16:48:36,233 |jsse-nio-8443-exec-7 |JavaEventHandler |E| Problems Processing Event io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S" at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1] at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?] at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?] at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152] at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) [ofbiz.jar:?] at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) [ofbiz.jar:?] at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?] at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?] at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?] at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152] Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2] at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6] at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6] at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6] at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1] ... 42 more 2019-01-17 16:48:36,237 |jsse-nio-8443-exec-7 |RequestHandler |E| null org.apache.ofbiz.webapp.event.EventHandlerException: Problems processing event: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S" (Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S") at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:94) ~[ofbiz.jar:?] at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:774) ~[ofbiz.jar:?] at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:407) [ofbiz.jar:?] at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:208) [ofbiz.jar:?] at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?] at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.13.jar:9.0.13] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote-9.0.13.jar:9.0.13] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote-9.0.13.jar:9.0.13] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote-9.0.13.jar:9.0.13] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote-9.0.13.jar:9.0.13] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.13.jar:9.0.13] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_152] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_152] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.13.jar:9.0.13] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152] Caused by: io.jsonwebtoken.MalformedJwtException: Unable to read JSON value: �z��'G�#�$�uB"�&�r#�$�3S" at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:554) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1] at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?] at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?] at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152] at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?] ... 31 more Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 5)): only regular white space (\r, \n, \t) is allowed between tokens at [Source: (String)"�z��'G�#�$�uB"�&�r#�$�3S""; line: 1, column: 2] at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:669) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.core.base.ParserMinimalBase._throwInvalidSpace(ParserMinimalBase.java:620) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(ReaderBasedJsonParser.java:2350) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:646) ~[jackson-core-2.9.6.jar:2.9.6] at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:4141) ~[jackson-databind-2.9.6.jar:2.9.6] at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4000) ~[jackson-databind-2.9.6.jar:2.9.6] at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3004) ~[jackson-databind-2.9.6.jar:2.9.6] at io.jsonwebtoken.impl.DefaultJwtParser.readValue(DefaultJwtParser.java:552) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:252) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.9.1.jar:0.9.1] at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.9.1.jar:0.9.1] at org.apache.ofbiz.webapp.control.JWTManager.validateToken(JWTManager.java:124) ~[ofbiz.jar:?] at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.jwtValidation(ExternalLoginKeysManager.java:292) ~[ofbiz.jar:?] at org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.checkJWTLogin(ExternalLoginKeysManager.java:196) ~[ofbiz.jar:?] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152] at org.apache.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:86) ~[ofbiz.jar:?] ... 31 more
If I create a JWT in [2] and paste it in [1] with a not Base64 encoded secret, the JWT claims are displayed fine so I think they are correct and parsable.
You can test using
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NDc3MzkzNDgsImV4cCI6MTU3OTI3NTM0OCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.KTZOnBj_GlZw5btWc8_8xau3pqs685idQGta9WC3WEJzk4AEeOhjyDCbT6AbOsaLcu5uKDHDphdsq9Tiea_Hpg
Any ideas what could be wrong?
[1] https://jwt.io/
[2] http://jwtbuilder.jamiekurtz.com/
Attachments
Attachments
Issue Links
- is required by
-
OFBIZ-9833 Token Based Authentication
- Closed