
Commit 1586668

committed
Initial commit for continuing JWT auth proposal
1 parent 4836627 commit 1586668

12 files changed

+906
-1
lines changed

.gitignore

+6
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
# Intellij files
2+
.idea
3+
*.iml
4+
*.ipr
5+
*.iws
6+
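Review bot: the new .gitignore only covers IntelliJ metadata, while this same commit introduces a Maven multi-module build (pom.xml with api/tck/spec modules), so each module's `target/` output directory will show up as untracked after the first build; add a `target/` entry (and, if the team uses it, the Eclipse `.settings/`, `.project` and `.classpath` files) alongside the IntelliJ patterns. The trailing empty line 6 can also be dropped.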

LICENSE

-1
@@ -199,4 +199,3 @@
199199
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200200
See the License for the specific language governing permissions and
201201
limitations under the License.
202-
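Review bot: the only change to LICENSE is the removal of its trailing empty line 202, which is unrelated to the "continuing JWT auth proposal" purpose stated in the commit message; either leave the license file byte-identical to the canonical Apache 2.0 text or split whitespace-only cleanups into their own commit so that the license history stays easy to audit.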

README.adoc

+60
@@ -0,0 +1,60 @@
1+
//
2+
// Copyright (c) 2016-2017 Contributors to the Eclipse Foundation
3+
//
4+
// See the NOTICES file(s) distributed with this work for additional
5+
// information regarding copyright ownership.
6+
//
7+
// Licensed under the Apache License, Version 2.0 (the "License");
8+
// you may not use this file except in compliance with the License.
9+
// You may obtain a copy of the License at
10+
//
11+
// http://www.apache.org/licenses/LICENSE-2.0
12+
//
13+
// Unless required by applicable law or agreed to in writing, software
14+
// distributed under the License is distributed on an "AS IS" BASIS,
15+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+
// See the License for the specific language governing permissions and
17+
// limitations under the License.
18+
//
19+
20+
# JWT RBAC for MicroProfile
21+
22+
## Status
23+
24+
MicroProfile JWT RBAC proposal in progress
25+
http://[]
26+
## Introduction
27+
This specification outlines a proposal for using http://openid.net/connect/[OpenID Connect(OIDC)] based
28+
https://tools.ietf.org/html/rfc7519[JSON Web Tokens(JWT)] for role based access control(RBAC) of microservice endpoints.
29+
30+
31+
## Motivation
32+
MicroProfile 1.1 is a baseline platform definition that optimizes Enterprise Java for a microservices architecture and delivers application portability across multiple MicroProfile runtimes. While Java EE is a very feature rich platform and is like a toolbox that can be used to to address a wide variety of application architectures, MicroProfile focuses on defining a small and a minimum set of Java EE standards that can be used to deliver applications based on a microservice architecture, they are:
33+
34+
* JAX-RS
35+
* CDI
36+
* JSON-P
37+
38+
The security requirements that involve microservice architectures are strongly related with RESTful Security. In a RESTful
39+
architecture style, services are usually stateless and any security state associated with a client is sent to the target
40+
service on every request in order to allow services to re-create a security context for the caller and perform both
41+
authentication and authorization checks.
42+
43+
One of the main strategies to propagate the security state from clients to services or even from services to services involves
44+
the use of security tokens. In fact, the main security protocols in use today are based on security tokens such as OAuth2,
45+
OpenID Connect, SAML, WS-Trust, WS-Federation and others. While some of these standards are more related with identity
46+
federation, they share a common concept regarding security tokens and token based authentication.
47+
48+
For RESTful based microservices, security tokens offer a very lightweight and interoperable way to propagate identities across
49+
different services, where:
50+
51+
* Services don’t need to store any state about clients or users
52+
* Services can verify the token validity if token follows a well known format. Otherwise, services may invoke a separated service.
53+
* Services can identify the caller by introspecting the token. If the token follows a well known format, services are capable to introspect the token by
54+
themselves, locally. Otherwise, services may invoke a separated service.
55+
* Services can enforce authorization policies based on
56+
any information within a security token
57+
* Support for both delegation and impersonation of identities
58+
59+
Today, the most common solutions involving RESTful and microservices security are based on OAuth2, OpenID Connect and
60+
JSON Web Token (JWT) standards.
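Review bot: line 25 of README.adoc ships an unfilled placeholder link, `http://[]`, directly under the Status heading; replace it with the proposal's actual URL or remove the line until one exists. Two smaller points in the same hunk: line 32 has a doubled "to to" and ends with "they are:" spliced onto a long sentence, which reads better as "MicroProfile focuses on a small, minimal set of Java EE standards for microservice architectures:" followed by the list; and since this is an .adoc file, the `#`/`##` headings on lines 20, 22, 26 and 31 should use AsciiDoc's `=`/`==` heading syntax for consistency with the `http://...[text]` link macros already used on lines 27 and 28. On line 52, "Services can verify the token validity if token follows a well known format" would be more precise for the JWT case the document is about if it named what validity means here (signature verification against the issuer's key plus the standard expiry, issuer and audience checks), since a locally parseable token is not a trustworthy one until those checks pass.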

api/pom.xml

+81
@@ -0,0 +1,81 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!--
3+
Licensed under the Apache License, Version 2.0 (the
4+
"License"); you may not use this file except in compliance
5+
with the License. You may obtain a copy of the License at
6+
7+
http://www.apache.org/licenses/LICENSE-2.0
8+
9+
Unless required by applicable law or agreed to in writing,
10+
software distributed under the License is distributed on an
11+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
12+
KIND, either express or implied. See the License for the
13+
specific language governing permissions and limitations
14+
under the License.
15+
-->
16+
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
17+
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
18+
<modelVersion>4.0.0</modelVersion>
19+
20+
<parent>
21+
<!-- This is just for now and will not work if the API has a separate release cycle than the rest. -->
22+
<groupId>org.eclipse.microprofile.jwt</groupId>
23+
<artifactId>microprofile.jwt-auth.parent</artifactId>
24+
<version>1.0-SNAPSHOT</version>
25+
</parent>
26+
27+
<groupId>org.eclipse.microprofile.apis</groupId>
28+
<artifactId>microprofile-jwt-auth_1.0_api</artifactId>
29+
<version>1.0-SNAPSHOT</version>
30+
<name>MicroProfile JWT Auth API</name>
31+
32+
<dependencies>
33+
<dependency>
34+
<groupId>javax.enterprise</groupId>
35+
<artifactId>cdi-api</artifactId>
36+
<scope>provided</scope>
37+
</dependency>
38+
</dependencies>
39+
40+
<build>
41+
<plugins>
42+
<plugin>
43+
<groupId>org.apache.maven.plugins</groupId>
44+
<artifactId>maven-javadoc-plugin</artifactId>
45+
<version>2.10.3</version>
46+
<executions>
47+
<execution>
48+
<id>attach-javadocs</id>
49+
<goals>
50+
<goal>jar</goal>
51+
</goals>
52+
</execution>
53+
</executions>
54+
</plugin>
55+
<plugin>
56+
<groupId>biz.aQute.bnd</groupId>
57+
<artifactId>bnd-maven-plugin</artifactId>
58+
<version>2.4.1</version>
59+
60+
<executions>
61+
<execution>
62+
<goals>
63+
<goal>bnd-process</goal>
64+
</goals>
65+
</execution>
66+
</executions>
67+
</plugin>
68+
<plugin>
69+
<groupId>org.apache.maven.plugins</groupId>
70+
<artifactId>maven-jar-plugin</artifactId>
71+
<configuration>
72+
<Bundle-SymbolicName>org.eclipse.microprofile.config</Bundle-SymbolicName>
73+
<Bundle-Name>MicroProfile config bundle</Bundle-Name>
74+
<archive>
75+
<manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
76+
</archive>
77+
</configuration>
78+
</plugin>
79+
</plugins>
80+
</build>
81+
</project>
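Review bot: lines 72 and 73 carry OSGi metadata copied from the MicroProfile Config project (`<Bundle-SymbolicName>org.eclipse.microprofile.config</Bundle-SymbolicName>` and `<Bundle-Name>MicroProfile config bundle</Bundle-Name>`), so the JWT auth API jar would be described as the config bundle; these need jwt-auth values. They are also placed directly under maven-jar-plugin's `<configuration>`, where the plugin does not recognise them, while the bnd-maven-plugin execution on lines 55 to 67 generates the manifest from a `bnd.bnd` file (the parent pom's rat excludes already anticipate one), so the bundle name and symbolic name belong in that file rather than here. Separately, the module's groupId `org.eclipse.microprofile.apis` (line 27) differs from the parent's `org.eclipse.microprofile.jwt`; pick one so the artifact coordinates are predictable for consumers.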

pom.xml

+204
@@ -0,0 +1,204 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!--
3+
Licensed under the Apache License, Version 2.0 (the
4+
"License"); you may not use this file except in compliance
5+
with the License. You may obtain a copy of the License at
6+
7+
http://www.apache.org/licenses/LICENSE-2.0
8+
9+
Unless required by applicable law or agreed to in writing,
10+
software distributed under the License is distributed on an
11+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
12+
KIND, either express or implied. See the License for the
13+
specific language governing permissions and limitations
14+
under the License.
15+
-->
16+
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
17+
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
18+
<modelVersion>4.0.0</modelVersion>
19+
20+
<groupId>org.eclipse.microprofile.jwt</groupId>
21+
<artifactId>microprofile.jwt-auth.parent</artifactId>
22+
<version>1.0-SNAPSHOT</version>
23+
<name>MicroProfile JWT Auth Parent</name>
24+
<packaging>pom</packaging>
25+
26+
<url>http://microprofile.io</url>
27+
28+
<properties>
29+
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
30+
<maven.compiler.source>1.8</maven.compiler.source>
31+
<maven.compiler.target>1.8</maven.compiler.target>
32+
33+
<checkstyle.version>2.17</checkstyle.version>
34+
<checkstyle.methodNameFormat>^_?[a-z][a-zA-Z0-9]*$</checkstyle.methodNameFormat>
35+
</properties>
36+
37+
<licenses>
38+
<license>
39+
<name>Apache License, Version 2.0</name>
40+
<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
41+
<distribution>repo</distribution>
42+
<comments>A business-friendly OSS license</comments>
43+
</license>
44+
</licenses>
45+
46+
47+
<modules>
48+
<module>api</module>
49+
<module>tck</module>
50+
<module>spec</module>
51+
</modules>
52+
53+
<dependencyManagement>
54+
<dependencies>
55+
<dependency>
56+
<groupId>javax.enterprise</groupId>
57+
<artifactId>cdi-api</artifactId>
58+
<version>1.2</version>
59+
</dependency>
60+
<dependency>
61+
<groupId>org.jboss.arquillian</groupId>
62+
<artifactId>arquillian-bom</artifactId>
63+
<version>1.1.12.Final</version>
64+
<scope>import</scope>
65+
<type>pom</type>
66+
</dependency>
67+
</dependencies>
68+
</dependencyManagement>
69+
70+
<build>
71+
<pluginManagement>
72+
<plugins>
73+
<plugin>
74+
<groupId>org.apache.maven.plugins</groupId>
75+
<artifactId>maven-checkstyle-plugin</artifactId>
76+
<version>${checkstyle.version}</version>
77+
</plugin>
78+
<plugin>
79+
<groupId>org.apache.maven.plugins</groupId>
80+
<artifactId>maven-jar-plugin</artifactId>
81+
<version>3.0.2</version>
82+
</plugin>
83+
</plugins>
84+
</pluginManagement>
85+
<plugins>
86+
<plugin>
87+
<groupId>org.apache.maven.plugins</groupId>
88+
<artifactId>maven-checkstyle-plugin</artifactId>
89+
<executions>
90+
<execution>
91+
<id>verify-style</id>
92+
<phase>process-classes</phase>
93+
<goals>
94+
<goal>check</goal>
95+
</goals>
96+
</execution>
97+
</executions>
98+
<configuration>
99+
<encoding>UTF-8</encoding>
100+
<consoleOutput>true</consoleOutput>
101+
<failOnViolation>true</failOnViolation>
102+
<includeTestSourceDirectory>true</includeTestSourceDirectory>
103+
<failsOnError>true</failsOnError>
104+
<linkXRef>true</linkXRef>
105+
<logViolationsToConsole>true</logViolationsToConsole>
106+
<checkstyleRules>
107+
<module name="Checker">
108+
<module name="SuppressionCommentFilter" />
109+
<module name="FileLength">
110+
<property name="max" value="3500" />
111+
<property name="fileExtensions" value="java" />
112+
</module>
113+
<module name="FileTabCharacter" />
114+
<module name="TreeWalker">
115+
<module name="FileContentsHolder" />
116+
<module name="ConstantName">
117+
<property name="format" value="^(([A-Z][A-Z0-9]*(_[A-Z0-9]+)*))$" />
118+
</module>
119+
<module name="LocalVariableName" />
120+
<module name="MethodName">
121+
<property name="format" value="${checkstyle.methodNameFormat}" />
122+
</module>
123+
<module name="PackageName" />
124+
<module name="LocalFinalVariableName" />
125+
<module name="ParameterName" />
126+
<module name="StaticVariableName" />
127+
128+
<module name="TypeName">
129+
<property name="format" value="^_?[A-Z][a-zA-Z0-9]*$|packageinfo" />
130+
</module>
131+
<module name="AvoidStarImport">
132+
<property name="excludes" value="java.io,java.net,java.util,javax.enterprise.inject.spi,javax.enterprise.context" />
133+
</module>
134+
<module name="IllegalImport" />
135+
<module name="RedundantImport" />
136+
<module name="UnusedImports" />
137+
<module name="LineLength">
138+
<property name="max" value="150" />
139+
<property name="ignorePattern" value="@version|@see" />
140+
</module>
141+
<module name="MethodLength">
142+
<property name="max" value="250" />
143+
</module>
144+
<module name="ParameterNumber">
145+
<property name="max" value="11" />
146+
</module>
147+
<module name="EmptyBlock">
148+
<property name="option" value="text" />
149+
</module>
150+
<module name="NeedBraces" />
151+
<module name="LeftCurly">
152+
<property name="option" value="EOL" />
153+
</module>
154+
<module name="RightCurly">
155+
<property name="option" value="ALONE" />
156+
</module>
157+
<module name="EmptyStatement" />
158+
<module name="EqualsHashCode" />
159+
<module name="DefaultComesLast" />
160+
<module name="MissingSwitchDefault" />
161+
<module name="FallThrough" />
162+
<module name="MultipleVariableDeclarations" />
163+
<module name="com.puppycrawl.tools.checkstyle.checks.design.DesignForExtensionCheck">
164+
<property name="severity" value="ignore" />
165+
</module>
166+
<module name="HideUtilityClassConstructor" />
167+
<module name="com.puppycrawl.tools.checkstyle.checks.design.VisibilityModifierCheck">
168+
<property name="packageAllowed" value="false" />
169+
<property name="protectedAllowed" value="true" />
170+
<property name="publicMemberPattern" value="^serialVersionUID" />
171+
<property name="severity" value="warning" />
172+
</module>
173+
<module name="UpperEll" />
174+
</module>
175+
</module>
176+
</checkstyleRules>
177+
</configuration>
178+
</plugin>
179+
180+
<plugin>
181+
<groupId>org.apache.rat</groupId>
182+
<artifactId>apache-rat-plugin</artifactId>
183+
<version>0.12</version>
184+
<executions>
185+
<execution>
186+
<id>rat-check</id>
187+
<goals><goal>check</goal></goals>
188+
</execution>
189+
</executions>
190+
<configuration>
191+
<excludes>
192+
<exclude>.travis.yml.*</exclude>
193+
<exclude>bnd.bnd</exclude>
194+
<exclude>*.log</exclude>
195+
<exclude>.checkstyle</exclude>
196+
<exclude>.factorypath</exclude>
197+
<exclude>.editorconfig</exclude>
198+
</excludes>
199+
</configuration>
200+
</plugin>
201+
202+
</plugins>
203+
</build>
204+
</project>
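Review bot: the `<pluginManagement>` block on lines 71 to 84 pins only maven-checkstyle-plugin and maven-jar-plugin, while api/pom.xml pins maven-javadoc-plugin 2.10.3 and bnd-maven-plugin 2.4.1 on its own and maven-compiler-plugin is not pinned anywhere, so the tck and spec modules listed on lines 48 to 50 may resolve different plugin versions than api; move all plugin versions into the parent's pluginManagement so every module builds with the same, reproducible toolchain. Two further points: the apache-rat `<excludes>` on lines 191 to 198 do not cover the `.idea`, `*.iml`, `*.ipr` and `*.iws` files that the new .gitignore introduces, so a developer with a checked-out IDE project will fail `rat:check` locally; and for a parent pom that is meant to be released, `<scm>`, `<developers>` and `<distributionManagement>` metadata are still missing.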
