Open
Description
GlassFish Version (and build number)
8
JDK version
21
OS
N/A
Database
No response
Problem Description
The MicroProfile JWT mechanism in GlassFish is implemented via a Jakarta Security auth mechanism, JWTAuthenticationMechanism.
This issue is to request support for injecting this mechanism. I suggest 2 options; I think both could be supported:
- Using the @Named qualifier, so that the mechanism can be injected via the standard API, although it's not type safe:
  ```java
  @Inject @Named("jwtAuthenticationMechanism")
  HttpAuthenticationMechanism jwtAuth;
  ```
- Using a new qualifier and annotation literal, exposed via a custom API:
  ```java
  @Inject @JwtAuthenticationMechanism
  HttpAuthenticationMechanism jwtAuth;
  ```
GlassFish 8 and Jakarta EE 11 come with a new feature - HttpAuthenticationMechanismHandler. This allows delegating to available mechanisms using custom rules. If it's possible to inject the built-in JWTAuthenticationMechanism, it would be possible to create a handler that uses JWT authentication for REST endpoints, and another authentication, e.g. form-based or OIDC, for web pages.
Steps to reproduce
It could be possible to implement a custom handler that decides whether to use form or JWT auth:
```java
@ApplicationScoped
class CustomAuthenticationMechanismHandler implements HttpAuthenticationMechanismHandler {

    @Inject @FormAuthenticationMechanism
    HttpAuthenticationMechanism formAuth;

    // @JwtAuthenticationMechanism is the qualifier proposed in this issue
    @Inject @JwtAuthenticationMechanism
    HttpAuthenticationMechanism jwtAuth;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) throws AuthenticationException {
        // isRestRequest(...) is an application-supplied helper, not shown here
        if (isRestRequest(request)) {
            return jwtAuth.validateRequest(request, response, context);
        } else {
            return formAuth.validateRequest(request, response, context);
        }
    }
}
```
Impact of Issue
No response
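
An added example, not part of the original issue or of GlassFish: one possible implementation of the isRestRequest helper that the handler sketch above calls but does not define. It assumes the REST endpoints are mapped under /api; RestRequestMatcher and REST_PREFIX are hypothetical names.

```java
import jakarta.servlet.http.HttpServletRequest;

/** Illustration only: decides which requests the handler routes to JWT authentication. */
final class RestRequestMatcher {

    // Assumption: the REST application is mapped under /api, e.g. @ApplicationPath("/api").
    private static final String REST_PREFIX = "/api";

    private RestRequestMatcher() {
    }

    static boolean isRestRequest(HttpServletRequest request) {
        // Classify on the path the container resolved for dispatching.
        // Headers such as Accept or Content-Type are chosen by the client,
        // so using them would let the caller pick the authentication mechanism.
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        String path = (servletPath == null ? "" : servletPath)
                + (pathInfo == null ? "" : pathInfo);

        // Match on a path-segment boundary so that /apidocs or /api-old
        // is not treated as part of the REST application.
        return path.equals(REST_PREFIX) || path.startsWith(REST_PREFIX + "/");
    }
}
```

Every request that does not match falls through to the form mechanism in the handler, so the prefix must cover all REST endpoints that expect a bearer token.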