I'm trying to set up a JAX-RS service in Thorntail with JWT authentication. Everything works fine (I can inject Principal and the user is correctly set), except that in case of a failed authentication, the answer is still sent without any 401 HTTP status. What I've done is:
- Added `@LoginConfig(authMethod = "MP-JWT", realmName = "my-domain")` to my Application class
- Configured the security domain:

```yaml
security:
  security-domains:
    my-domain:
      jaspi-authentication:
        login-module-stacks:
          roles-token-stack:
            login-modules:
              jwt-jaspi-login-module:
                code: org.wildfly.swarm.microprofile.jwtauth.deployment.auth.jaas.JWTLoginModule
                flag: required
        auth-modules:
          http:
            code: org.wildfly.extension.undertow.security.jaspi.modules.HTTPSchemeServerAuthModule
            module: org.wildfly.extension.undertow
            flag: required
            login-module-stack-ref: roles-token-stack
```

- Configured JWT-specific things (they seem to work, so I'm skipping this here)
What else do I need to do in order for this to work properly? Do I need to add any annotations to my Endpoint? As I said, I want to return a 401 in case of a failed authentication.
What I've found out so far: `JASPICAuthenticationMechanism.isMandatory` needs to return true in order for this to work. If this is the case, `JWTAuthMechanism.sendChallenge` is triggered after a failure of `JWTAuthMechanism.authenticate`, and so a 401 is sent to the client. But I have no idea in which cases `isMandatory` returns true.
Thanks for any help in this case!
Solution (thanks to Ladicek, see comments below):
If you want to use MP JWT, don't start it with Swarm, and don't forget to set the flag `useUberJar` if starting it with `thorntail:run`.
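For readers who land here with the same question about endpoint annotations: the following is an added example, not code from the question or from the Thorntail project. It shows the shape of a JAX-RS deployment that the MicroProfile JWT specification expects to be protected: the `@LoginConfig` from the question on the Application class, and `@RolesAllowed` on the resource method. Per the MP-JWT spec, a method annotated with `@RolesAllowed` requires an authenticated JWT, so a request without a valid token is rejected with a 401 instead of being served. The path, role name and claim usage are constructed for the illustration; the `security-domain` name matches the question's configuration.

```java
// Added example (not from the original question or project). Assumes Thorntail
// with the microprofile-jwt fraction and the "my-domain" security domain
// configured as in the question above.
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.MediaType;

import org.eclipse.microprofile.auth.LoginConfig;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Application class: declares that this deployment uses MP-JWT authentication
// against the "my-domain" security domain (same annotation as in the question).
@ApplicationPath("/api")
@LoginConfig(authMethod = "MP-JWT", realmName = "my-domain")
public class MyApplication extends Application {
}

// Resource class. The path and role name below are constructed for this example.
@Path("/orders")
public class OrdersResource {

    // The caller's verified token; the container injects it only after the
    // Bearer token has been validated (signature, expiry, issuer).
    @Inject
    private JsonWebToken jwt;

    // @RolesAllowed marks the method as protected. Under MP-JWT a request with
    // no valid token is answered with 401 here rather than reaching the method,
    // and a valid token without the "orders-reader" group gets 403.
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("orders-reader")
    public String listOrders() {
        // "sub" is a standard JWT claim; "upn" is the MP-JWT user principal name.
        return "orders for " + jwt.getName() + " (sub=" + jwt.getSubject() + ")";
    }
}
```

Leaving a resource method without `@RolesAllowed` (or `@DenyAll`) means the container treats it as unprotected, which matches the symptom in the question: the token is still parsed when present, so `Principal` injection works, but a missing or invalid token does not produce a challenge. Checking that every endpoint that should require a token carries a role constraint is the quickest way to catch accidentally public routes.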