Merge pull request #89 from prime-framework/degroff/always_bind_jwtAuthorizeMethods5x

degroff/always bind JWT authorize methods5x

Author: robotdan

build.savant

@@ -29,7 +29,7 @@ logbackVersion = "1.5.13"
 slf4jVersion = "2.0.13"
 testngVersion = "7.8.0"
 
-project(group: "org.primeframework", name: "prime-mvc", version: "5.2.0", licenses: ["ApacheV2_0"]) {
+project(group: "org.primeframework", name: "prime-mvc", version: "5.3.0", licenses: ["ApacheV2_0"]) {
   workflow {
     fetch {
       // Dependency resolution order:

pom.xml

@@ -5,7 +5,7 @@
 
   <groupId>org.primeframework</groupId>
   <artifactId>prime-mvc</artifactId>
-  <version>5.2.0</version>
+  <version>5.3.0</version>
   <packaging>jar</packaging>
 
   <name>FusionAuth App</name>

src/main/java/org/primeframework/mvc/action/config/DefaultActionConfigurationBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2024, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2012-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -412,8 +412,15 @@ protected Map<HTTPMethod, ExecuteMethodConfiguration> findExecuteMethods(Class<?
   protected Map<HTTPMethod, List<JWTMethodConfiguration>> findJwtAuthorizationMethods(Class<?> actionClass,
                                                                                       List<String> securitySchemes,
                                                                                       Map<HTTPMethod, ExecuteMethodConfiguration> executeMethods) {
-    // When JWT scheme is not enabled, we will not call any of the JWT Authorization Methods.
-    if (!securitySchemes.contains("jwt")) {
+    // When a JWT scheme is not enabled, we will not call any of the JWT Authorization Methods.
+    // - Note that anyone can bind a jwt security scheme, and they may wish to use these authorization methods.
+    //   So as long as the scheme contains "jwt", bind them. For example, you may wish to bind `jwt-1` and `jwt-2` with
+    //   different constraint validations.
+    // - In theory we could just always bind them, however we do validate that the action is properly configured to
+    //   have a method to cover the expected HTTP verbs, etc. Ideally we would keep this logic to keep the user from
+    //   not using these methods correctly. But if we wanted to tell the user it's their problem, we could remove
+    //   some of that validation and just always bind them.
+    if (securitySchemes.stream().noneMatch(s -> s.contains("jwt"))) {
       return Collections.emptyMap();
     }
 
@@ -454,15 +461,17 @@ protected Map<HTTPMethod, List<JWTMethodConfiguration>> findJwtAuthorizationMeth
 
     if (!jwtMethods.keySet().containsAll(authenticatedMethods)) {
       throw new PrimeException("The action class [" + actionClass + "] is missing at a JWT Authorization method. " +
-                               "The class must define one or more methods annotated " + JWTAuthorizeMethod.class.getSimpleName() + " when [jwtEnabled] is set to [true]. "
-                               + "Ensure that for each execute method in your action such as post, put, get and delete that a method is configured to authorize the JWT.");
+                               "The class must define one or more methods annotated " + JWTAuthorizeMethod.class.getSimpleName() + " when [jwtEnabled] " +
+                               "is set to [true], which is deprecated, or you are using a jwt based security scheme. Your action has " +
+                               "defined the following security schemes [" + String.join(", ", securitySchemes) + "].Ensure that for each execute " +
+                               "method in your action such as post, put, get and delete that a method is configured to authorize the JWT.");
     }
 
     return jwtMethods;
   }
 
   /**
-   * Finds all of the result configurations for the action class.
+   * Finds all the result configurations for the action class.
    *
    * @param actionClass The action class.
    * @return The map of all the result configurations.

src/test/java/org/example/action/JwtAuthorizedAction.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2016-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@
 /**
  * @author Daniel DeGroff
  */
-@Action(requiresAuthentication = true, jwtEnabled = true)
+@Action(requiresAuthentication = true, scheme = "jwt")
 @Status.List({
     @Status(),
     @Status(code = "unauthenticated", status = 401),

src/test/java/org/example/action/JwtAuthorizedDeprecatedAction.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2025, Inversoft Inc., All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
+ */
+package org.example.action;
+
+import io.fusionauth.http.HTTPValues.Methods;
+import io.fusionauth.jwt.domain.JWT;
+import org.primeframework.mvc.action.annotation.Action;
+import org.primeframework.mvc.action.result.annotation.Status;
+import org.primeframework.mvc.security.annotation.JWTAuthorizeMethod;
+
+/**
+ * @author Daniel DeGroff
+ */
+@Action(requiresAuthentication = true, jwtEnabled = true)
+@Status.List({
+    @Status(),
+    @Status(code = "unauthenticated", status = 401),
+    @Status(code = "unauthorized", status = 401)
+})
+// Use the deprecated jwtEnabled instead of scheme = jwt
+public class JwtAuthorizedDeprecatedAction {
+  @JWTAuthorizeMethod(httpMethods = {Methods.GET})
+  public boolean authorize(JWT jwt) {
+    return true;
+  }
+
+  public String get() {
+    return "success";
+  }
+}

src/test/java/org/example/action/JwtAuthorizedDisabledAction.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2016-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,19 +23,16 @@
 /**
  * @author Daniel DeGroff
  */
-@Action(requiresAuthentication = true, jwtEnabled = false)
+@Action(requiresAuthentication = true, scheme = "jwt")
 @Status.List({
     @Status(code = "success", status = 200),
     @Status(code = "unauthenticated", status = 401),
     @Status(code = "unauthorized", status = 401)
 })
 public class JwtAuthorizedDisabledAction {
-
-  public boolean authorized;
-
   @JWTAuthorizeMethod
   public boolean authorize(JWT jwt) {
-    return authorized;
+    return false;
   }
 
   public String get() {

src/test/java/org/example/action/JwtAuthorizedOtherAction.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2025, Inversoft Inc., All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
+ */
+package org.example.action;
+
+import io.fusionauth.http.HTTPValues.Methods;
+import io.fusionauth.jwt.domain.JWT;
+import org.primeframework.mvc.action.annotation.Action;
+import org.primeframework.mvc.action.result.annotation.Status;
+import org.primeframework.mvc.security.annotation.JWTAuthorizeMethod;
+
+/**
+ * @author Daniel DeGroff
+ */
+@Action(requiresAuthentication = true, scheme = "jwt-other")
+@Status.List({
+    @Status(),
+    @Status(code = "unauthenticated", status = 401),
+    @Status(code = "unauthorized", status = 401)
+})
+// Use a jwt scheme with a suffix, as long as the scheme name contains jwt it will work.
+public class JwtAuthorizedOtherAction {
+  @JWTAuthorizeMethod(httpMethods = {Methods.GET})
+  public boolean authorize(JWT jwt) {
+    return true;
+  }
+
+  public String get() {
+    return "success";
+  }
+}

src/test/java/org/primeframework/mvc/GlobalTest.java

@@ -808,14 +808,12 @@ public void get_jwtAuthorized() throws Exception {
   public void get_jwtDisabledJwtAuthentication() throws Exception {
     // Send in a JWT Authorization header when the Action has JWT disabled. Should always get a 401. When a JWT is provided, the action expects JWT to be enabled.
     test.simulate(() -> simulator.test("/jwt-authorized-disabled")
-                                 .withURLParameter("authorized", true)
                                  .withHeader("Authorization", "JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkifQ.qHdut1UR4-2FSAvh7U3YdeRR5r5boVqjIGQ16Ztp894")
                                  .get()
                                  .assertStatusCode(401));
 
     // Same, use Bearer scheme
     test.simulate(() -> simulator.test("/jwt-authorized-disabled")
-                                 .withURLParameter("authorized", true)
                                  .withHeader("Authorization", "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkifQ.qHdut1UR4-2FSAvh7U3YdeRR5r5boVqjIGQ16Ztp894")
                                  .get()
                                  .assertStatusCode(401));
@@ -866,6 +864,26 @@ public void get_jwtNotBefore() throws Exception {
                                  .assertStatusCode(401));
   }
 
+  @Test
+  public void get_jwt_jwtEnabled_deprecated() throws Exception {
+    // Test an action using the deprecated jwtEnabled instead of the jwt scheme
+    test.simulate(() -> simulator.test("/jwt-authorized-deprecated")
+                                 .withHeader("Authorization", "JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkifQ.qHdut1UR4-2FSAvh7U3YdeRR5r5boVqjIGQ16Ztp894")
+                                 .get()
+                                 .assertHeaderContains("Cache-Control", "no-cache")
+                                 .assertStatusCode(200));
+  }
+
+  @Test
+  public void get_jwt_other_scheme() throws Exception {
+    // Test an action with a jwt based scheme, but not named 'jwt'
+    test.simulate(() -> simulator.test("/jwt-authorized-other")
+                                 .withHeader("Authorization", "JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkifQ.qHdut1UR4-2FSAvh7U3YdeRR5r5boVqjIGQ16Ztp894")
+                                 .get()
+                                 .assertHeaderContains("Cache-Control", "no-cache")
+                                 .assertStatusCode(200));
+  }
+
   @Test
   public void get_largeFTL() {
     simulator.test("/large-ftl")

src/test/java/org/primeframework/mvc/PrimeBaseTest.java

@@ -78,6 +78,7 @@
 import org.primeframework.mvc.security.CBCCipherProvider;
 import org.primeframework.mvc.security.CipherProvider;
 import org.primeframework.mvc.security.GCMCipherProvider;
+import org.primeframework.mvc.security.JWTSecurityScheme;
 import org.primeframework.mvc.security.MockOAuthUserLoginSecurityContext;
 import org.primeframework.mvc.security.MockStaticClasspathResourceFilter;
 import org.primeframework.mvc.security.MockStaticResourceFilter;
@@ -87,6 +88,7 @@
 import org.primeframework.mvc.security.UserLoginSecurityContext;
 import org.primeframework.mvc.security.VerifierProvider;
 import org.primeframework.mvc.security.csrf.CSRFProvider;
+import org.primeframework.mvc.security.guice.SecuritySchemeFactory;
 import org.primeframework.mvc.test.RequestBuilder.HTTPRequestConsumer;
 import org.primeframework.mvc.test.RequestSimulator;
 import org.primeframework.mvc.util.ThrowingRunnable;
@@ -239,6 +241,7 @@ protected void configure() {
         bind(MessageObserver.class).toInstance(messageObserver);
         bind(MetricRegistry.class).toInstance(metricRegistry);
         bind(UserLoginSecurityContext.class).to(MockUserLoginSecurityContext.class);
+        SecuritySchemeFactory.addSecurityScheme(binder(), "jwt-other", JWTSecurityScheme.class);
 
         // Test Content-Type
         ContentHandlerFactory.addContentHandler(binder(), "application/test+json", JacksonContentHandler.class);