Securing Liberty microprofile metrics endpoint in a MpJwt environment

Question

I am following the OpenLiberty guides for microprofile and trying to build an example application that highlights all the microprofile features as a proof of concept for an eventual implementation.

I am working with Liberty v2018.0.0.1 and have added the mpMetrics-1.1 feature. Liberty exposes a metrics endpoint /metrics but this requires authentication. All the examples I have found use the configuration to provide user credentials.

My application uses the mpJwt-1.0 feature for authorisation of a JAX-RS resource. When I added the tag to server.xml the user is no longer authorised (status code 401). If I send a JWT I get a 403.

My questions: - If I wish to access the /metrics endpoint with a JWT which role should be configured in the JWT? - Can I use two different authentication methods in the same server.xml - i.e. basic authentication with a basic registry for the metrics and JWT for my application endpoints?

An abbreviated server.xml:

<feature>mpMetrics-1.1</feature>
<feature>mpJwt-1.0</feature>

<mpJwt id="jwtConsumer"...

<quickStartSecurity userName="tech" userPassword="techpwd" />

<keyStore id="defaultKeyStore"...

Answer 1

This is a known issue, https://github.com/OpenLiberty/open-liberty/issues/2793. Here is the workaround: 1. create a user registry that contains the user with user name to be the same as upn claim in JWT, and you can use any dummy password. 2. set mapToUserRegistry to "true" in mpjwt configuration element.