Alberto Miola

Reputation: 4751

Vert.x JWT auth gives Forbidden access

SCENARIO

I am calling this method inside the start() of my http server verticle:

private void setupAuth(Router router) {
  // Secure access key
  var config = new JWTAuthOptions()
    .setKeyStore(new KeyStoreOptions()
      .setType("jceks")
      .setPath("C:\\Users\\3587741\\Desktop\\Projects\\P_Gatlin\\jwt\\keystore.jceks")
      .setPassword("secret")
    );

  // Setup the secure route
  authProvider = JWTAuth.create(vertx, config);
  router.route().handler(BodyHandler.create());
  router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)).setAuthProvider(authProvider));

  // Redirect to a login page if the user is NOT logged in
  var redirectAuthHandler = RedirectAuthHandler.create(authProvider, RouteNames.LOGIN_ADMIN, "/");

  // Secure every page that starts with "/admin/..."
  router.route("/admin/*").handler(redirectAuthHandler);
  router.post(RouteNames.LOGIN_CHECKER).handler(FormLoginHandler.create(authProvider));
}

I need the /admin/* path to be secure. The above implementation has been almost entirely copy-pasted from the official documentation. I have used this line to generate the key:

keytool -genkeypair -keystore keystore.jceks -storetype jceks -storepass secret -keyalg EC -keysize 256 -alias ES512 -keypass secret -sigalg SHA512withECDSA -dname "CN=,OU=,O=,L=,ST=,C=" -validity 360

From the above, the password is secret and the alias is es512. This is the content of the login page:

  <form action="/login-auth" method="POST">
    <div class="credential">
      <input type="text" name="username" placeholder="Username" />
      <input type="password" name="password" placeholder="Password" />

      <input type="submit" value="OK" />
    </div>
  </form>

where /login-auth is the value of RouteNames.LOGIN_CHECKER inside router.post(RouteNames.LOGIN_CHECKER).handler(FormLoginHandler.create(authProvider));


In my webpage I try to access http://localhost/admin/test and I am correctly redirected to /login page:

Why do I get this message

Forbidden

when I try to access? The alias and the password are correct; I have also tested them with keytool and they match (I have used them in the command to generate the jceks). What is wrong?

Am I failing to use the JWT auth in some way?

Upvotes: 1

Views: 209

Answers (1)

Paulo Lopes

Reputation: 5801

You're mixing 2 incompatible things here.

  • The FormAuthHandler's function is to redirect your browser to an HTML page where the end user is asked for login/password. This is what you're observing.
  • The JWTHandler's function is to validate JWT tokens.

So when your browser submits the form to the server, it sends a form (with username/password), not a JWT token. Since the token is missing you will get a forbidden error code.

Upvotes: 2
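A consistent setup for the question's routes, as an added example that is not part of the answer or of the Vert.x documentation: the login route checks the posted form and issues a JWT, and JWTAuthHandler (not RedirectAuthHandler) guards /admin/*. It assumes Vert.x 3.9 package names, the question's jceks keystore at a relative path, and a constructed in-memory user table.

```java
import io.vertx.core.AbstractVerticle;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.KeyStoreOptions;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTAuthOptions;
import io.vertx.ext.jwt.JWTOptions;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.BodyHandler;
import io.vertx.ext.web.handler.JWTAuthHandler;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
public class JwtAdminVerticle extends AbstractVerticle {
  // Constructed demo credential store; a real deployment would look up hashed passwords
  private static final Map<String, String> USERS = Map.of("admin", "correct horse battery staple");
  @Override
  public void start() {
    // Same jceks keystore as in the question; the relative path is an assumption
    JWTAuth jwtAuth = JWTAuth.create(vertx, new JWTAuthOptions()
      .setKeyStore(new KeyStoreOptions()
        .setType("jceks").setPath("keystore.jceks").setPassword("secret")));
    Router router = Router.router(vertx);
    router.route().handler(BodyHandler.create());
    // Login route: validates the posted form and answers with a signed JWT, no redirect
    router.post("/login-auth").handler(ctx -> {
      String user = ctx.request().getFormAttribute("username");
      String pass = ctx.request().getFormAttribute("password");
      if (!credentialsValid(user, pass)) {
        ctx.response().setStatusCode(401).end("Unauthorized");
        return;
      }
      // Alias ES512 in the keystore selects the ES512 signing key; tokens expire after 30 min
      String token = jwtAuth.generateToken(new JsonObject().put("sub", user),
        new JWTOptions().setAlgorithm("ES512").setExpiresInMinutes(30));
      ctx.response().putHeader("Content-Type", "application/json")
        .end(new JsonObject().put("token", token).encode());
    });
    // Every /admin/* request must carry "Authorization: Bearer <token>", else 401
    router.route("/admin/*").handler(JWTAuthHandler.create(jwtAuth));
    router.get("/admin/test").handler(ctx ->
      ctx.response().end("hello " + ctx.user().principal().getString("sub")));
    vertx.createHttpServer().requestHandler(router).listen(8080);
  }
  // Constant-time comparison so timing does not leak how much of the password matched
  static boolean credentialsValid(String user, String pass) {
    String expected = user == null ? null : USERS.get(user);
    return expected != null && pass != null && MessageDigest.isEqual(
      expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
  }
}
```

A browser form will not attach the returned token by itself; the client has to store it and send it as an Authorization: Bearer header on later requests, which is why a form-based login normally pairs with a session-backed provider rather than JWTAuth.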
