Issue
SCENARIO
I am calling this method inside the start() of my HTTP server verticle:
```java
// Imports the snippet needs (Vert.x 3.x packages; the code uses
// SessionHandler.setAuthProvider, which exists only in the 3.x line).
// Assumed to be fields of the verticle: vertx (from AbstractVerticle) and authProvider.
import io.vertx.ext.auth.KeyStoreOptions;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTAuthOptions;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.BodyHandler;
import io.vertx.ext.web.handler.FormLoginHandler;
import io.vertx.ext.web.handler.RedirectAuthHandler;
import io.vertx.ext.web.handler.SessionHandler;
import io.vertx.ext.web.sstore.LocalSessionStore;

private void setupAuth(Router router) {
    // Secure access key: JWTAuth loads the signing key from a JCEKS keystore
    var config = new JWTAuthOptions()
        .setKeyStore(new KeyStoreOptions()
            .setType("jceks")
            .setPath("C:\\Users\\3587741\\Desktop\\Projects\\P_Gatlin\\jwt\\keystore.jceks")
            .setPassword("secret")
        );
    // Setup the secure route
    authProvider = JWTAuth.create(vertx, config);
    router.route().handler(BodyHandler.create());
    router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)).setAuthProvider(authProvider));
    // Redirect to a login page if the user is NOT logged in
    var redirectAuthHandler = RedirectAuthHandler.create(authProvider, RouteNames.LOGIN_ADMIN, "/");
    // Secure every page that starts with "/admin/..."
    router.route("/admin/*").handler(redirectAuthHandler);
    // The login form POSTs username/password here; the handler delegates to authProvider
    router.post(RouteNames.LOGIN_CHECKER).handler(FormLoginHandler.create(authProvider));
}
```
I need the /admin/* path to be secure. The above implementation has been almost entirely copy-pasted from the official documentation. I have used this command to generate the key:

```shell
keytool -genkeypair -keystore keystore.jceks -storetype jceks -storepass secret -keyalg EC -keysize 256 -alias ES512 -keypass secret -sigalg SHA512withECDSA -dname "CN=,OU=,O=,L=,ST=,C=" -validity 360
```
From the above, the password is secret and the alias is es512. This is the content of the login page:

```html
<form action="/login-auth" method="POST">
  <div class="credential">
    <input type="text" name="username" placeholder="Username" />
    <input type="password" name="password" placeholder="Password" />
    <input type="submit" value="OK" />
  </div>
</form>
```
where /login-auth is the value of RouteNames.LOGIN_CHECKER in router.post(RouteNames.LOGIN_CHECKER).handler(FormLoginHandler.create(authProvider));
In my web page I try to access http://localhost/admin/test and I am correctly redirected to the /login page.
Why do I get the message "Forbidden" when I try to access it? The alias and the password are correct; I have also tested them with keytool and they match (I used them in the command that generated the jceks). What is wrong?
Am I failing to use JWT auth in some way?
Solution
You're mixing 2 incompatible things here.
FormAuthHandler's function is to redirect your browser to an HTML page where login/password are asked of the end user. This is what you're observing.
JWTHandler's function is to validate JWT tokens.
So when your browser submits the form to the server, it sends a form (with username/password), not a JWT token. Since the token is missing, you will get a Forbidden error code.
Answered By - Paulo Lopes
Answer Checked By - Candace Johnson (JavaFixing Volunteer)
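Worked example of the two pairings the answer separates, added here as an illustration; it is not code from the question, the answer, or the Vert.x project. It targets the Vert.x 4 API (the question's snippet uses the 3.x SessionHandler.setAuthProvider call) and the class names DemoVerticle and DemoCredentialsProvider, the demo user "admin"/"s3cret", the routes /login, /login-auth, /api/login and the keystore path are all assumptions. Pairing 1 gives FormLoginHandler what it can actually check, a username/password provider, so the browser form logs in and RedirectAuthHandler protects /admin/*. Pairing 2 uses the keystore for what JWTAuth is for: a login endpoint issues a token, and JWTAuthHandler validates the Bearer header on /api/admin/*.

```java
// Added example (not from the original question or answer). Assumes Vert.x 4;
// DemoVerticle, DemoCredentialsProvider, the demo user and the routes are made up.
import io.vertx.core.AbstractVerticle;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.KeyStoreOptions;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authentication.AuthenticationProvider;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTAuthOptions;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.BodyHandler;
import io.vertx.ext.web.handler.FormLoginHandler;
import io.vertx.ext.web.handler.JWTAuthHandler;
import io.vertx.ext.web.handler.RedirectAuthHandler;
import io.vertx.ext.web.handler.SessionHandler;
import io.vertx.ext.web.sstore.LocalSessionStore;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DemoVerticle extends AbstractVerticle {

  /** Username/password provider: the kind of provider a FormLoginHandler needs. */
  static final class DemoCredentialsProvider implements AuthenticationProvider {
    // Constructed demo credential (username "admin", password "s3cret").
    // A real deployment stores salted password hashes (e.g. SqlAuthentication).
    private static final String USER = "admin";
    private static final byte[] PASSWORD_SHA256 = sha256("s3cret");

    @Override
    public void authenticate(JsonObject credentials, Handler<AsyncResult<User>> handler) {
      String username = credentials.getString("username");
      String password = credentials.getString("password");
      if (username == null || password == null) {
        handler.handle(Future.failedFuture("missing credentials"));
        return;
      }
      // MessageDigest.isEqual compares in constant time.
      if (USER.equals(username) && MessageDigest.isEqual(PASSWORD_SHA256, sha256(password))) {
        handler.handle(Future.succeededFuture(User.create(new JsonObject().put("username", username))));
      } else {
        handler.handle(Future.failedFuture("invalid credentials"));
      }
    }

    private static byte[] sha256(String s) {
      try {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
      } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException(e);
      }
    }
  }

  @Override
  public void start() {
    Router router = Router.router(vertx);
    router.route().handler(BodyHandler.create());
    router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));

    AuthenticationProvider credentials = new DemoCredentialsProvider();

    // Pairing 1: browser form login. The POSTed username/password go to the
    // credentials provider; the resulting session user satisfies RedirectAuthHandler.
    router.route("/admin/*").handler(RedirectAuthHandler.create(credentials, "/login", "/"));
    router.post("/login-auth").handler(FormLoginHandler.create(credentials));
    router.get("/admin/test").handler(ctx ->
        ctx.response().end("hello " + ctx.user().principal().getString("username")));

    // Pairing 2: JWT. The keystore key signs tokens; JWTAuthHandler validates them.
    JWTAuth jwtAuth = JWTAuth.create(vertx, new JWTAuthOptions()
        .setKeyStore(new KeyStoreOptions().setType("jceks").setPath("keystore.jceks").setPassword("secret")));

    // Exchange username/password (JSON body, not an HTML form) for a signed token.
    router.post("/api/login").handler(ctx -> credentials.authenticate(ctx.getBodyAsJson())
        .onSuccess(user -> ctx.response().end(jwtAuth.generateToken(user.principal(),
            new JWTOptions().setAlgorithm("ES512").setExpiresInMinutes(30))))
        .onFailure(err -> ctx.response().setStatusCode(401).end()));

    // Every /api/admin/* request must carry "Authorization: Bearer <token>".
    router.route("/api/admin/*").handler(JWTAuthHandler.create(jwtAuth));
    router.get("/api/admin/test").handler(ctx ->
        ctx.response().end("hello " + ctx.user().principal().getString("username")));

    vertx.createHttpServer().requestHandler(router).listen(8080);
  }

  public static void main(String[] args) {
    Vertx.vertx().deployVerticle(new DemoVerticle());
  }
}
```

Two caveats when adapting this. The algorithm passed to setAlgorithm must correspond to the key the provider loaded from the keystore, and RFC 7518 defines ES512 as ECDSA over the P-521 curve with SHA-512; the keytool command in the question generates a 256-bit EC key (the curve ES256 is defined for), so a key intended for ES512 should be generated with -keysize 521. Also, a form POST and a JWT Bearer request are different client flows: a browser page is served by Pairing 1, while API clients that obtained a token from /api/login use Pairing 2, and neither handler will accept the other's credentials.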