When setting up an API via JadeRestService, the current way to enable JWT validation is to right-click on the method being exposed, select "REST Security Option" and add something (single claim, delegate, etc.). When one item is added to this "REST Security Option", the internal JWT validation is enabled.
My class has over a hundred methods to expose; they all point to the same common "additional-validation" method/delegate. It is very fiddly, and the methods in question don't have anything in the IDE to show that JWT validation is enabled. What I'm really concerned with is the opposite: the IDE also doesn't show that JWT validation is NOT enabled for that method. Because the JWT validation is 'opt in', it feels like a security mistake waiting to happen.
I would rather force-enable the JWT checks in a common place. Is there a recommended way to add this validation in a common location, for example in the 'processRequest' method that calls JadeJWTValidator@validateAsymmetricTokenRS() and redirects to an error method on failure?
Additionally, is 'validateAsymmetricTokenRS()' enough to replicate the internal JWT validation or are there more methods I need to call? I appreciate there are best-practices for additional checking, I'm just ensuring I'm replicating the base logic.
Hi Patrick.
Currently, to enable 'JWT Validation' the process is user-intensive:
- In the IDE, right-click the REST method to expose
- Select "REST Security..."
- In the popup, select the claim type I want to use
To do this for 100 methods is overkill, not to mention I'm a human and will make a mistake.
Instead of repeating the above process 100 times - and trying to remember this step whenever I create a new method - I have put code in a common place to (try to) replicate the JWT validation: the 'processRequest' method.
I appreciate that enabling a claim does more than call 'validateAsymmetricTokenRS()' behind the scenes... can I have the list of what methods are being called behind the scenes so I can put them in my 'processRequest' method?
Thanks
Hi Damian. We have added a ticket to our backlog to add some kind of visual indicator in the IDE to show if a method has JWT validation enabled.
To answer your question in the last paragraph, the validation goes beyond validateAsymmetricTokenRS() - there is a lot more going on behind the scenes for different cases.