To understand the JWT authentication implementation standard, I have tried out KumuluzEE with Microservice 3.3.
The sample is working fine with a valid JWT token, as expected, without issues. But the weird behavior I noticed was that the target endpoint is still accessible without passing the "Authorization": "Bearer XXXXXX" header. Is additional configuration required to make the authorization header mandatory for the JWT authentication implementation?
Application Endpoint:

```java
@ApplicationPath("/data")
@LoginConfig(authMethod = "MP-JWT")
@DeclareRoles({"protected"})
public class DemoRestApplication extends Application {
}
```
jeevaengg21 changed the title from "Microservice - JWT authentication is working with out authorization header" to "JWT authentication is not denying the request when authorization header is not supplied" on Sep 14, 2020
It seems this is the same issue as #12 which was resolved with version v1.1.3.
The current version of KumuluzEE - v3.10.0 uses jwt v1.1.2 where the issue is still present. We are releasing KumuluzEE v3.11.0 which will use the latest version of jwt library v1.1.3.
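
A regression check for the behaviour reported in this issue, as an added example that is not code from the issue or from KumuluzEE: it sends requests that carry no usable credential and reports any that are answered instead of refused. The local stub server, the token strings and the `/protected` resource under `/data` are constructed assumptions so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBES = {  # constructed probes: none of these carries a usable credential
    "no header": {},
    "empty bearer": {"Authorization": "Bearer "},
    "wrong scheme": {"Authorization": "Basic Zm9vOmJhcg=="},
    "garbage token": {"Authorization": "Bearer not-a-jwt"},
}

def probe(host, port, path):
    """Send each probe to the endpoint; return {probe name: HTTP status}."""
    results = {}
    for name, headers in PROBES.items():
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers=headers)
        results[name] = conn.getresponse().status
        conn.close()
    return results

def not_denied(results):
    """Names of probes the endpoint answered instead of refusing (401/403)."""
    return sorted(n for n, status in results.items() if status not in (401, 403))

def make_stub(fail_open):
    """Constructed local stand-in for a protected endpoint (not KumuluzEE code)."""
    class Stub(BaseHTTPRequestHandler):
        def do_GET(self):
            auth = self.headers.get("Authorization")
            # fail_open=True models the reported symptom: no header, no check.
            ok = fail_open if auth is None else auth == "Bearer constructed-valid-token"
            self.send_response(200 if ok else 401)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args): pass  # keep the demo quiet
    return HTTPServer(("127.0.0.1", 0), Stub)

def check_stub(fail_open, path="/data/protected"):  # "/protected" is hypothetical
    server = make_stub(fail_open)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return not_denied(probe("127.0.0.1", server.server_port, path))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print({"fail-open": check_stub(True), "fail-closed": check_stub(False)})
```

To check a real deployment after upgrading, call `probe()` with the service's host, port and a protected path, and treat any name returned by `not_denied()` as a failure.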