Tags: rest, jakarta-ee, wildfly, jwt, picketlink

Using tokens in PicketLink with LDAP-based identity store in Java EE 7 (WildFly)


I'm trying to secure RESTful web services with JWT tokens; it's basically the picketlink-angularjs-rest quickstart (PicketLink AngularJS and REST Security), but with an LDAP (AD) identity store.

When the client tries to acquire a token, LDAP authorization works fine, but then a NullPointerException occurs when JWSTokenProvider attempts to update the account with the token.

14:18:51,463 ERROR [org.picketlink.http] (default task-1) Exception thrown during processing for path [/web/rest/authenticate]. Sending error with status code [500].: javax.ejb.EJBException: org.picketlink.idm.IdentityManagementException: PLIDM000201: Credential update failed for account [org.picketlink.idm.model.basic.User@bd0f05c0] and type [app.security.jws.JWSToken@7abd2a33].
    (...)
    at org.picketlink.http.internal.authentication.schemes.TokenAuthenticationScheme.issueToken(TokenAuthenticationScheme.java:222) [picketlink-impl-2.7.0.Final.jar:]
    at org.picketlink.http.internal.authentication.schemes.TokenAuthenticationScheme.onPostAuthentication(TokenAuthenticationScheme.java:128) [picketlink-impl-2.7.0.Final.jar:]
    at org.picketlink.http.internal.SecurityFilter.performAuthenticationIfRequired(SecurityFilter.java:437) [picketlink-impl-2.7.0.Final.jar:]
    at org.picketlink.http.internal.SecurityFilter.doFilter(SecurityFilter.java:174) [picketlink-impl-2.7.0.Final.jar:]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    (...)
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
Caused by: org.picketlink.idm.IdentityManagementException: PLIDM000201: Credential update failed for account [org.picketlink.idm.model.basic.User@bd0f05c0] and type [app.security.jws.JWSToken@7abd2a33].
    at org.picketlink.idm.internal.ContextualIdentityManager.updateCredential(ContextualIdentityManager.java:235) [picketlink-idm-impl-2.7.0.Final.jar:]
    at org.picketlink.idm.internal.ContextualIdentityManager.updateCredential(ContextualIdentityManager.java:217) [picketlink-idm-impl-2.7.0.Final.jar:]
    at app.security.jws.JWSTokenProvider.issue(JWSTokenProvider.java:50) [app-1.0-SNAPSHOT.jar:]
    (...)
    ... 75 more
Caused by: java.lang.NullPointerException
    at org.picketlink.idm.internal.DefaultStoreSelector.getStoreForCredentialOperation(DefaultStoreSelector.java:221) [picketlink-idm-impl-2.7.0.Final.jar:]
    at org.picketlink.idm.internal.ContextualIdentityManager.updateCredential(ContextualIdentityManager.java:231) [picketlink-idm-impl-2.7.0.Final.jar:]
    ... 112 more

(full stacktrace is here)

How can I make this scenario work? Or, if it's impossible in PicketLink, what's the alternative? I'm using Java EE 7 and the WildFly application server.


Solution

  • Maybe this configuration is not supported? Check the PicketLink documentation: http://docs.jboss.org/picketlink/2/latest/reference/html/sect-Built-in_Credential_Handlers.html

    org.picketlink.idm.credential.TokenCredential: used for token-based authentication. Supported by JPAIdentityStore and FileBasedIdentityStore.
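The comment above points at a configuration gap rather than a code bug: the NullPointerException surfaces in DefaultStoreSelector.getStoreForCredentialOperation, i.e. at the moment PicketLink looks for a store willing to persist the token credential, and an LDAP-only configuration has none. The following CDI producer is an added illustration written for this thread; it is not the asker's code and not part of the PicketLink project or quickstart. It assumes the mixed-store pattern from the PicketLink reference (LDAP owning identity types and password validation, a second store owning partitions, relationships and credentials) and that a FileBasedIdentityStore declared with supportCredentials(true) is the store the selector will then pick for the token update. The class name, the AD attribute mapping and all connection values are placeholders.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Produces;

import org.picketlink.idm.config.IdentityConfiguration;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.model.IdentityType;
import org.picketlink.idm.model.Partition;
import org.picketlink.idm.model.Relationship;
import org.picketlink.idm.model.basic.User;

/**
 * Hypothetical producer (added example, not the thread's code): keeps user
 * lookup and password validation in Active Directory via the LDAP store, and
 * adds a file store so that at least one configured store supports credential
 * storage for the token PicketLink wants to save on the account.
 */
@ApplicationScoped
public class TokenCapableIdmConfig {

    // Placeholder AD connection settings; replace with the real environment.
    private static final String LDAP_URL = "ldap://ad.example.test:389";
    private static final String BIND_DN = "cn=svc-picketlink,cn=Users,dc=example,dc=test";
    private static final String BIND_PASSWORD = "<bind-password>";
    private static final String BASE_DN = "dc=example,dc=test";
    private static final String USERS_DN = "cn=Users,dc=example,dc=test";

    @Produces
    public IdentityConfiguration produceIdentityConfiguration() {
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();

        builder
            .named("default")
                .stores()
                    // Assumption: the file store owns the partition, relationships and
                    // credential storage. Because it declares credential support, it is
                    // the store the selector can hand a TokenCredential update to; the
                    // LDAP store cannot persist anything but the bind password check.
                    .file()
                        .supportType(Partition.class)
                        .supportGlobalRelationship(Relationship.class)
                        .supportCredentials(true)
                        .preserveState(false)
                    // Accounts are read from AD; nothing is written back. Password
                    // credentials are validated here through an LDAP bind.
                    .ldap()
                        .url(LDAP_URL)
                        .bindDN(BIND_DN)
                        .bindCredential(BIND_PASSWORD)
                        .baseDN(BASE_DN)
                        .supportType(IdentityType.class)
                        .supportCredentials(true)
                        .mapping(User.class)
                            .baseDN(USERS_DN)
                            .objectClasses("user")
                            // AD attribute names are an assumption for this example.
                            .attribute("loginName", "sAMAccountName", true)
                            .attribute("firstName", "givenName")
                            .attribute("lastName", "sn")
                            .attribute("email", "mail")
                            .readOnlyAttribute("createdDate", "whenCreated");

        return builder.build();
    }
}
```

Two practical checks when trying a layout like this: confirm that exactly one store declares support for Partition.class (the LDAP store does not manage partitions, so the second store must), and keep the service account used for bindDN read-only in the directory, since the token credential is the only thing that should ever be written, and it lands in the file or JPA store, not in AD.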