I am writing a custom JAAS module to authenticate users using JSON Web Tokens (JWTs). The users connect to a 3rd party application over WebSockets, and this app supports custom JAAS modules.
I've no idea how to retrieve the JWT token from the application. It will be passed along as a header, but I don't know how to retrieve it using the JAAS API.
Surely I can access everything that a client has passed over and use this to authenticate? I'm thinking that there should be some way to retrieve arbitrary headers on the Subject that has requested access to the application?
So after spending more time with JAAS, here is how my issue was solved:
JAAS does not allow me access to the (arbitrary) protocol header that contains the JWT. However, note that I was using MQTT over WSS, and the MQTT CONNECT packet has a "username" and "password" field. So the JWT can be passed as the password (regarding this seeming hacky, an authentication token is a kind of password). JAAS provides an API to retrieve the password from a user who has requested auth, regardless of the underlying protocol that was used to send the user's auth data.
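The pattern the answer describes, as an added example that is not the poster's code: a `LoginModule` that asks the container's `CallbackHandler` for the `NameCallback`/`PasswordCallback` pair (which an MQTT broker fills from the CONNECT username/password fields), treats the password as an HS256 JWT, verifies the signature with a constant-time compare, pins the `alg` header, checks `exp`, and only then adds a principal. The option name `hmacSecret`, the regex-based claim extraction, and the demo secret/token in `main` are assumptions made for the example; a production module would hand the token to a real JWT library.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** JAAS module: the JWT arrives in the MQTT CONNECT "password" field (example, not the original poster's code). */
public class JwtPasswordLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private byte[] hmacKey;      // HS256 key; the "hmacSecret" option name is an assumption for this example
    private String verifiedSub;  // "sub" claim, set only after login() verified the token

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object secret = options.get("hmacSecret");
        if (secret == null) throw new IllegalArgumentException("hmacSecret option is required");
        this.hmacKey = secret.toString().getBytes(StandardCharsets.UTF_8);
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username");
        PasswordCallback pass = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { name, pass });  // the broker fills these from CONNECT, whatever the transport
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();
        pass.clearPassword();
        if (pw == null) throw new FailedLoginException("no password (JWT) supplied");
        String token = new String(pw);
        Arrays.fill(pw, '\0');
        // Identity comes from the verified "sub" claim, not from the unauthenticated username field.
        verifiedSub = verifyHs256(token, hmacKey, System.currentTimeMillis() / 1000);
        if (verifiedSub == null) throw new FailedLoginException("JWT missing, malformed, expired or badly signed");
        return true;
    }

    public boolean commit() {
        if (verifiedSub == null) return false;
        subject.getPrincipals().add(new JwtPrincipal(verifiedSub));
        return true;
    }
    public boolean abort() { verifiedSub = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof JwtPrincipal); return true; }

    /** Verifies an HS256 JWT; returns its "sub" claim on success, null on any failure. */
    static String verifyHs256(String token, byte[] key, long nowSeconds) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return null;
        Base64.Decoder b64 = Base64.getUrlDecoder();
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!MessageDigest.isEqual(expected, b64.decode(parts[2]))) return null;  // constant-time compare
            String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
            String payload = new String(b64.decode(parts[1]), StandardCharsets.UTF_8);
            // Pin the algorithm: this module only holds an HMAC key, so "none" or RS256 headers are rejected.
            if (!Pattern.compile("\"alg\"\\s*:\\s*\"HS256\"").matcher(header).find()) return null;
            Matcher exp = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)").matcher(payload);
            if (!exp.find() || Long.parseLong(exp.group(1)) <= nowSeconds) return null;
            Matcher sub = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"]+)\"").matcher(payload);
            return sub.find() ? sub.group(1) : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;
        }
    }

    static final class JwtPrincipal implements Principal {
        private final String name;
        JwtPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Stand-alone demo: mint a token with a constructed secret, then drive the module like a broker would. */
    public static void main(String[] args) throws Exception {
        String secret = "example-shared-secret";  // constructed for the demo
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String signingInput = enc.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8)) + "."
            + enc.encodeToString(("{\"sub\":\"device-42\",\"exp\":" + (System.currentTimeMillis() / 1000 + 300) + "}").getBytes(StandardCharsets.UTF_8));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        String token = signingInput + "." + enc.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII)));
        CallbackHandler fromConnect = callbacks -> {  // stands in for the broker's handler over the CONNECT packet
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("device-42");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(token.toCharArray());
            }
        };
        JwtPasswordLoginModule m = new JwtPasswordLoginModule();
        Subject s = new Subject();
        m.initialize(s, fromConnect, Map.of(), Map.of("hmacSecret", secret));
        System.out.println(m.login() && m.commit() ? "authenticated as " + s.getPrincipals().iterator().next().getName() : "rejected");
    }
}
```

Two points worth keeping when adapting this: the MQTT username field is untrusted input, so the principal is taken from the signed `sub` claim rather than from `NameCallback`; and because the module only ever holds a symmetric key, rejecting any `alg` other than `HS256` closes the usual algorithm-confusion and `alg: none` tricks before the claims are read.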