From 32b7fdec47f1a6a8a0a38668e7fe0a817eec8d04 Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Wed, 18 Jul 2018 10:48:15 +0300
Subject: [PATCH 01/10] Add exclusions mechanism into jwtproxy config builder

---
 .../1.0.0/org.eclipse.che.exec.json           |  6 +++--
 .../1.0.1/org.eclipse.che.exec.json           |  6 +++--
 .../1.0.0/org.eclipse.che.terminal.json       |  3 ++-
 .../1.0.1/org.eclipse.che.terminal.json       |  3 ++-
 .../jwtproxy/JwtProxyConfigBuilder.java       | 27 ++++++++++++++-----
 .../secure/jwtproxy/JwtProxyProvisioner.java  | 19 +++++++++++--
 .../jwtproxy/JwtProxySecureServerExposer.java |  3 ++-
 .../jwtproxy/JwtProxyConfigBuilderTest.java   |  9 +++++--
 .../jwtproxy/JwtProxyProvisionerTest.java     |  3 ++-
 .../JwtProxySecureServerExposerTest.java      |  5 ++--
 .../src/test/resources/jwtproxy-confg.yaml    | 17 +++++++-----
 .../server/MachineTokenRegistry.java          | 15 ++++++++---
 .../1.0.0/org.eclipse.che.ws-agent.json       |  6 +++--
 .../1.0.1/org.eclipse.che.ws-agent.json       |  6 +++--
 .../1.0.2/org.eclipse.che.ws-agent.json       |  6 +++--
 .../1.0.3/org.eclipse.che.ws-agent.json       |  6 +++--
 16 files changed, 102 insertions(+), 38 deletions(-)

diff --git a/agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json b/agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json
index fa71a8925d6..327bf98f102 100644
--- a/agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json
+++ b/agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json
@@ -11,7 +11,8 @@
       "protocol": "http",
       "path" : "/process",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/liveness"
       }
     },
     "exec-agent/ws": {
@@ -19,7 +20,8 @@
       "protocol": "ws",
       "path": "/connect",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/liveness"
       }
     }
   }
diff --git a/agents/exec/installer/src/main/resources/installers/1.0.1/org.eclipse.che.exec.json b/agents/exec/installer/src/main/resources/installers/1.0.1/org.eclipse.che.exec.json
index e08d9f35ea9..6949ee5ccd6 100644
--- a/agents/exec/installer/src/main/resources/installers/1.0.1/org.eclipse.che.exec.json
+++ b/agents/exec/installer/src/main/resources/installers/1.0.1/org.eclipse.che.exec.json
@@ -11,7 +11,8 @@
       "protocol": "http",
       "path" : "/process",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/liveness"
       }
     },
     "exec-agent/ws": {
@@ -19,7 +20,8 @@
       "protocol": "ws",
       "path": "/connect",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/liveness"
       }
     }
   }
diff --git a/agents/terminal/src/main/resources/installers/1.0.0/org.eclipse.che.terminal.json b/agents/terminal/src/main/resources/installers/1.0.0/org.eclipse.che.terminal.json
index 58fdadfd519..df45e1aacd5 100644
--- a/agents/terminal/src/main/resources/installers/1.0.0/org.eclipse.che.terminal.json
+++ b/agents/terminal/src/main/resources/installers/1.0.0/org.eclipse.che.terminal.json
@@ -11,7 +11,8 @@
       "protocol": "ws",
       "path" : "/pty",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/liveness"
       }
     }
   }
diff --git a/agents/terminal/src/main/resources/installers/1.0.1/org.eclipse.che.terminal.json b/agents/terminal/src/main/resources/installers/1.0.1/org.eclipse.che.terminal.json
index cfd12111fc9..e974aae2382 100644
--- a/agents/terminal/src/main/resources/installers/1.0.1/org.eclipse.che.terminal.json
+++ b/agents/terminal/src/main/resources/installers/1.0.1/org.eclipse.che.terminal.json
@@ -11,7 +11,8 @@
       "protocol": "ws",
       "path" : "/pty",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/liveness"
       }
     }
   }
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
index d580bd88de3..6da550497de 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
@@ -10,11 +10,13 @@
  */
 package org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.jwtproxy;
 
+import static java.lang.String.format;
 import static org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.jwtproxy.JwtProxyProvisioner.JWT_PROXY_CONFIG_FOLDER;
 import static org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.jwtproxy.JwtProxyProvisioner.JWT_PROXY_PUBLIC_KEY_FILE;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 
 /**
  * Helps to build JWTProxy config with several verifier proxies.
@@ -29,8 +31,8 @@ public JwtProxyConfigBuilder(String workspaceId) {
     this.workspaceId = workspaceId;
   }
 
-  public void addVerifierProxy(Integer listenPort, String upstream) {
-    verifierProxies.add(new VerifierProxy(listenPort, upstream));
+  public void addVerifierProxy(Integer listenPort, String upstream, Set<String> excludes) {
+    verifierProxies.add(new VerifierProxy(listenPort, upstream, excludes));
   }
 
   public String build() {
@@ -39,18 +41,18 @@ public String build() {
     configBuilder.append("jwtproxy:\n" + "  verifier_proxies:\n");
     for (VerifierProxy verifierProxy : verifierProxies) {
       configBuilder.append(
-          String.format(
+          format(
               "  - listen_addr: :%s\n" // :4471
                   + "    verifier:\n"
                   + "      upstream: %s/\n" // http://localhost:4401
-                  + "      audience: http://%s\n"
+                  + "      audience: %s\n"
                   + "      max_skew: 1m\n"
-                  + "      max_ttl: 3h\n"
+                  + "      max_ttl: 8800h\n"
                   + "      key_server:\n"
                   + "        type: preshared\n"
                   + "        options:\n"
                   + "          issuer: wsmaster\n"
-                  + "          key_id: mykey\n"
+                  + "          key_id: %s\n"
                   + "          public_key_path: "
                   + JWT_PROXY_CONFIG_FOLDER
                   + "/"
@@ -64,8 +66,17 @@ public String build() {
                   + "        type: void\n",
               verifierProxy.listenPort,
               verifierProxy.upstream,
+              workspaceId,
               workspaceId));
+      if (!verifierProxy.excludes.isEmpty()) {
+        configBuilder.append("      excludes:\n");
+        verifierProxy.excludes.forEach(
+            s -> {
+              configBuilder.append(format("      - %s\n", s));
+            });
+      }
     }
+
     configBuilder.append("  signer_proxy:\n" + "    enabled: false\n");
     return configBuilder.toString();
   }
@@ -73,10 +84,12 @@ public String build() {
   private class VerifierProxy {
     private Integer listenPort;
     private String upstream;
+    private Set<String> excludes;
 
-    VerifierProxy(Integer listenPort, String upstream) {
+    VerifierProxy(Integer listenPort, String upstream, Set<String> excludes) {
       this.listenPort = listenPort;
       this.upstream = upstream;
+      this.excludes = excludes;
     }
   }
 }
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java
index 3a4f5e9b7d0..cc43ff45dda 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java
@@ -30,9 +30,13 @@
 import io.fabric8.kubernetes.api.model.VolumeBuilder;
 import io.fabric8.kubernetes.api.model.VolumeMount;
 import java.security.KeyPair;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 import org.eclipse.che.api.core.model.workspace.config.MachineConfig;
+import org.eclipse.che.api.core.model.workspace.config.ServerConfig;
 import org.eclipse.che.api.core.model.workspace.runtime.RuntimeIdentity;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
 import org.eclipse.che.api.workspace.server.spi.InternalInfrastructureException;
@@ -77,6 +81,7 @@ public class JwtProxyProvisioner {
 
   static final String JWT_PROXY_CONFIG_FOLDER = "/config";
   static final String JWT_PROXY_PUBLIC_KEY_FILE = "mykey.pub";
+  static final String UNSECURED_PATHS_ATTRIBUTE = "unsecuredPaths";
 
   private final SignatureKeyManager signatureKeyManager;
 
@@ -105,6 +110,7 @@ public JwtProxyProvisioner(RuntimeIdentity identity, SignatureKeyManager signatu
    * @param backendServiceName service name that will be exposed
    * @param backendServicePort service port that will be exposed
    * @param protocol protocol that will be used for exposed port
+   * @param secureServers secure servers to expose
    * @return JWTProxy service port that expose the specified one
    * @throws InfrastructureException if any exception occurs during port exposing
    */
@@ -112,14 +118,23 @@ public ServicePort expose(
       KubernetesEnvironment k8sEnv,
       String backendServiceName,
       int backendServicePort,
-      String protocol)
+      String protocol,
+      Map<String, ServerConfig> secureServers)
       throws InfrastructureException {
     ensureJwtProxyInjected(k8sEnv);
 
     int listenPort = availablePort++;
 
+    Set<String> excludes = new HashSet<>();
+    for (ServerConfig config : secureServers.values()) {
+      if (config.getAttributes().containsKey(UNSECURED_PATHS_ATTRIBUTE)) {
+        Collections.addAll(
+            excludes, config.getAttributes().get(UNSECURED_PATHS_ATTRIBUTE).split(","));
+      }
+    }
+
     proxyConfigBuilder.addVerifierProxy(
-        listenPort, "http://" + backendServiceName + ":" + backendServicePort);
+        listenPort, "http://" + backendServiceName + ":" + backendServicePort, excludes);
     k8sEnv
         .getConfigMaps()
         .get(getConfigMapName())
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposer.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposer.java
index 3c7aa75d798..60226eb2e2c 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposer.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposer.java
@@ -73,7 +73,8 @@ public void expose(
             k8sEnv,
             serviceName,
             servicePort.getTargetPort().getIntVal(),
-            servicePort.getProtocol());
+            servicePort.getProtocol(),
+            secureServers);
 
     exposerStrategy.expose(
         k8sEnv, machineName, proxyProvisioner.getServiceName(), exposedServicePort, secureServers);
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilderTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilderTest.java
index 0334798a41f..dc4b71c6f84 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilderTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilderTest.java
@@ -10,8 +10,11 @@
  */
 package org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.jwtproxy;
 
+import static java.util.Arrays.asList;
 import static org.testng.Assert.assertEquals;
 
+import java.util.HashSet;
+import java.util.Set;
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.Test;
 import org.testng.reporters.Files;
@@ -33,8 +36,10 @@ public void setUp() {
   @Test
   public void shouldBuildJwtProxyConfigInYamlFormat() throws Exception {
     // given
-    jwtProxyConfigBuilder.addVerifierProxy(8080, "http://tomcat:8080");
-    jwtProxyConfigBuilder.addVerifierProxy(4101, "ws://terminal:4101");
+    Set<String> excludes = new HashSet<>(asList("/api/liveness"));
+    jwtProxyConfigBuilder.addVerifierProxy(8080, "http://tomcat:8080", new HashSet<>(excludes));
+    excludes.add("/other/exclude");
+    jwtProxyConfigBuilder.addVerifierProxy(4101, "ws://terminal:4101", new HashSet<>(excludes));
 
     // when
     String jwtProxyConfigYaml = jwtProxyConfigBuilder.build();
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisionerTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisionerTest.java
index 405caa4edc5..395367a1930 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisionerTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisionerTest.java
@@ -27,6 +27,7 @@
 import java.security.KeyPair;
 import java.security.PublicKey;
 import java.util.Base64;
+import java.util.Collections;
 import java.util.regex.Pattern;
 import org.eclipse.che.api.core.model.workspace.runtime.RuntimeIdentity;
 import org.eclipse.che.api.workspace.server.model.impl.RuntimeIdentityImpl;
@@ -91,7 +92,7 @@ public void shouldReturnGeneratedJwtProxyConfigMapName() {
   @Test
   public void shouldProvisionJwtProxyRelatedObjectsIntoKubernetesEnvironment() throws Exception {
     // when
-    jwtProxyProvisioner.expose(k8sEnv, "terminal", 4401, "TCP");
+    jwtProxyProvisioner.expose(k8sEnv, "terminal", 4401, "TCP", Collections.EMPTY_MAP);
 
     // then
     InternalMachineConfig jwtProxyMachine =
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposerTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposerTest.java
index ba19af057a9..7971e3cd39d 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposerTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposerTest.java
@@ -12,6 +12,7 @@
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyMap;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.verify;
@@ -71,7 +72,7 @@ public void shouldExposeSecureServersWithNewJwtProxyServicePort() throws Excepti
     ServicePort jwtProxyServicePort = new ServicePort();
     doReturn(jwtProxyServicePort)
         .when(jwtProxyProvisioner)
-        .expose(any(), anyString(), anyInt(), anyString());
+        .expose(any(), anyString(), anyInt(), anyString(), anyMap());
 
     when(jwtProxyProvisioner.getServiceName()).thenReturn(JWT_PROXY_SERVICE_NAME);
 
@@ -80,7 +81,7 @@ public void shouldExposeSecureServersWithNewJwtProxyServicePort() throws Excepti
         k8sEnv, MACHINE_NAME, MACHINE_SERVICE_NAME, machineServicePort, servers);
 
     // then
-    verify(jwtProxyProvisioner).expose(k8sEnv, MACHINE_SERVICE_NAME, 8080, "TCP");
+    verify(jwtProxyProvisioner).expose(k8sEnv, MACHINE_SERVICE_NAME, 8080, "TCP", servers);
     verify(externalServerExposer)
         .expose(k8sEnv, MACHINE_NAME, JWT_PROXY_SERVICE_NAME, jwtProxyServicePort, servers);
   }
diff --git a/infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml b/infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml
index a6f83c5c240..5aa751dee19 100644
--- a/infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml
+++ b/infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml
@@ -3,14 +3,14 @@ jwtproxy:
   - listen_addr: :8080
     verifier:
       upstream: http://tomcat:8080/
-      audience: http://workspace123
+      audience: workspace123
       max_skew: 1m
-      max_ttl: 3h
+      max_ttl: 8800h
       key_server:
         type: preshared
         options:
           issuer: wsmaster
-          key_id: mykey
+          key_id: workspace123
           public_key_path: /config/mykey.pub
       claims_verifiers:
       - type: static
@@ -18,17 +18,19 @@ jwtproxy:
           iss: wsmaster
       nonce_storage:
         type: void
+      excludes:
+      - /api/liveness
   - listen_addr: :4101
     verifier:
       upstream: ws://terminal:4101/
-      audience: http://workspace123
+      audience: workspace123
       max_skew: 1m
-      max_ttl: 3h
+      max_ttl: 8800h
       key_server:
         type: preshared
         options:
           issuer: wsmaster
-          key_id: mykey
+          key_id: workspace123
           public_key_path: /config/mykey.pub
       claims_verifiers:
       - type: static
@@ -36,5 +38,8 @@ jwtproxy:
           iss: wsmaster
       nonce_storage:
         type: void
+      excludes:
+      - /api/liveness
+      - /other/exclude
   signer_proxy:
     enabled: false
diff --git a/multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistry.java b/multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistry.java
index 1db3b690de2..95ca0ffcd0f 100644
--- a/multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistry.java
+++ b/multiuser/machine-auth/che-multiuser-machine-authentication/src/main/java/org/eclipse/che/multiuser/machine/authentication/server/MachineTokenRegistry.java
@@ -10,8 +10,9 @@
  */
 package org.eclipse.che.multiuser.machine.authentication.server;
 
-import static io.jsonwebtoken.SignatureAlgorithm.RS512;
+import static io.jsonwebtoken.SignatureAlgorithm.RS256;
 import static java.lang.String.format;
+import static java.time.temporal.ChronoUnit.DAYS;
 import static org.eclipse.che.multiuser.machine.authentication.shared.Constants.MACHINE_TOKEN_KIND;
 
 import com.google.common.collect.HashBasedTable;
@@ -19,6 +20,7 @@
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
 import java.security.PrivateKey;
+import java.time.Instant;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.UUID;
@@ -92,14 +94,21 @@ private String createToken(String userId, String workspaceId)
     final User user = userManager.getById(userId);
     final Map<String, Object> header = new HashMap<>(2);
     header.put("kind", MACHINE_TOKEN_KIND);
-    final Map<String, Object> claims = new HashMap<>(4);
+    header.put("kid", workspaceId);
+    final Map<String, Object> claims = new HashMap<>();
     // to ensure that each token is unique
     claims.put(Claims.ID, UUID.randomUUID().toString());
     claims.put(Constants.USER_ID_CLAIM, userId);
     claims.put(Constants.USER_NAME_CLAIM, user.getName());
     claims.put(Constants.WORKSPACE_ID_CLAIM, workspaceId);
+    // jwtproxy required claims
+    claims.put(Claims.ISSUER, "wsmaster");
+    claims.put(Claims.AUDIENCE, workspaceId);
+    claims.put(Claims.EXPIRATION, Instant.now().plus(365, DAYS).getEpochSecond());
+    claims.put(Claims.NOT_BEFORE, -1); // always
+    claims.put(Claims.ISSUED_AT, Instant.now().getEpochSecond());
     final String token =
-        Jwts.builder().setClaims(claims).setHeader(header).signWith(RS512, privateKey).compact();
+        Jwts.builder().setClaims(claims).setHeader(header).signWith(RS256, privateKey).compact();
     tokens.put(workspaceId, userId, token);
     return token;
   }
diff --git a/wsagent/agent/src/main/resources/installers/1.0.0/org.eclipse.che.ws-agent.json b/wsagent/agent/src/main/resources/installers/1.0.0/org.eclipse.che.ws-agent.json
index 2df0eecf510..a68aea4be2d 100644
--- a/wsagent/agent/src/main/resources/installers/1.0.0/org.eclipse.che.ws-agent.json
+++ b/wsagent/agent/src/main/resources/installers/1.0.0/org.eclipse.che.ws-agent.json
@@ -14,7 +14,8 @@
       "protocol": "http",
       "path" : "/api",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/api/liveness"
       }
     },
     "wsagent/ws": {
@@ -22,7 +23,8 @@
       "protocol": "ws",
       "path" : "/wsagent",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/api/liveness"
       }
     }
   }
diff --git a/wsagent/agent/src/main/resources/installers/1.0.1/org.eclipse.che.ws-agent.json b/wsagent/agent/src/main/resources/installers/1.0.1/org.eclipse.che.ws-agent.json
index 5b5d33f0a86..c8c5332fd36 100644
--- a/wsagent/agent/src/main/resources/installers/1.0.1/org.eclipse.che.ws-agent.json
+++ b/wsagent/agent/src/main/resources/installers/1.0.1/org.eclipse.che.ws-agent.json
@@ -14,7 +14,8 @@
       "protocol": "http",
       "path" : "/api",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/api/liveness"
       }
     },
     "wsagent/ws": {
@@ -22,7 +23,8 @@
       "protocol": "ws",
       "path" : "/wsagent",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/api/liveness"
       }
     },
     "wsagent-debug": {
diff --git a/wsagent/agent/src/main/resources/installers/1.0.2/org.eclipse.che.ws-agent.json b/wsagent/agent/src/main/resources/installers/1.0.2/org.eclipse.che.ws-agent.json
index b48e5cd0c07..cb9ef476caa 100644
--- a/wsagent/agent/src/main/resources/installers/1.0.2/org.eclipse.che.ws-agent.json
+++ b/wsagent/agent/src/main/resources/installers/1.0.2/org.eclipse.che.ws-agent.json
@@ -14,7 +14,8 @@
       "protocol": "http",
       "path" : "/api",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/api/liveness"
       }
     },
     "wsagent/ws": {
@@ -22,7 +23,8 @@
       "protocol": "ws",
       "path" : "/wsagent",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/api/liveness"
       }
     },
     "wsagent-debug": {
diff --git a/wsagent/agent/src/main/resources/installers/1.0.3/org.eclipse.che.ws-agent.json b/wsagent/agent/src/main/resources/installers/1.0.3/org.eclipse.che.ws-agent.json
index f4cac844b90..ddef838dc31 100644
--- a/wsagent/agent/src/main/resources/installers/1.0.3/org.eclipse.che.ws-agent.json
+++ b/wsagent/agent/src/main/resources/installers/1.0.3/org.eclipse.che.ws-agent.json
@@ -11,7 +11,8 @@
       "protocol": "http",
       "path" : "/api",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/api/liveness"
       }
     },
     "wsagent/ws": {
@@ -19,7 +20,8 @@
       "protocol": "ws",
       "path" : "/wsagent",
       "attributes": {
-        "secure": "true"
+        "secure": "true",
+        "unsecuredPaths" : "/api/liveness"
       }
     },
     "wsagent-debug": {

From 1703429cea6d64263750203fb60837c0f4dedef9 Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Wed, 18 Jul 2018 11:54:38 +0300
Subject: [PATCH 02/10] fixup! Add exclusions mechanism into jwtproxy config
 builder

---
 .../server/secure/jwtproxy/JwtProxyConfigBuilder.java         | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
index 6da550497de..2ddacff9ed3 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
@@ -71,9 +71,7 @@ public String build() {
       if (!verifierProxy.excludes.isEmpty()) {
         configBuilder.append("      excludes:\n");
         verifierProxy.excludes.forEach(
-            s -> {
-              configBuilder.append(format("      - %s\n", s));
-            });
+            s -> configBuilder.append(format("      - %s\n", s)));
       }
     }
 

From 9877ede960d148b805dad6c1a9926026adeedb46 Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Wed, 18 Jul 2018 12:24:23 +0300
Subject: [PATCH 03/10] fixup! fixup! Add exclusions mechanism into jwtproxy
 config builder

---
 .../che/api/core/model/workspace/config/ServerConfig.java  | 7 +++++++
 .../server/secure/jwtproxy/JwtProxyConfigBuilder.java      | 3 +--
 .../server/secure/jwtproxy/JwtProxyProvisioner.java        | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/core/che-core-api-model/src/main/java/org/eclipse/che/api/core/model/workspace/config/ServerConfig.java b/core/che-core-api-model/src/main/java/org/eclipse/che/api/core/model/workspace/config/ServerConfig.java
index a53b4a4191e..2693dda7889 100644
--- a/core/che-core-api-model/src/main/java/org/eclipse/che/api/core/model/workspace/config/ServerConfig.java
+++ b/core/che-core-api-model/src/main/java/org/eclipse/che/api/core/model/workspace/config/ServerConfig.java
@@ -36,6 +36,13 @@ public interface ServerConfig {
    */
   String SECURE_SERVER_ATTRIBUTE = "secure";
 
+  /**
+   * {@link ServerConfig} and {@link Server} attribute name which can contain an comma-separated
+   * list of URI-s which are considered as non-secure on the given server and can be accessible with
+   * unauthenticated requests.
+   */
+  String UNSECURED_PATHS_ATTRIBUTE = "unsecuredPaths";
+
   /**
    * Port used by server.
    *
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
index 2ddacff9ed3..43a571d8672 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java
@@ -70,8 +70,7 @@ public String build() {
               workspaceId));
       if (!verifierProxy.excludes.isEmpty()) {
         configBuilder.append("      excludes:\n");
-        verifierProxy.excludes.forEach(
-            s -> configBuilder.append(format("      - %s\n", s)));
+        verifierProxy.excludes.forEach(s -> configBuilder.append(format("      - %s\n", s)));
       }
     }
 
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java
index cc43ff45dda..681e422ad5f 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java
@@ -12,6 +12,7 @@
 
 import static java.util.Collections.emptyList;
 import static java.util.Collections.emptyMap;
+import static org.eclipse.che.api.core.model.workspace.config.ServerConfig.UNSECURED_PATHS_ATTRIBUTE;
 import static org.eclipse.che.commons.lang.NameGenerator.generate;
 import static org.eclipse.che.workspace.infrastructure.kubernetes.Constants.CHE_ORIGINAL_NAME_LABEL;
 import static org.eclipse.che.workspace.infrastructure.kubernetes.server.KubernetesServerExposer.SERVER_PREFIX;
@@ -81,7 +82,6 @@ public class JwtProxyProvisioner {
 
   static final String JWT_PROXY_CONFIG_FOLDER = "/config";
   static final String JWT_PROXY_PUBLIC_KEY_FILE = "mykey.pub";
-  static final String UNSECURED_PATHS_ATTRIBUTE = "unsecuredPaths";
 
   private final SignatureKeyManager signatureKeyManager;
 

From 1120d4c55210c31e6f0c1d998079a8456624d55e Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Wed, 18 Jul 2018 12:27:11 +0300
Subject: [PATCH 04/10] fixup! fixup! fixup! Add exclusions mechanism into
 jwtproxy config builder

---
 .../main/resources/installers/1.0.0/org.eclipse.che.exec.json | 4 ++--
 .../main/resources/installers/1.0.1/org.eclipse.che.exec.json | 4 ++--
 .../resources/installers/1.0.0/org.eclipse.che.terminal.json  | 2 +-
 .../resources/installers/1.0.1/org.eclipse.che.terminal.json  | 2 +-
 .../resources/installers/1.0.0/org.eclipse.che.ws-agent.json  | 4 ++--
 .../resources/installers/1.0.1/org.eclipse.che.ws-agent.json  | 4 ++--
 .../resources/installers/1.0.2/org.eclipse.che.ws-agent.json  | 4 ++--
 .../resources/installers/1.0.3/org.eclipse.che.ws-agent.json  | 4 ++--
 8 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json b/agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json
index 327bf98f102..2f6acaf1087 100644
--- a/agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json
+++ b/agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json
@@ -12,7 +12,7 @@
       "path" : "/process",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/liveness"
+        "unsecuredPaths": "/liveness"
       }
     },
     "exec-agent/ws": {
@@ -21,7 +21,7 @@
       "path": "/connect",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/liveness"
+        "unsecuredPaths": "/liveness"
       }
     }
   }
diff --git a/agents/exec/installer/src/main/resources/installers/1.0.1/org.eclipse.che.exec.json b/agents/exec/installer/src/main/resources/installers/1.0.1/org.eclipse.che.exec.json
index 6949ee5ccd6..78973645cd8 100644
--- a/agents/exec/installer/src/main/resources/installers/1.0.1/org.eclipse.che.exec.json
+++ b/agents/exec/installer/src/main/resources/installers/1.0.1/org.eclipse.che.exec.json
@@ -12,7 +12,7 @@
       "path" : "/process",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/liveness"
+        "unsecuredPaths": "/liveness"
       }
     },
     "exec-agent/ws": {
@@ -21,7 +21,7 @@
       "path": "/connect",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/liveness"
+        "unsecuredPaths": "/liveness"
       }
     }
   }
diff --git a/agents/terminal/src/main/resources/installers/1.0.0/org.eclipse.che.terminal.json b/agents/terminal/src/main/resources/installers/1.0.0/org.eclipse.che.terminal.json
index df45e1aacd5..788a6108583 100644
--- a/agents/terminal/src/main/resources/installers/1.0.0/org.eclipse.che.terminal.json
+++ b/agents/terminal/src/main/resources/installers/1.0.0/org.eclipse.che.terminal.json
@@ -12,7 +12,7 @@
       "path" : "/pty",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/liveness"
+        "unsecuredPaths": "/liveness"
       }
     }
   }
diff --git a/agents/terminal/src/main/resources/installers/1.0.1/org.eclipse.che.terminal.json b/agents/terminal/src/main/resources/installers/1.0.1/org.eclipse.che.terminal.json
index e974aae2382..360b4338079 100644
--- a/agents/terminal/src/main/resources/installers/1.0.1/org.eclipse.che.terminal.json
+++ b/agents/terminal/src/main/resources/installers/1.0.1/org.eclipse.che.terminal.json
@@ -12,7 +12,7 @@
       "path" : "/pty",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/liveness"
+        "unsecuredPaths": "/liveness"
       }
     }
   }
diff --git a/wsagent/agent/src/main/resources/installers/1.0.0/org.eclipse.che.ws-agent.json b/wsagent/agent/src/main/resources/installers/1.0.0/org.eclipse.che.ws-agent.json
index a68aea4be2d..a497b410a89 100644
--- a/wsagent/agent/src/main/resources/installers/1.0.0/org.eclipse.che.ws-agent.json
+++ b/wsagent/agent/src/main/resources/installers/1.0.0/org.eclipse.che.ws-agent.json
@@ -15,7 +15,7 @@
       "path" : "/api",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/api/liveness"
+        "unsecuredPaths": "/api/liveness"
       }
     },
     "wsagent/ws": {
@@ -24,7 +24,7 @@
       "path" : "/wsagent",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/api/liveness"
+        "unsecuredPaths": "/api/liveness"
       }
     }
   }
diff --git a/wsagent/agent/src/main/resources/installers/1.0.1/org.eclipse.che.ws-agent.json b/wsagent/agent/src/main/resources/installers/1.0.1/org.eclipse.che.ws-agent.json
index c8c5332fd36..509ffda07d5 100644
--- a/wsagent/agent/src/main/resources/installers/1.0.1/org.eclipse.che.ws-agent.json
+++ b/wsagent/agent/src/main/resources/installers/1.0.1/org.eclipse.che.ws-agent.json
@@ -15,7 +15,7 @@
       "path" : "/api",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/api/liveness"
+        "unsecuredPaths": "/api/liveness"
       }
     },
     "wsagent/ws": {
@@ -24,7 +24,7 @@
       "path" : "/wsagent",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/api/liveness"
+        "unsecuredPaths": "/api/liveness"
       }
     },
     "wsagent-debug": {
diff --git a/wsagent/agent/src/main/resources/installers/1.0.2/org.eclipse.che.ws-agent.json b/wsagent/agent/src/main/resources/installers/1.0.2/org.eclipse.che.ws-agent.json
index cb9ef476caa..8064dfd6707 100644
--- a/wsagent/agent/src/main/resources/installers/1.0.2/org.eclipse.che.ws-agent.json
+++ b/wsagent/agent/src/main/resources/installers/1.0.2/org.eclipse.che.ws-agent.json
@@ -15,7 +15,7 @@
       "path" : "/api",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/api/liveness"
+        "unsecuredPaths": "/api/liveness"
       }
     },
     "wsagent/ws": {
@@ -24,7 +24,7 @@
       "path" : "/wsagent",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/api/liveness"
+        "unsecuredPaths": "/api/liveness"
       }
     },
     "wsagent-debug": {
diff --git a/wsagent/agent/src/main/resources/installers/1.0.3/org.eclipse.che.ws-agent.json b/wsagent/agent/src/main/resources/installers/1.0.3/org.eclipse.che.ws-agent.json
index ddef838dc31..fc0567292e0 100644
--- a/wsagent/agent/src/main/resources/installers/1.0.3/org.eclipse.che.ws-agent.json
+++ b/wsagent/agent/src/main/resources/installers/1.0.3/org.eclipse.che.ws-agent.json
@@ -12,7 +12,7 @@
       "path" : "/api",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/api/liveness"
+        "unsecuredPaths": "/api/liveness"
       }
     },
     "wsagent/ws": {
@@ -21,7 +21,7 @@
       "path" : "/wsagent",
       "attributes": {
         "secure": "true",
-        "unsecuredPaths" : "/api/liveness"
+        "unsecuredPaths": "/api/liveness"
       }
     },
     "wsagent-debug": {

From 59b784253bd90c5c240fc725d46291551ce18e69 Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Wed, 18 Jul 2018 14:01:37 +0300
Subject: [PATCH 05/10] fixup! fixup! fixup! fixup! Add exclusions mechanism
 into jwtproxy config builder

---
 .../server/secure/jwtproxy/JwtProxyConfigBuilderTest.java     | 4 ++--
 .../kubernetes/src/test/resources/jwtproxy-confg.yaml         | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilderTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilderTest.java
index dc4b71c6f84..766b084a82e 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilderTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilderTest.java
@@ -10,7 +10,6 @@
  */
 package org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.jwtproxy;
 
-import static java.util.Arrays.asList;
 import static org.testng.Assert.assertEquals;
 
 import java.util.HashSet;
@@ -36,8 +35,9 @@ public void setUp() {
   @Test
   public void shouldBuildJwtProxyConfigInYamlFormat() throws Exception {
     // given
-    Set<String> excludes = new HashSet<>(asList("/api/liveness"));
+    Set<String> excludes = new HashSet<>();
     jwtProxyConfigBuilder.addVerifierProxy(8080, "http://tomcat:8080", new HashSet<>(excludes));
+    excludes.add("/api/liveness");
     excludes.add("/other/exclude");
     jwtProxyConfigBuilder.addVerifierProxy(4101, "ws://terminal:4101", new HashSet<>(excludes));
 
diff --git a/infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml b/infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml
index 5aa751dee19..2b4dd963b1a 100644
--- a/infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml
+++ b/infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml
@@ -18,8 +18,6 @@ jwtproxy:
           iss: wsmaster
       nonce_storage:
         type: void
-      excludes:
-      - /api/liveness
   - listen_addr: :4101
     verifier:
       upstream: ws://terminal:4101/

From be73f08af2e97fcb49b7e24c135c108069301d26 Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Wed, 18 Jul 2018 17:39:46 +0300
Subject: [PATCH 06/10] Add test export

---
 deploy/openshift/ocp.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/deploy/openshift/ocp.sh b/deploy/openshift/ocp.sh
index 5ced2bb97c0..d66993eb469 100755
--- a/deploy/openshift/ocp.sh
+++ b/deploy/openshift/ocp.sh
@@ -76,6 +76,8 @@ export KEYCLOAK_USER=${KEYCLOAK_USER:-${DEFAULT_KEYCLOAK_USER}}
 
 DEFAULT_KEYCLOAK_PASSWORD=admin
 export KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD:-${DEFAULT_KEYCLOAK_PASSWORD}}
+
+export CHE_SERVER_SECURE__EXPOSER=jwtproxy
 }
 
 test_dns_provider() {

From ad1ba95faba5f9a331ee7d96e33b80ab548a8584 Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Thu, 19 Jul 2018 13:44:34 +0300
Subject: [PATCH 07/10] Add Bearer token prefix for project service requests in
 selenium

---
 .../core/client/TestProjectServiceClient.java | 23 +++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/selenium/che-selenium-core/src/main/java/org/eclipse/che/selenium/core/client/TestProjectServiceClient.java b/selenium/che-selenium-core/src/main/java/org/eclipse/che/selenium/core/client/TestProjectServiceClient.java
index 97d93e4999b..3a7a99107cb 100644
--- a/selenium/che-selenium-core/src/main/java/org/eclipse/che/selenium/core/client/TestProjectServiceClient.java
+++ b/selenium/che-selenium-core/src/main/java/org/eclipse/che/selenium/core/client/TestProjectServiceClient.java
@@ -38,6 +38,8 @@
  */
 @Singleton
 public class TestProjectServiceClient {
+
+  private static final String BEARER_TOKEN_PREFIX = "Bearer ";
   private final TestMachineServiceClient machineServiceClient;
   private final HttpJsonRequestFactory requestFactory;
   private final TestWorkspaceAgentApiEndpointUrlProvider workspaceAgentApiEndpointUrlProvider;
@@ -64,7 +66,8 @@ public void setProjectType(String workspaceId, String template, String projectNa
     requestFactory
         .fromUrl(workspaceAgentApiEndpointUrlProvider.get(workspaceId) + "project/" + projectName)
         .usePutMethod()
-        .setAuthorizationHeader(machineServiceClient.getMachineApiToken(workspaceId))
+        .setAuthorizationHeader(
+            BEARER_TOKEN_PREFIX + machineServiceClient.getMachineApiToken(workspaceId))
         .setBody(project)
         .request();
   }
@@ -73,7 +76,8 @@ public void setProjectType(String workspaceId, String template, String projectNa
   public void deleteResource(String workspaceId, String path) throws Exception {
     requestFactory
         .fromUrl(workspaceAgentApiEndpointUrlProvider.get(workspaceId) + "project/" + path)
-        .setAuthorizationHeader(machineServiceClient.getMachineApiToken(workspaceId))
+        .setAuthorizationHeader(
+            BEARER_TOKEN_PREFIX + machineServiceClient.getMachineApiToken(workspaceId))
         .useDeleteMethod()
         .request();
   }
@@ -82,7 +86,8 @@ public void createFolder(String workspaceId, String folder) throws Exception {
     String url = workspaceAgentApiEndpointUrlProvider.get(workspaceId) + "project/folder/" + folder;
     requestFactory
         .fromUrl(url)
-        .setAuthorizationHeader(machineServiceClient.getMachineApiToken(workspaceId))
+        .setAuthorizationHeader(
+            BEARER_TOKEN_PREFIX + machineServiceClient.getMachineApiToken(workspaceId))
         .usePostMethod()
         .request();
   }
@@ -100,7 +105,8 @@ public void importZipProject(
       httpConnection.setRequestMethod("POST");
       httpConnection.setRequestProperty("Content-Type", "application/zip");
       httpConnection.addRequestProperty(
-          "Authorization", machineServiceClient.getMachineApiToken(workspaceId));
+          "Authorization",
+          BEARER_TOKEN_PREFIX + machineServiceClient.getMachineApiToken(workspaceId));
       httpConnection.setDoOutput(true);
 
       try (OutputStream outputStream = httpConnection.getOutputStream()) {
@@ -156,7 +162,8 @@ public void createFileInProject(
       httpConnection.setRequestMethod("POST");
       httpConnection.setRequestProperty("Content-Type", "text/plain");
       httpConnection.addRequestProperty(
-          "Authorization", machineServiceClient.getMachineApiToken(workspaceId));
+          "Authorization",
+          BEARER_TOKEN_PREFIX + machineServiceClient.getMachineApiToken(workspaceId));
       httpConnection.setDoOutput(true);
       try (OutputStream output = httpConnection.getOutputStream()) {
         output.write(content.getBytes("UTF-8"));
@@ -178,7 +185,8 @@ public ProjectConfigDto getFirstProject(String workspaceId) throws Exception {
     String apiUrl = workspaceAgentApiEndpointUrlProvider.get(workspaceId) + "project";
     return requestFactory
         .fromUrl(apiUrl)
-        .setAuthorizationHeader(machineServiceClient.getMachineApiToken(workspaceId))
+        .setAuthorizationHeader(
+            BEARER_TOKEN_PREFIX + machineServiceClient.getMachineApiToken(workspaceId))
         .request()
         .asList(ProjectConfigDto.class)
         .get(0);
@@ -195,7 +203,8 @@ public void updateFile(String workspaceId, String pathToFile, String content) th
       httpConnection.setRequestMethod("PUT");
       httpConnection.setRequestProperty("Content-Type", "text/plain");
       httpConnection.addRequestProperty(
-          "Authorization", machineServiceClient.getMachineApiToken(workspaceId));
+          "Authorization",
+          BEARER_TOKEN_PREFIX + machineServiceClient.getMachineApiToken(workspaceId));
       httpConnection.setDoOutput(true);
 
       try (OutputStream output = httpConnection.getOutputStream()) {

From fd18704baea55aaa6eed3a64c4d61ae576c843c2 Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Fri, 20 Jul 2018 17:20:20 +0300
Subject: [PATCH 08/10] Fix header for app saving state request

---
 .../eclipse/che/ide/statepersistance/AppStateSyncWriter.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ide/che-core-ide-app/src/main/java/org/eclipse/che/ide/statepersistance/AppStateSyncWriter.java b/ide/che-core-ide-app/src/main/java/org/eclipse/che/ide/statepersistance/AppStateSyncWriter.java
index 7233312ff7b..6f0cef41863 100644
--- a/ide/che-core-ide-app/src/main/java/org/eclipse/che/ide/statepersistance/AppStateSyncWriter.java
+++ b/ide/che-core-ide-app/src/main/java/org/eclipse/che/ide/statepersistance/AppStateSyncWriter.java
@@ -52,7 +52,7 @@ private native void sendSyncRequest(String url, String machineToken, String json
                     var request = new XMLHttpRequest();
                     request.open("POST", url, false);
                     request.setRequestHeader("Content-Type", "application/json");
-                    request.setRequestHeader("Authorization", machineToken);
+                    request.setRequestHeader("Authorization", "Bearer " + machineToken);
                     request.send(json);
                 } catch (e) {
                     console.error(e);

From 1cdd964fa33cea17892b081de341e3df31c5ede4 Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Tue, 24 Jul 2018 10:52:34 +0300
Subject: [PATCH 09/10] Disable jwtproxy auth before merge

---
 deploy/openshift/ocp.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/deploy/openshift/ocp.sh b/deploy/openshift/ocp.sh
index d66993eb469..25a8b52a835 100755
--- a/deploy/openshift/ocp.sh
+++ b/deploy/openshift/ocp.sh
@@ -77,7 +77,6 @@ export KEYCLOAK_USER=${KEYCLOAK_USER:-${DEFAULT_KEYCLOAK_USER}}
 DEFAULT_KEYCLOAK_PASSWORD=admin
 export KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD:-${DEFAULT_KEYCLOAK_PASSWORD}}
 
-export CHE_SERVER_SECURE__EXPOSER=jwtproxy
 }
 
 test_dns_provider() {

From eb0a8e226aed71e1ef94c53ebdc9fdc16bfcbe7f Mon Sep 17 00:00:00 2001
From: Max Shaposhnik <mshaposh@redhat.com>
Date: Tue, 24 Jul 2018 10:53:24 +0300
Subject: [PATCH 10/10] fixup! Disable jwtproxy auth before merge

---
 deploy/openshift/ocp.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/deploy/openshift/ocp.sh b/deploy/openshift/ocp.sh
index 25a8b52a835..5ced2bb97c0 100755
--- a/deploy/openshift/ocp.sh
+++ b/deploy/openshift/ocp.sh
@@ -76,7 +76,6 @@ export KEYCLOAK_USER=${KEYCLOAK_USER:-${DEFAULT_KEYCLOAK_USER}}
 
 DEFAULT_KEYCLOAK_PASSWORD=admin
 export KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD:-${DEFAULT_KEYCLOAK_PASSWORD}}
-
 }
 
 test_dns_provider() {