[keycloak-dev] Rest Service authentication.
Juan Escot
juan.escot at cdtec.es
Tue Jan 20 05:46:36 EST 2015
Hi,
I'm developing an application with AngularJS and REST services. I'm using
Keycloak for authentication and role management.
My Angular project is registered as 'confidential' and works fine. It
refreshes tokens and sends them in a header like this: 'Authorization:Bearer
eyJhbGciOiJSUzI1Ni...'
My Java project is defined as 'bearer only' and it's developed with Java
EJBs as REST services. I need more control over permissions and roles, so I
don't want to secure my project with security-constraints in web.xml. I'd
like to get user info and roles inside my REST methods from the token received.
I have checked that I receive the token with this line:
String token = request.getHeader("authorization");
But I can't get any additional information about the user. I have tried
different approaches but I can't find a solution. Could I have a Keycloak
object with user info?
This is a fragment of my code with all my attempts:
import java.io.IOException;
import java.io.InputStream;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.LocalBean;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.HttpClientBuilder;

@Stateless
@LocalBean
@Path("/promociones")
@SecurityDomain("keycloak")
public class PromocionRest {

    @Context
    HttpServletRequest request;

    @Context
    SecurityContext securityContext;

    @Resource
    SessionContext sc;

    @GET
    @Produces("application/json")
    @Path("/list")
    //@RolesAllowed({ "user" }) <-- If I use this annotation I get an error.
    @PermitAll
    public RespuestaListaBase<Promocion> listadoPromociones(...) {
        // Attempt 1: the principal from the JAX-RS security context.
        KeycloakPrincipal principal =
                (KeycloakPrincipal) securityContext.getUserPrincipal();
        // Attempt 2: the security context the Keycloak adapter stores on the request.
        KeycloakSecurityContext session = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        // Attempt 3: the EJB caller principal.
        if (sc != null && sc.getCallerPrincipal() != null) {
            System.out.println("Principal's name according to EJB: "
                    + sc.getCallerPrincipal().getName());
        }
        System.out.println("Is user in role 'user'? "
                + request.isUserInRole("user"));

        // Attempt 4: forward the bearer token to the Keycloak admin REST API.
        String token = request.getHeader("authorization");
        // The header value already carries the scheme, so strip it here;
        // otherwise the request below goes out as "Bearer Bearer <token>".
        if (token != null && token.regionMatches(true, 0, "Bearer ", 0, 7)) {
            token = token.substring(7).trim();
        }
        HttpClient client = new HttpClientBuilder().disableTrustManager().build();
        try {
            String url = request.getRequestURL().toString();
            url = url.substring(0, url.indexOf('/', 8)); // keep scheme://host[:port]
            HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
            get.addHeader("Authorization", "Bearer " + token);
            try {
                HttpResponse response = client.execute(get);
                if (response.getStatusLine().getStatusCode() != 200) {
                    //throw new Failure(response.getStatusLine().getStatusCode());
                }
                HttpEntity entity = response.getEntity();
                InputStream is = entity.getContent();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
I also have configured jboss-web.xml like this:
<jboss-web>
    <security-domain>keycloak</security-domain>
</jboss-web>
And web.xml like this:
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
Some notes about the code:
- KeycloakPrincipal principal =
(KeycloakPrincipal)securityContext.getUserPrincipal(); <-- principal is
always null
- KeycloakSecurityContext session = (KeycloakSecurityContext)
request.getAttribute(KeycloakSecurityContext.class.getName()); <-- session
is always null
- sc.getCallerPrincipal().getName() <-- returns 'anonymous', so it seems it
isn't taking security-domain?
- request.isUserInRole("user") <-- returns null
- HttpResponse response = client.execute(get) <-- throws an exception:
org.jboss.resteasy.spi.UnauthorizedException: Bearer
- If I use @RolesAllowed({ "user" }) annotation I get this error: JBAS014502:
The invocation is not allowed in the method
- String token = request.getHeader("authorization"); <-- I get
'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
I suppose I'm doing it wrong, but I don't know what the correct form is.
Could I get user information from token received?
Thanks in advance,
Juan Escot
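An added example (not Juan's code and not Keycloak's own) of reading the caller's identity and roles inside the resource method. It assumes the Keycloak adapter has already authenticated the bearer token and stored its KeycloakSecurityContext on the request, reuses the class, path and role names from the message, and fails closed when no verified context is present; a JSON provider for the returned Map is assumed.

```java
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Path("/promociones")
public class PromocionRest {

    @Context
    HttpServletRequest request;

    @GET
    @Path("/list")
    @Produces("application/json")
    public Response listadoPromociones() {
        // The adapter stores the context under this attribute name only after it has
        // verified the token's signature, expiry and issuer. Take identity and roles
        // from here, never from a hand-parsed Authorization header: an unverified JWT
        // payload is attacker-controlled input.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // Fail closed: no verified identity means no data (and no NullPointerException).
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        AccessToken token = ctx.getToken();

        // Realm roles are in the realm_access claim; client roles live under
        // resource_access keyed by client id. Authorize on the role the method needs.
        AccessToken.Access realm = token.getRealmAccess();
        if (realm == null || !realm.isUserInRole("user")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        // Assumption: a JSON provider (e.g. RESTEasy with Jackson) serializes this Map.
        Map<String, Object> body = new HashMap<String, Object>();
        body.put("subject", token.getSubject());
        body.put("username", token.getPreferredUsername());
        body.put("realmRoles", realm.getRoles());
        return Response.ok(body).build();
    }
}
```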