[keycloak-dev] Rest Service authentication.

Stian Thorgersen stian at redhat.com
Tue Jan 20 06:41:28 EST 2015


For the security context to propagate to EJBs you need to create a shared security domain, see http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation

----- Original Message -----
> From: "Juan Escot" <juan.escot at cdtec.es>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 20 January, 2015 11:46:36 AM
> Subject: [keycloak-dev] Rest Service authentication.
> 
> Hi,
> I'm developing an application with AngularJS and Rest Services. I'm using
> Keycloak for authentication and role management.
> 
> My Angular project is registered as 'confidential' and works fine. It
> refreshes tokens and sends them in a header like this: 'Authorization:Bearer
> eyJhbGciOiJSUzI1Ni...'
> 
> My Java project is defined as 'bearer only' and it's developed with Java EJBs
> as Rest Services. I need more control over permissions and roles, so I don't
> want to secure my project with security-constraints at web.xml. I'd like to
> get user info and roles inside my Rest methods from the token received. I have
> checked that I receive the token with this line:
> 
> String token = request.getHeader("authorization");
> 
> But I can't get any additional information about the user. I have tried
> different approaches but I can't find a solution. Could I have a Keycloak
> object with user info?
> 
> This is a fragment of my code with all my attempts:
> 
> @Stateless
> @LocalBean
> @Path("/promociones")
> @SecurityDomain("keycloak")
> public class PromocionRest {
>     @Context
>     HttpServletRequest request;
>     @Context
>     SecurityContext securityContext;
>     @Resource
>     SessionContext sc;
> 
>     @GET
>     @Produces("application/json")
>     @Path("/list")
>     //@RolesAllowed({ "user" }) <-- If I use this annotation I get an error.
>     @PermitAll
>     public RespuestaListaBase<Promocion> listadoPromociones(...){
>         KeycloakPrincipal principal =
>             (KeycloakPrincipal)securityContext.getUserPrincipal();
>         KeycloakSecurityContext session = (KeycloakSecurityContext)
>             request.getAttribute(KeycloakSecurityContext.class.getName());
>         if (sc!=null && sc.getCallerPrincipal()!=null){
>             System.out.println("Principal's name according to EJB: " +
>                 sc.getCallerPrincipal().getName());
>         }
> 
>         System.out.println("Is user in role 'user'? " +
>             request.isUserInRole("user"));
> 
>         String token = request.getHeader("authorization");
>         HttpClient client = new HttpClientBuilder().disableTrustManager().build();
>         try {
>             String url = request.getRequestURL().toString();
>             url = url.substring(0, url.indexOf('/', 8));
>             HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
>             get.addHeader("Authorization", "Bearer " + token);
>             try {
>                 HttpResponse response = client.execute(get);
>                 if (response.getStatusLine().getStatusCode() != 200) {
>                     //throw new Failure(response.getStatusLine().getStatusCode());
>                 }
>                 HttpEntity entity = response.getEntity();
>                 InputStream is = entity.getContent();
> 
>             } catch (IOException e) {
>                 throw new RuntimeException(e);
>             }
>         } finally {
>             client.getConnectionManager().shutdown();
>         }
>     }
> }
> 
> I also have configured jboss-web.xml like this:
> <jboss-web>
> <security-domain>keycloak</security-domain>
> </jboss-web>
> 
> And web.xml like this:
> <login-config>
> <auth-method>KEYCLOAK</auth-method>
> <realm-name>demo</realm-name>
> </login-config>
> 
> <security-role>
> <role-name>user</role-name>
> </security-role>
> 
> Some notes about the code:
> - KeycloakPrincipal principal =
> (KeycloakPrincipal)securityContext.getUserPrincipal(); <-- principal is
> always null
> - KeycloakSecurityContext session = (KeycloakSecurityContext)
> request.getAttribute(KeycloakSecurityContext.class.getName()); <-- session
> is always null
> - sc.getCallerPrincipal().getName() <-- returns 'anonymous', so it seems it
> isn't taking security-domain?
> - request.isUserInRole("user") <-- returns null
> - HttpResponse response = client.execute(get) <-- throws an exception:
> org.jboss.resteasy.spi.UnauthorizedException: Bearer
> - If I use @RolesAllowed({ "user" }) annotation I get this error: JBAS014502:
> The invocation is not allowed in the method
> - String token = request.getHeader("authorization"); <-- I get
> 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
> 
> I suppose I'm doing it wrong, but I don't know what the correct form is.
> Could I get user information from the token received?
> 
> Thanks in advance,
> Juan Escot
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
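As an added illustration of the approach Stian points at (it is not code from the thread or from the Keycloak project), the JAX-RS resource below reads the user identity and roles straight from the `KeycloakSecurityContext` that the bearer-only adapter stores on the request after it has verified the token, instead of calling the admin REST API with the caller's token. The `@RolesAllowed` method only works once the `keycloak` security domain referenced by `@SecurityDomain` and `jboss-web.xml` also exists as a shared domain in the server configuration, because that annotation is enforced by the EJB container against the EJB caller principal. The resource path `/whoami` and the client id `my-rest-client` are assumptions chosen for the example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Stateless
@Path("/whoami")              // assumed path for this example
@SecurityDomain("keycloak")   // must match jboss-web.xml and the shared domain in standalone.xml
public class WhoAmIRest {

    @Context
    HttpServletRequest request;

    @Context
    SecurityContext securityContext;

    /**
     * Locate the context the Keycloak adapter attaches once it has verified the
     * bearer token. Returns null when the request never passed through the adapter.
     */
    static KeycloakSecurityContext keycloakContext(HttpServletRequest req, SecurityContext sc) {
        Object attr = req.getAttribute(KeycloakSecurityContext.class.getName());
        if (attr instanceof KeycloakSecurityContext) {
            return (KeycloakSecurityContext) attr;
        }
        // The adapter also installs a KeycloakPrincipal as the user principal.
        if (sc != null && sc.getUserPrincipal() instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal<?>) sc.getUserPrincipal()).getKeycloakSecurityContext();
        }
        return null;
    }

    /** Realm roles carried in the token; empty when the token has no realm_access claim. */
    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access access = token.getRealmAccess();
        return access == null ? Collections.<String>emptySet() : access.getRoles();
    }

    /** Client (resource) roles for one client id; empty when the token has none for it. */
    static Set<String> clientRoles(AccessToken token, String clientId) {
        AccessToken.Access access = token.getResourceAccess(clientId);
        return access == null ? Collections.<String>emptySet() : access.getRoles();
    }

    @GET
    @Produces("application/json")
    public Response whoAmI() {
        KeycloakSecurityContext ctx = keycloakContext(request, securityContext);
        if (ctx == null) {
            // No verified token on this request: missing/invalid Authorization header,
            // or the adapter is not active for the deployment. Never fall back to
            // parsing the raw header yourself, since that would skip signature checks.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        AccessToken token = ctx.getToken();
        if (token.isExpired()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        Map<String, Object> info = new HashMap<String, Object>();
        info.put("username", token.getPreferredUsername());
        info.put("subject", token.getSubject());
        info.put("realmRoles", realmRoles(token));
        info.put("clientRoles", clientRoles(token, "my-rest-client")); // assumed client id
        info.put("isUser", realmRoles(token).contains("user"));
        return Response.ok(info).build();
    }

    @GET
    @Path("/admin-only")
    @RolesAllowed("admin")   // enforced by the EJB container via the shared security domain
    @Produces("text/plain")
    public Response adminOnly() {
        return Response.ok("admin").build();
    }
}
```

With the adapter active, a request carrying `Authorization: Bearer <token>` reaches `whoAmI()` with the attribute populated and the roles come from the already-verified token, so no second round trip to the server is needed. If `keycloakContext` returns null for a request that does carry a token, the deployment is not being handled by the adapter at all (check `auth-method` in `web.xml` and the adapter's keycloak.json); if only `adminOnly()` fails with JBAS014502, the missing piece is the shared security domain in the server configuration.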

