[keycloak-dev] Rest Service authentication.

Bill Burke bburke at redhat.com
Tue Jan 20 09:13:44 EST 2015 

You still need to set up servlet security though and all the security 
constraints.  Set up your security constraints to be very broad, i.e. 
"*", then use @RolesAllowed within your EJBs.

On 1/20/2015 8:15 AM, Juan Escot wrote:
> Yes, I already have created it. I'm using Jboss EAP 6.3. I have
> installed the adapter. But I have found a difference between adapter
> installation in Keycloak 1.0.4.Final and 1.1.0.beta2.
>
> I'm using 1.0.4.Final and I add this line (as described at for Jboss EAP
> at
> http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation
> ):
> <extension module="org.keycloak.keycloak-as7-subsystem"/>
>
> In 1.1.0.beta2 this configuration seems to be only for AS7. Should I use
> this? If I try it, I get an error (JBAS014674 module cannot be loaded)
> <extension module="org.keycloak.keycloak-subsystem"/>
>
> All changes made at my standalone.xml are:
>
> <extensions>
> <extension module="org.keycloak.keycloak-as7-subsystem"/>
> ...
> </extensions>
> ...
> <security-domains>
> <security-domain name="keycloak">
> <authentication>
> <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
> flag="required"/>
> </authentication>
> </security-domain>
> ...
> </security-domains>
>
> Do you think is a configuration problem? Do any of my attemps to get
> user information should work? Which one?
>
> Regards,
> Juan Escot
>
>
>
>
> 2015-01-20 12:41 GMT+01:00 Stian Thorgersen <stian at redhat.com
> <mailto:stian at redhat.com>>:
>
>     For the security context to propagate to EJBs you need to create a
>     shared security domain, see
>     http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation
>
>     ----- Original Message -----
>      > From: "Juan Escot" <juan.escot at cdtec.es <mailto:juan.escot at cdtec.es>>
>      > To: keycloak-dev at lists.jboss.org
>     <mailto:keycloak-dev at lists.jboss.org>
>      > Sent: Tuesday, 20 January, 2015 11:46:36 AM
>      > Subject: [keycloak-dev] Rest Service authentication.
>      >
>      > Hi,
>      > I'm developing an application with AngularJS and Rest Services.
>     I'm using
>      > Keycloak for authentication and role management.
>      >
>      > Mi Angular project is registered as 'confidential' and work's
>     fine. It
>      > refresh tokens and sends it on header like this:
>     'Authorization:Bearer
>      > eyJhbGciOiJSUzI1Ni...'
>      >
>      > Mi java project is defined as 'bearer only' and it's developed
>     with Java EJBs
>      > as Rest Services. I need more control over permissions and roles,
>     so I don't
>      > want to secure my project with security-contraints at web.xml.
>     I'd like to
>      > get user info and roles inside my Rest methods from token
>     received. I have
>      > checked I received the token with this line:
>      >
>      > String token = request.getHeader("authorization");
>      >
>      > But, I can't get any additional information about user. I have tried
>      > different approaches but I can't fin a solution. Could I have a
>     Keycloak
>      > object with user info?.
>      >
>      > This is a fragment of my code with all my attemps:
>      >
>      > @Stateless
>      > @LocalBean
>      > @Path("/promociones")
>      > @SecurityDomain("keycloak")
>      > public class PromocionRest {
>      > @Context
>      > HttpServletRequest request;
>      > @Context
>      > SecurityContext securityContext;
>      > @Resource
>      > SessionContext sc;
>      > @GET
>      > @Produces("application/json")
>      > @Path("/list")
>      > //@RolesAllowed({ "user" }) <-- If I use this annotation y get an
>     error.
>      > @PermitAll
>      > public RespuestaListaBase<Promocion> listadoPromociones(...){
>      > KeycloakPrincipal principal =
>      > (KeycloakPrincipal)securityContext.getUserPrincipal();
>      > KeycloakSecurityContext session = (KeycloakSecurityContext)
>      > request.getAttribute(KeycloakSecurityContext.class.getName());
>      > if (sc!=null && sc.getCallerPrincipal()!=null){
>      > System.out.println("Principal's name according to EJB: " +
>      > sc.getCallerPrincipal().getName());
>      > }
>      >
>      > System.out.println("Is user in role 'user'? " +
>      > request.isUserInRole("user"));
>      >
>      > String token = request.getHeader("authorization");
>      > HttpClient client = new
>     HttpClientBuilder().disableTrustManager().build();
>      > try {
>      > String url = request.getRequestURL().toString();
>      > url = url.substring(0, url.indexOf('/', 8));
>      > HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
>      > get.addHeader("Authorization", "Bearer " + token);
>      > try {
>      > HttpResponse response = client.execute(get);
>      > if (response.getStatusLine().getStatusCode() != 200) {
>      > //throw new Failure(response.getStatusLine().getStatusCode());
>      > }
>      > HttpEntity entity = response.getEntity();
>      > InputStream is = entity.getContent();
>      >
>      > } catch (IOException e) {
>      > throw new RuntimeException(e);
>      > }
>      > } finally {
>      > client.getConnectionManager().shutdown();
>      > }
>      > }
>      > }
>      >
>      > I also have configured jboss-web.xml like this:
>      > <jboss-web>
>      > <security-domain>keycloak</security-domain>
>      > </jboss-web>
>      >
>      > And web.xml like this:
>      > <login-config>
>      > <auth-method>KEYCLOAK</auth-method>
>      > <realm-name>demo</realm-name>
>      > </login-config>
>      >
>      > <security-role>
>      > <role-name>user</role-name>
>      > </security-role>
>      >
>      > Some notes about the code:
>      > - KeycloakPrincipal principal =
>      > (KeycloakPrincipal)securityContext.getUserPrincipal(); <--
>     principal is
>      > always null
>      > - KeycloakSecurityContext session = (KeycloakSecurityContext)
>      > request.getAttribute(KeycloakSecurityContext.class.getName());
>     <-- session
>      > is always null
>      > - sc.getCallerPrincipal().getName() <-- returns 'anonymous', so
>     it seems it
>      > isn't taking security-domain?
>      > - request.isUserInRole("user") <-- returns null
>      > - HttpResponse response = client.execute(get) <-- throws an
>     exception:
>      > org.jboss.resteasy.spi.UnauthorizedException: Bearer
>      > - If I use @RolesAllowed({ "user" }) annotation I get this error:
>     JBAS014502:
>      > The invocation is not allowed in the method
>      > - String token = request.getHeader("authorization"); <-- I get
>      > 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
>      >
>      > I suppose i'm doing it wrong, but I don't know what is the
>     correct form.
>      > Could I get user information from token received?
>      >
>      > Thanks in advance,
>      > Juan Escot
>      >
>      > _______________________________________________
>      > keycloak-dev mailing list
>      > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>      > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-dev mailing list