[keycloak-dev] Rest Service authentication.
Bill Burke
bburke at redhat.com
Thu Jan 22 08:56:26 EST 2015
Now you have to write an exception mapper for EJBException :) EJB layer
is throwing exception, JAX-RS sees an unkown exception, so it sends off
a 500.
On 1/22/2015 7:39 AM, Juan Escot wrote:
> Thanks for your answer. Once I have configured correctly the servlet, I
> can use @RolesAllowed on my EJBs. KeycloakPrincipal
> and KeycloakSecurityContext are now filled.
>
> But now, I have a new issue. When users haven't permissions, jboss
> server is returning 500 (Internal Server Error) error code. Exact error
> is this:
> javax.ejb.ejbaccessexception: jbas014502: invocation on method: public
> xxxx is not allowed.
>
> I think it should return 403 (Forbidden) or 401 (Unauthorized), isn't
> it? Is this behavior correct? Is it a JBoss or Keycloak issue? Is it
> possible to configure status code returned?
>
>
> 2015-01-20 15:13 GMT+01:00 Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>>:
>
> You still need to set up servlet security though and all the security
> constraints. Set up your security constraints to be very broad, i.e.
> "*", then use @RolesAllowed within your EJBs.
>
> On 1/20/2015 8:15 AM, Juan Escot wrote:
> > Yes, I already have created it. I'm using Jboss EAP 6.3. I have
> > installed the adapter. But I have found a difference between adapter
> > installation in Keycloak 1.0.4.Final and 1.1.0.beta2.
> >
> > I'm using 1.0.4.Final and I add this line (as described at for
> Jboss EAP
> > at
> >
> http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation
> > ):
> > <extension module="org.keycloak.keycloak-as7-subsystem"/>
> >
> > In 1.1.0.beta2 this configuration seems to be only for AS7.
> Should I use
> > this? If I try it, I get an error (JBAS014674 module cannot be
> loaded)
> > <extension module="org.keycloak.keycloak-subsystem"/>
> >
> > All changes made at my standalone.xml are:
> >
> > <extensions>
> > <extension module="org.keycloak.keycloak-as7-subsystem"/>
> > ...
> > </extensions>
> > ...
> > <security-domains>
> > <security-domain name="keycloak">
> > <authentication>
> > <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
> > flag="required"/>
> > </authentication>
> > </security-domain>
> > ...
> > </security-domains>
> >
> > Do you think is a configuration problem? Do any of my attemps to get
> > user information should work? Which one?
> >
> > Regards,
> > Juan Escot
> >
> >
> >
> >
> > 2015-01-20 12:41 GMT+01:00 Stian Thorgersen <stian at redhat.com
> <mailto:stian at redhat.com>
> > <mailto:stian at redhat.com <mailto:stian at redhat.com>>>:
> >
> > For the security context to propagate to EJBs you need to
> create a
> > shared security domain, see
> >
> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation
> >
> > ----- Original Message -----
> > > From: "Juan Escot" <juan.escot at cdtec.es
> <mailto:juan.escot at cdtec.es> <mailto:juan.escot at cdtec.es
> <mailto:juan.escot at cdtec.es>>>
> > > To: keycloak-dev at lists.jboss.org
> <mailto:keycloak-dev at lists.jboss.org>
> > <mailto:keycloak-dev at lists.jboss.org
> <mailto:keycloak-dev at lists.jboss.org>>
> > > Sent: Tuesday, 20 January, 2015 11:46:36 AM
> > > Subject: [keycloak-dev] Rest Service authentication.
> > >
> > > Hi,
> > > I'm developing an application with AngularJS and Rest
> Services.
> > I'm using
> > > Keycloak for authentication and role management.
> > >
> > > Mi Angular project is registered as 'confidential' and work's
> > fine. It
> > > refresh tokens and sends it on header like this:
> > 'Authorization:Bearer
> > > eyJhbGciOiJSUzI1Ni...'
> > >
> > > Mi java project is defined as 'bearer only' and it's developed
> > with Java EJBs
> > > as Rest Services. I need more control over permissions and
> roles,
> > so I don't
> > > want to secure my project with security-contraints at web.xml.
> > I'd like to
> > > get user info and roles inside my Rest methods from token
> > received. I have
> > > checked I received the token with this line:
> > >
> > > String token = request.getHeader("authorization");
> > >
> > > But, I can't get any additional information about user. I
> have tried
> > > different approaches but I can't fin a solution. Could I
> have a
> > Keycloak
> > > object with user info?.
> > >
> > > This is a fragment of my code with all my attemps:
> > >
> > > @Stateless
> > > @LocalBean
> > > @Path("/promociones")
> > > @SecurityDomain("keycloak")
> > > public class PromocionRest {
> > > @Context
> > > HttpServletRequest request;
> > > @Context
> > > SecurityContext securityContext;
> > > @Resource
> > > SessionContext sc;
> > > @GET
> > > @Produces("application/json")
> > > @Path("/list")
> > > //@RolesAllowed({ "user" }) <-- If I use this annotation y
> get an
> > error.
> > > @PermitAll
> > > public RespuestaListaBase<Promocion> listadoPromociones(...){
> > > KeycloakPrincipal principal =
> > > (KeycloakPrincipal)securityContext.getUserPrincipal();
> > > KeycloakSecurityContext session = (KeycloakSecurityContext)
> > > request.getAttribute(KeycloakSecurityContext.class.getName());
> > > if (sc!=null && sc.getCallerPrincipal()!=null){
> > > System.out.println("Principal's name according to EJB: " +
> > > sc.getCallerPrincipal().getName());
> > > }
> > >
> > > System.out.println("Is user in role 'user'? " +
> > > request.isUserInRole("user"));
> > >
> > > String token = request.getHeader("authorization");
> > > HttpClient client = new
> > HttpClientBuilder().disableTrustManager().build();
> > > try {
> > > String url = request.getRequestURL().toString();
> > > url = url.substring(0, url.indexOf('/', 8));
> > > HttpGet get = new HttpGet(url +
> "/auth/admin/realms/demo/roles");
> > > get.addHeader("Authorization", "Bearer " + token);
> > > try {
> > > HttpResponse response = client.execute(get);
> > > if (response.getStatusLine().getStatusCode() != 200) {
> > > //throw new Failure(response.getStatusLine().getStatusCode());
> > > }
> > > HttpEntity entity = response.getEntity();
> > > InputStream is = entity.getContent();
> > >
> > > } catch (IOException e) {
> > > throw new RuntimeException(e);
> > > }
> > > } finally {
> > > client.getConnectionManager().shutdown();
> > > }
> > > }
> > > }
> > >
> > > I also have configured jboss-web.xml like this:
> > > <jboss-web>
> > > <security-domain>keycloak</security-domain>
> > > </jboss-web>
> > >
> > > And web.xml like this:
> > > <login-config>
> > > <auth-method>KEYCLOAK</auth-method>
> > > <realm-name>demo</realm-name>
> > > </login-config>
> > >
> > > <security-role>
> > > <role-name>user</role-name>
> > > </security-role>
> > >
> > > Some notes about the code:
> > > - KeycloakPrincipal principal =
> > > (KeycloakPrincipal)securityContext.getUserPrincipal(); <--
> > principal is
> > > always null
> > > - KeycloakSecurityContext session = (KeycloakSecurityContext)
> > > request.getAttribute(KeycloakSecurityContext.class.getName());
> > <-- session
> > > is always null
> > > - sc.getCallerPrincipal().getName() <-- returns
> 'anonymous', so
> > it seems it
> > > isn't taking security-domain?
> > > - request.isUserInRole("user") <-- returns null
> > > - HttpResponse response = client.execute(get) <-- throws an
> > exception:
> > > org.jboss.resteasy.spi.UnauthorizedException: Bearer
> > > - If I use @RolesAllowed({ "user" }) annotation I get this
> error:
> > JBAS014502:
> > > The invocation is not allowed in the method
> > > - String token = request.getHeader("authorization"); <-- I get
> > > 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
> > >
> > > I suppose i'm doing it wrong, but I don't know what is the
> > correct form.
> > > Could I get user information from token received?
> > >
> > > Thanks in advance,
> > > Juan Escot
> > >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> <mailto:keycloak-dev at lists.jboss.org>
> <mailto:keycloak-dev at lists.jboss.org
> <mailto:keycloak-dev at lists.jboss.org>>
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list