<div dir="ltr"><div>Hi,</div><div>I&#39;m developing an application with AngularJS and REST services. I&#39;m using Keycloak for authentication and role management.</div><div><br></div><div>My Angular project is registered as &#39;confidential&#39; and works fine. It refreshes tokens and sends them in a header like this: &#39;Authorization:Bearer eyJhbGciOiJSUzI1Ni...&#39;</div><div><br></div><div>My Java project is defined as &#39;bearer only&#39; and is developed with Java EJBs as REST services. I need more control over permissions and roles, so I don&#39;t want to secure my project with security-constraints in web.xml. I&#39;d like to get user info and roles inside my REST methods from the token received. I have checked that I receive the token with this line:</div><div><br></div><pre>String token = request.getHeader(&quot;authorization&quot;);</pre><div><br></div><div>But I can&#39;t get any additional information about the user. I have tried different approaches but I can&#39;t find a solution. Could I have a Keycloak object with user info?</div><div><br></div><div>This is a fragment of my code with all my attempts (imports added for completeness; the method parameters are elided as in my original message):</div><div><br></div><pre>import java.io.IOException;
import java.io.InputStream;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.LocalBean;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.HttpClientBuilder;

@Stateless
@LocalBean
@Path(&quot;/promociones&quot;)
@SecurityDomain(&quot;keycloak&quot;)
public class PromocionRest {

    @Context
    HttpServletRequest request;

    @Context
    SecurityContext securityContext;

    @Resource
    SessionContext sc;

    @GET
    @Produces(&quot;application/json&quot;)
    @Path(&quot;/list&quot;)
    //@RolesAllowed({ &quot;user&quot; }) &lt;-- If I use this annotation I get an error.
    @PermitAll
    public RespuestaListaBase&lt;Promocion&gt; listadoPromociones(...) {

        // Attempt 1: principal from the JAX-RS SecurityContext
        KeycloakPrincipal principal = (KeycloakPrincipal) securityContext.getUserPrincipal();

        // Attempt 2: Keycloak security context stored as a request attribute by the adapter
        KeycloakSecurityContext session = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());

        // Attempt 3: caller principal from the EJB SessionContext
        if (sc != null &amp;&amp; sc.getCallerPrincipal() != null) {
            System.out.println(&quot;Principal&#39;s name according to EJB: &quot; + sc.getCallerPrincipal().getName());
        }

        System.out.println(&quot;Is user in role &#39;user&#39;? &quot; + request.isUserInRole(&quot;user&quot;));

        // Attempt 4: forward the received header to the Keycloak admin REST API
        String token = request.getHeader(&quot;authorization&quot;);

        HttpClient client = new HttpClientBuilder().disableTrustManager().build();
        try {
            String url = request.getRequestURL().toString();
            url = url.substring(0, url.indexOf(&#39;/&#39;, 8));

            HttpGet get = new HttpGet(url + &quot;/auth/admin/realms/demo/roles&quot;);
            get.addHeader(&quot;Authorization&quot;, &quot;Bearer &quot; + token);
            try {
                HttpResponse response = client.execute(get);
                if (response.getStatusLine().getStatusCode() != 200) {
                    //throw new Failure(response.getStatusLine().getStatusCode());
                }
                HttpEntity entity = response.getEntity();
                InputStream is = entity.getContent();

            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}</pre><div><br></div><div>I have also configured jboss-web.xml like this:</div><pre>&lt;jboss-web&gt;
    &lt;security-domain&gt;keycloak&lt;/security-domain&gt;
&lt;/jboss-web&gt;</pre><div><br></div><div>And web.xml like this:</div><pre>    &lt;login-config&gt;
        &lt;auth-method&gt;KEYCLOAK&lt;/auth-method&gt;
        &lt;realm-name&gt;demo&lt;/realm-name&gt;
    &lt;/login-config&gt;

    &lt;security-role&gt;
        &lt;role-name&gt;user&lt;/role-name&gt;
    &lt;/security-role&gt;</pre><div><br></div><div>Some notes about the code:</div><div>- KeycloakPrincipal principal = (KeycloakPrincipal)securityContext.getUserPrincipal(); &lt;-- principal is always null</div><div>- KeycloakSecurityContext session = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName()); &lt;-- session is always null</div><div>- sc.getCallerPrincipal().getName() &lt;-- returns &#39;anonymous&#39;, so it seems it isn&#39;t taking the security-domain?</div><div>- request.isUserInRole(&quot;user&quot;) &lt;-- returns null</div><div>- HttpResponse response = client.execute(get) &lt;-- throws an exception: org.jboss.resteasy.spi.UnauthorizedException: Bearer</div><div>- If I use the @RolesAllowed({ &quot;user&quot; }) annotation I get this error: JBAS014502: The invocation is not allowed in the method</div><div>- String token = request.getHeader(&quot;authorization&quot;); &lt;-- I get &#39;Authorization:Bearer eyJhbGciOiJSUzI1Ni...&#39;</div><div><br></div><div>I suppose I&#39;m doing it wrong, but I don&#39;t know what the correct way is. Could I get user information from the received token?</div><div><br></div><div>Thanks in advance,</div><div>Juan Escot</div></div>
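The following is an added example, not the poster's code nor Keycloak's own, of how a JAX-RS method reads the caller's identity and realm roles from the token the Keycloak adapter has already verified, instead of re-reading the raw Authorization header or calling the admin REST API with the caller's token. It assumes the adapter has authenticated the request (so the KeycloakSecurityContext attribute or KeycloakPrincipal is present); the resource name and path are invented.

```java
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Hypothetical resource (not from the original post). The adapter has already
// checked the token signature, issuer and expiry; the method only reads claims.
@Path("/whoami")
public class WhoAmIResource {

    @Context
    HttpServletRequest request;

    // The verified token, or null if the adapter did not authenticate this request.
    static AccessToken verifiedToken(HttpServletRequest req) {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null && req.getUserPrincipal() instanceof KeycloakPrincipal) {
            ctx = ((KeycloakPrincipal<?>) req.getUserPrincipal()).getKeycloakSecurityContext();
        }
        return ctx == null ? null : ctx.getToken();
    }

    // Realm roles carried in the token's realm_access claim; empty if absent.
    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access realm = token.getRealmAccess();
        return realm == null ? Collections.<String>emptySet() : realm.getRoles();
    }

    @GET
    @Produces("text/plain")
    public Response whoAmI() {
        AccessToken token = verifiedToken(request);
        if (token == null) {
            // No verified identity: never fall back to trusting the raw header.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        Set<String> roles = realmRoles(token);
        if (!roles.contains("user")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("user=" + token.getPreferredUsername()
                + " subject=" + token.getSubject() + " realmRoles=" + roles).build();
    }
}
```

Client-level roles are available the same way through `token.getResourceAccess(clientId)`, so a bearer-only service can authorize on either set without a second round trip to the server.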