<div dir="ltr">Yes, I already have created it. I'm using Jboss EAP 6.3. I have installed the adapter. But I have found a difference between adapter installation in Keycloak 1.0.4.Final and 1.1.0.beta2.<div><br></div><div>I'm using 1.0.4.Final and I add this line (as described at for Jboss EAP at <a href="http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation">http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation</a> ):</div><div><extension module="org.keycloak.keycloak-as7-subsystem"/></div><div><br></div><div>In 1.1.0.beta2 this configuration seems to be only for AS7. Should I use this? If I try it, I get an error (JBAS014674 module cannot be loaded)</div><div><extension module="org.keycloak.keycloak-subsystem"/></div><div><br></div><div>All changes made at my standalone.xml are:<br></div><div><div><br></div><div><extensions></div><div><span class="" style="white-space:pre"> </span><extension module="org.keycloak.keycloak-as7-subsystem"/></div><div><span class="" style="white-space:pre"> </span>...</div><div></extensions></div><div>...</div><div><security-domains></div><div><span class="" style="white-space:pre"> </span><security-domain name="keycloak"></div><div><span class="" style="white-space:pre"> </span><authentication></div><div><span class="" style="white-space:pre"> </span><login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/></div><div><span class="" style="white-space:pre"> </span></authentication></div><div><span class="" style="white-space:pre"> </span></security-domain></div><div><span class="" style="white-space:pre"> </span>...</div><div></security-domains><span class="" style="white-space:pre"> </span></div></div><div><span class="" style="white-space:pre"><br></span></div><div><span class="" style="white-space:pre">Do you think is a configuration problem? Do any of my attemps to get user information should work? Which one?</span></div><div><br></div><div><span style="white-space:pre">Regards,</span></div><div><span style="white-space:pre">Juan Escot</span></div><div><br></div><div><br></div><div><br><div class="gmail_extra"><br><div class="gmail_quote">2015-01-20 12:41 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">For the security context to propagate to EJBs you need to create a shared security domain, see <a href="http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation" target="_blank">http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation</a><br>
<br>
----- Original Message -----<br>
> From: "Juan Escot" <<a href="mailto:juan.escot@cdtec.es">juan.escot@cdtec.es</a>><br>
> To: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> Sent: Tuesday, 20 January, 2015 11:46:36 AM<br>
> Subject: [keycloak-dev] Rest Service authentication.<br>
><br>
> Hi,<br>
> I'm developing an application with AngularJS and Rest Services. I'm using<br>
> Keycloak for authentication and role management.<br>
><br>
> Mi Angular project is registered as 'confidential' and work's fine. It<br>
> refresh tokens and sends it on header like this: 'Authorization:Bearer<br>
> eyJhbGciOiJSUzI1Ni...'<br>
><br>
> Mi java project is defined as 'bearer only' and it's developed with Java EJBs<br>
> as Rest Services. I need more control over permissions and roles, so I don't<br>
> want to secure my project with security-contraints at web.xml. I'd like to<br>
> get user info and roles inside my Rest methods from token received. I have<br>
> checked I received the token with this line:<br>
><br>
> String token = request.getHeader("authorization");<br>
><br>
> But, I can't get any additional information about user. I have tried<br>
> different approaches but I can't fin a solution. Could I have a Keycloak<br>
> object with user info?.<br>
><br>
> This is a fragment of my code with all my attemps:<br>
><br>
> @Stateless<br>
> @LocalBean<br>
> @Path("/promociones")<br>
> @SecurityDomain("keycloak")<br>
> public class PromocionRest {<br>
> @Context<br>
> HttpServletRequest request;<br>
> @Context<br>
> SecurityContext securityContext;<br>
> @Resource<br>
> SessionContext sc;<br>
> @GET<br>
> @Produces("application/json")<br>
> @Path("/list")<br>
> //@RolesAllowed({ "user" }) <-- If I use this annotation y get an error.<br>
> @PermitAll<br>
> public RespuestaListaBase<Promocion> listadoPromociones(...){<br>
> KeycloakPrincipal principal =<br>
> (KeycloakPrincipal)securityContext.getUserPrincipal();<br>
> KeycloakSecurityContext session = (KeycloakSecurityContext)<br>
> request.getAttribute(KeycloakSecurityContext.class.getName());<br>
> if (sc!=null && sc.getCallerPrincipal()!=null){<br>
> System.out.println("Principal's name according to EJB: " +<br>
> sc.getCallerPrincipal().getName());<br>
> }<br>
><br>
> System.out.println("Is user in role 'user'? " +<br>
> request.isUserInRole("user"));<br>
><br>
> String token = request.getHeader("authorization");<br>
> HttpClient client = new HttpClientBuilder().disableTrustManager().build();<br>
> try {<br>
> String url = request.getRequestURL().toString();<br>
> url = url.substring(0, url.indexOf('/', 8));<br>
> HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");<br>
> get.addHeader("Authorization", "Bearer " + token);<br>
> try {<br>
> HttpResponse response = client.execute(get);<br>
> if (response.getStatusLine().getStatusCode() != 200) {<br>
> //throw new Failure(response.getStatusLine().getStatusCode());<br>
> }<br>
> HttpEntity entity = response.getEntity();<br>
> InputStream is = entity.getContent();<br>
><br>
> } catch (IOException e) {<br>
> throw new RuntimeException(e);<br>
> }<br>
> } finally {<br>
> client.getConnectionManager().shutdown();<br>
> }<br>
> }<br>
> }<br>
><br>
> I also have configured jboss-web.xml like this:<br>
> <jboss-web><br>
> <security-domain>keycloak</security-domain><br>
> </jboss-web><br>
><br>
> And web.xml like this:<br>
> <login-config><br>
> <auth-method>KEYCLOAK</auth-method><br>
> <realm-name>demo</realm-name><br>
> </login-config><br>
><br>
> <security-role><br>
> <role-name>user</role-name><br>
> </security-role><br>
><br>
> Some notes about the code:<br>
> - KeycloakPrincipal principal =<br>
> (KeycloakPrincipal)securityContext.getUserPrincipal(); <-- principal is<br>
> always null<br>
> - KeycloakSecurityContext session = (KeycloakSecurityContext)<br>
> request.getAttribute(KeycloakSecurityContext.class.getName()); <-- session<br>
> is always null<br>
> - sc.getCallerPrincipal().getName() <-- returns 'anonymous', so it seems it<br>
> isn't taking security-domain?<br>
> - request.isUserInRole("user") <-- returns null<br>
> - HttpResponse response = client.execute(get) <-- throws an exception:<br>
> org.jboss.resteasy.spi.UnauthorizedException: Bearer<br>
> - If I use @RolesAllowed({ "user" }) annotation I get this error: JBAS014502:<br>
> The invocation is not allowed in the method<br>
> - String token = request.getHeader("authorization"); <-- I get<br>
> 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'<br>
><br>
> I suppose i'm doing it wrong, but I don't know what is the correct form.<br>
> Could I get user information from token received?<br>
><br>
> Thanks in advance,<br>
> Juan Escot<br>
><br>
> _______________________________________________<br>
> keycloak-dev mailing list<br>
> <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div></div></div>