<div dir="ltr"><div>Thanks for your answer. Once I have configured the servlet correctly, I can use <span style="font-size:13px">@RolesAllowed on my EJBs. </span>KeycloakPrincipal and KeycloakSecurityContext are now filled. <br></div><div><br></div><div>But now I have a new issue. When users don't have permissions, the JBoss server returns a 500 (Internal Server Error) error code. The exact error is this:</div><div>javax.ejb.ejbaccessexception: jbas014502: invocation on method: public xxxx is not allowed.<br></div><div><br></div><div>I think it should return 403 (Forbidden) or 401 (Unauthorized), shouldn't it? Is this behavior correct? Is it a JBoss or Keycloak issue? Is it possible to configure the status code returned? </div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-01-20 15:13 GMT+01:00 Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You still need to set up servlet security though and all the security<br>
constraints. Set up your security constraints to be very broad, i.e.<br>
"*", then use @RolesAllowed within your EJBs.<br>
<br>
On 1/20/2015 8:15 AM, Juan Escot wrote:<br>
> Yes, I have already created it. I'm using JBoss EAP 6.3. I have<br>
> installed the adapter. But I have found a difference between adapter<br>
> installation in Keycloak 1.0.4.Final and 1.1.0.beta2.<br>
><br>
> I'm using 1.0.4.Final and I added this line (as described for JBoss EAP<br>
> at<br>
> <a href="http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation" target="_blank">http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation</a><br>
> ):<br>
> <extension module="org.keycloak.keycloak-as7-subsystem"/><br>
><br>
> In 1.1.0.beta2 this configuration seems to be only for AS7. Should I use<br>
> this? If I try it, I get an error (JBAS014674 module cannot be loaded)<br>
> <extension module="org.keycloak.keycloak-subsystem"/><br>
><br>
> All changes made at my standalone.xml are:<br>
><br>
> <extensions><br>
> <extension module="org.keycloak.keycloak-as7-subsystem"/><br>
> ...<br>
> </extensions><br>
> ...<br>
> <security-domains><br>
> <security-domain name="keycloak"><br>
> <authentication><br>
> <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"<br>
> flag="required"/><br>
> </authentication><br>
> </security-domain><br>
> ...<br>
> </security-domains><br>
><br>
> Do you think it is a configuration problem? Should any of my attempts to get<br>
> user information work? Which one?<br>
><br>
> Regards,<br>
> Juan Escot<br>
><br>
><br>
><br>
><br>
> 2015-01-20 12:41 GMT+01:00 Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a><br>
> <mailto:<a href="mailto:stian@redhat.com">stian@redhat.com</a>>>:<br>
><br>
> For the security context to propagate to EJBs you need to create a<br>
> shared security domain, see<br>
> <a href="http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation" target="_blank">http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation</a><br>
><br>
> ----- Original Message -----<br>
> > From: "Juan Escot" <<a href="mailto:juan.escot@cdtec.es">juan.escot@cdtec.es</a> <mailto:<a href="mailto:juan.escot@cdtec.es">juan.escot@cdtec.es</a>>><br>
> > To: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>><br>
> > Sent: Tuesday, 20 January, 2015 11:46:36 AM<br>
> > Subject: [keycloak-dev] Rest Service authentication.<br>
> ><br>
> > Hi,<br>
> > I'm developing an application with AngularJS and Rest Services.<br>
> I'm using<br>
> > Keycloak for authentication and role management.<br>
> ><br>
> > My Angular project is registered as 'confidential' and works<br>
> > fine. It refreshes tokens and sends them in a header like this:<br>
> 'Authorization:Bearer<br>
> > eyJhbGciOiJSUzI1Ni...'<br>
> ><br>
> > My Java project is defined as 'bearer only' and it's developed<br>
> > with Java EJBs as Rest Services. I need more control over permissions and roles,<br>
> > so I don't want to secure my project with security-constraints in web.xml.<br>
> > I'd like to get user info and roles inside my Rest methods from the token<br>
> > received. I have checked that I received the token with this line:<br>
> ><br>
> > String token = request.getHeader("authorization");<br>
> ><br>
> > But I can't get any additional information about the user. I have tried<br>
> > different approaches but I can't find a solution. Could I have a<br>
> > Keycloak object with user info?<br>
> ><br>
> > This is a fragment of my code with all my attempts:<br>
> ><br>
> > @Stateless<br>
> > @LocalBean<br>
> > @Path("/promociones")<br>
> > @SecurityDomain("keycloak")<br>
> > public class PromocionRest {<br>
> > @Context<br>
> > HttpServletRequest request;<br>
> > @Context<br>
> > SecurityContext securityContext;<br>
> > @Resource<br>
> > SessionContext sc;<br>
> > @GET<br>
> > @Produces("application/json")<br>
> > @Path("/list")<br>
> > //@RolesAllowed({ "user" }) <-- If I use this annotation I get an<br>
> > error.<br>
> > @PermitAll<br>
> > public RespuestaListaBase<Promocion> listadoPromociones(...){<br>
> > KeycloakPrincipal principal =<br>
> > (KeycloakPrincipal)securityContext.getUserPrincipal();<br>
> > KeycloakSecurityContext session = (KeycloakSecurityContext)<br>
> > request.getAttribute(KeycloakSecurityContext.class.getName());<br>
> > if (sc!=null && sc.getCallerPrincipal()!=null){<br>
> > System.out.println("Principal's name according to EJB: " +<br>
> > sc.getCallerPrincipal().getName());<br>
> > }<br>
> ><br>
> > System.out.println("Is user in role 'user'? " +<br>
> > request.isUserInRole("user"));<br>
> ><br>
> > String token = request.getHeader("authorization");<br>
> > HttpClient client = new<br>
> HttpClientBuilder().disableTrustManager().build();<br>
> > try {<br>
> > String url = request.getRequestURL().toString();<br>
> > url = url.substring(0, url.indexOf('/', 8));<br>
> > HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");<br>
> > get.addHeader("Authorization", "Bearer " + token);<br>
> > try {<br>
> > HttpResponse response = client.execute(get);<br>
> > if (response.getStatusLine().getStatusCode() != 200) {<br>
> > //throw new Failure(response.getStatusLine().getStatusCode());<br>
> > }<br>
> > HttpEntity entity = response.getEntity();<br>
> > InputStream is = entity.getContent();<br>
> ><br>
> > } catch (IOException e) {<br>
> > throw new RuntimeException(e);<br>
> > }<br>
> > } finally {<br>
> > client.getConnectionManager().shutdown();<br>
> > }<br>
> > }<br>
> > }<br>
> ><br>
> > I also have configured jboss-web.xml like this:<br>
> > <jboss-web><br>
> > <security-domain>keycloak</security-domain><br>
> > </jboss-web><br>
> ><br>
> > And web.xml like this:<br>
> > <login-config><br>
> > <auth-method>KEYCLOAK</auth-method><br>
> > <realm-name>demo</realm-name><br>
> > </login-config><br>
> ><br>
> > <security-role><br>
> > <role-name>user</role-name><br>
> > </security-role><br>
> ><br>
> > Some notes about the code:<br>
> > - KeycloakPrincipal principal =<br>
> > (KeycloakPrincipal)securityContext.getUserPrincipal(); <--<br>
> principal is<br>
> > always null<br>
> > - KeycloakSecurityContext session = (KeycloakSecurityContext)<br>
> > request.getAttribute(KeycloakSecurityContext.class.getName());<br>
> <-- session<br>
> > is always null<br>
> > - sc.getCallerPrincipal().getName() <-- returns 'anonymous', so<br>
> it seems it<br>
> > isn't taking security-domain?<br>
> > - request.isUserInRole("user") <-- returns null<br>
> > - HttpResponse response = client.execute(get) <-- throws an<br>
> exception:<br>
> > org.jboss.resteasy.spi.UnauthorizedException: Bearer<br>
> > - If I use @RolesAllowed({ "user" }) annotation I get this error:<br>
> JBAS014502:<br>
> > The invocation is not allowed in the method<br>
> > - String token = request.getHeader("authorization"); <-- I get<br>
> > 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'<br>
> ><br>
> > I suppose I'm doing it wrong, but I don't know what the correct<br>
> > way is.<br>
> > Could I get user information from the token received?<br>
> ><br>
> > Thanks in advance,<br>
> > Juan Escot<br>
> ><br>
> > _______________________________________________<br>
> > keycloak-dev mailing list<br>
> > <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>><br>
> > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
><br>
><br>
><br>
><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</font></span></blockquote></div><br></div>
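The follow-up question at the top of the thread (why a denied @RolesAllowed call surfaces as a 500, and whether the status code can be changed) can be handled with a JAX-RS ExceptionMapper. This is an added example, not code from anyone in this thread or from Keycloak; it assumes a JBoss EAP 6 / RESTEasy deployment like the one described, where the EJBs are exposed as JAX-RS resources as in PromocionRest. Background: javax.ejb.EJBAccessException is the unchecked exception the EJB container throws when the caller lacks the required role (the JBAS014502 message quoted above), and with no mapper registered JAX-RS treats it as an unhandled exception and answers 500.

```java
// Added example (not from the thread): map the EJB container's access denial
// to 401/403 instead of letting it fall through as a 500.
import javax.ejb.EJBAccessException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

@Provider
public class EJBAccessExceptionMapper implements ExceptionMapper<EJBAccessException> {

    // Injected per request; lets us tell "no identity at all" from
    // "authenticated, but not in the role @RolesAllowed demands".
    @Context
    private SecurityContext securityContext;

    @Override
    public Response toResponse(EJBAccessException e) {
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            // The call reached the EJB anonymously (e.g. the resource method was
            // @PermitAll or not covered by a security-constraint), so there is no
            // caller to authorize: the bearer token was missing or not accepted.
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer")
                    .type(MediaType.APPLICATION_JSON)
                    .entity("{\"error\":\"unauthorized\"}")
                    .build();
        }
        // The caller is known but @RolesAllowed rejected the invocation: 403.
        // The container's message names the invoked method, so it is logged
        // server-side only and not echoed to the client.
        return Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.APPLICATION_JSON)
                .entity("{\"error\":\"forbidden\"}")
                .build();
    }
}
```

The mapper is registered like any other JAX-RS provider (annotation scanning, or by listing it in your javax.ws.rs.core.Application subclass). When the web.xml security-constraint covers the resource, as Bill suggests, the adapter already rejects unauthenticated requests with 401 before the EJB is reached, so in practice only the 403 branch fires.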