[keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow

Davide Ungari ungarida at gmail.com
Tue Apr 15 05:51:03 EDT 2014


Hi Marek,
I started thinking about a public REST API because I want to offer this
service also to third parties, but I see your point.
I must organize in a different way the authentication of my frontend and
then the authentication of third parties.

Thanks, your suggestions are very welcome.


--
Davide


On Tue, Apr 15, 2014 at 11:28 AM, Marek Posolda <mposolda at redhat.com> wrote:

>  Hi Davide,
>
> I would suggest changing your flow a bit. You have frontend JEE servlet
> application, which is authenticated with Keycloak. So I think that you
> don't need any Keycloak accessTokens to be shared with your AngularJS
> dashboard at all. I would suggest that your AngularJS dashboard won't
> communicate directly with your JAX-RS backend application, but instead it
> will communicate just with your servlet JEE application, which will then
> re-send request to JAX-RS application with the usage of
> KeycloakSecurityContext as shown in the customer-portal example. So
> assuming that your frontend application is on
> "http://localhost:8080/frontend" and
> your JAX-RS is at "http://localhost:8080/backend" you can do:
>
> 1- The user calls http://.../frontend
>
> 2- The frontend server redirects to the keycloak login
>
> 3- Keycloak authenticates the user and redirects to frontend server
>
> 4- The frontend server serves the AngularJS dashboard but NOT injecting the token (So angularJS and your browser don't have direct access to token at all)
>
> 5- User clicks to something in AngularJS app, which will send request to http://localhost:8080/frontend/someEndpoint
>
> 6- Frontend will re-send this to http://localhost:8080/backend/someBackendEndpoint similarly as shown in examples, which will ensure that frontend application will attach Bearer token to the request
>
> 7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.
>
> So your frontend app will be de facto a proxy between AngularJS and "backend" JAX-RS application. With this design, you won't see any CORS related issues, which you currently have. And also you won't need to solve things like
> refreshing tokens etc. as this is done automatically by the adapter of the JEE frontend application. So that's my suggestion.
>
> Marek
>
>
>
> On 15.4.2014 01:43, Davide Ungari wrote:
>
> Hi Bill, it's a mixed approach, maybe this is confusing you.
>
> > I don't understand what the flow is below.  In your flow above you said
> > your server is making a call to the backend service with the token and
> > is authenticated correctly, right?
>
> My frontend is a WAR running on Tomcat and it is secured by keycloak.
>
> > What I don't understand is what you are doing below.  Are you saying you
> > have a Browser client (Javascript) making a call to your backend?
>
> The WAR serves also an AngularJS dashboard, in this dashboard I "inject" the token from the server but then I make client side calls.
>
> The flow is:
>
> 1- The user calls http://.../dashboard
>
> 2- The frontend server redirects to the keycloak login
>
> 3- Keycloak authenticates the user and redirects to frontend server
>
> 4- The frontend server serves the AngularJS dashboard injecting the token
>
> 5- The client side dashboard makes ajax calls to the backend to load data
>
> At point 5 I see my backend is logging that the call is AUTHENTICATED but on client side I see the response is failing.
>
>  --
> Davide
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
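Marek's proxy design (steps 5 and 6 above) as an added example; this is not code from the thread or from the Keycloak customer-portal example. It assumes the frontend is a Keycloak-secured servlet application whose adapter has already authenticated the session, that the servlet path /someEndpoint and the backend URL are the placeholders used in the thread, and that /someEndpoint is covered by a security-constraint in web.xml so the adapter runs before the servlet.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;

// Assumed path and backend URL, taken from the thread's placeholder URLs.
@WebServlet("/someEndpoint")
public class BackendProxyServlet extends HttpServlet {

    private static final String BACKEND = "http://localhost:8080/backend/someBackendEndpoint";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The Keycloak adapter stores the authenticated session's security context
        // as a request attribute; the token stays on the server, never in the browser.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // Reached only if the path is not under a security-constraint.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpURLConnection conn = (HttpURLConnection) new URL(BACKEND).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept", "application/json");
        // Attach the user's access token as a bearer token on the server-to-server call;
        // the adapter refreshes it, so the servlet never handles refresh tokens itself.
        conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());

        int status = conn.getResponseCode();
        resp.setStatus(status);
        if (conn.getContentType() != null) resp.setContentType(conn.getContentType());

        // Relay the backend body to AngularJS on the same origin, so no CORS is involved.
        try (InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
             OutputStream out = resp.getOutputStream()) {
            if (in == null) return;
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        }
    }
}
```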

