[keycloak-user] How to authorize JAX-RS service based on reasteasy

Davide Ungari ungarida at gmail.com
Wed Apr 23 17:34:29 EDT 2014


Hi everybody,
I followed some suggestions and now I have made authentication work as follows:

1- The user call http://.../frontend

2- The frontend server redirects to the keycloak login

3- Keycloak authenticates the user and redirects to frontend server

4- The frontend server serves the AngularJS dashboard


5- User clicks on something in the AngularJS app, which will send a request
to http://localhost:8080/frontend/someEndpoint

6- The frontend will re-send this to
http://localhost:8080/backend/someBackendEndpoint

7- After the backend request is done and the response is received in the "frontend" app, it
will send it back to AngularJS with all the data.


Now I would like to add authorization to the backend API, so I added
@RolesAllowed("role"), but it does not work:

2014-04-23 23:17:10,694|WARN |core.ExceptionHandler|failed to execute
javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
    at org.jboss.resteasy.plugins.interceptors.RoleBasedSecurityFilter.filter(RoleBasedSecurityFilter.java:45)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:256)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:242)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:229)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

I found out that realmAccess is null and, while debugging, I think the problem
is during authentication in org.keycloak.RSATokenVerifier at the line:
            token = input.readJsonContent(AccessToken.class);

What do you think? What am I doing wrong this time?

Thanks.




--
Davide
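An added example, not from the original post or from Keycloak's own code, that shows what the 403 above corresponds to: it decodes a constructed access token payload, collects the realm roles and the client's roles, and applies the same check @RolesAllowed implies. When the realm_access claim is absent (the realmAccess-is-null situation described in the post), no role matches and the request is forbidden. The client id "backend" and the sample claims are assumptions; signature verification is deliberately left out, since Keycloak's RSATokenVerifier does that with the realm's public key before the token is trusted.

```python
import base64
import json

# Roles the JAX-RS method demands, as in @RolesAllowed("role") in the post.
ROLES_ALLOWED = {"role"}


def b64url_json(segment: str) -> dict:
    """Decode one unpadded base64url JWT segment into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def extract_roles(access_token: str, client_id: str) -> set:
    """Collect realm roles and the client's resource roles from a Keycloak token.

    The signature is NOT verified here; in Keycloak that is RSATokenVerifier's
    job, using the realm's RSA public key, before any claim is trusted.
    """
    _header_b64, payload_b64, _signature = access_token.split(".")
    claims = b64url_json(payload_b64)
    roles = set()
    realm_access = claims.get("realm_access")  # None when the claim is absent
    if realm_access:
        roles.update(realm_access.get("roles", []))
    resource_access = claims.get("resource_access", {})
    roles.update(resource_access.get(client_id, {}).get("roles", []))
    return roles


def http_status_for(access_token: str, client_id: str) -> int:
    """Mirror RoleBasedSecurityFilter: 403 unless the caller holds an allowed role."""
    return 200 if extract_roles(access_token, client_id) & ROLES_ALLOWED else 403


def make_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for illustration only (not a real Keycloak token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample tokens: one with realm roles, one where realm_access is missing.
TOKEN_WITH_ROLES = make_token({"sub": "user1", "realm_access": {"roles": ["role"]}})
TOKEN_NO_REALM_ACCESS = make_token({"sub": "user1"})

if __name__ == "__main__":
    print(http_status_for(TOKEN_WITH_ROLES, "backend"))       # 200
    print(http_status_for(TOKEN_NO_REALM_ACCESS, "backend"))  # 403
```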