[keycloak-user] @RolesAllowed on @Stateless

Bill Burke bburke at redhat.com
Fri Feb 21 15:39:16 EST 2014


This should only be a JAX-RS issue.  You need to define an allow-all-roles 
security constraint for your JAX-RS services:

     <security-constraint>
         <web-resource-collection>
             <url-pattern>/v1/*</url-pattern>
         </web-resource-collection>
         <!--
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
         -->
         <auth-constraint>
             <role-name>*</role-name>
         </auth-constraint>
     </security-constraint>

You may also need to define all the security roles in web.xml too, I 
don't remember.  So, you're telling the servlet layer to authenticate 
but to allow all roles, then, in the EJB/JAX-RS layer it should be 
checking against @RolesAllowed.  Let me know if that helps.




On 2/21/2014 2:45 PM, Juraci Paixão Kröhling wrote:
>
> Hello,
>
> I'm playing with Keycloak on a pet project, and I'm really impressed
> with it. It looks really nice and it's easy to get it working fast.
>
> I have one question, though. I know it's early and it's alpha, but I
> wonder if this is a bug or a non-implemented feature :-)
>
> Basically, I wanted to annotate a REST method with
> @RolesAllowed("admin") for a DELETE request, and @RolesAllowed("user")
> for a @GET, something that works with the usual scenario.
>
> With Keycloak, however, it seems that it's not being properly
> propagated to the EJB layer, so I get an execution denied on the GET,
> even if the user has the "user" role.
>
> I've done a quick experiment, and it's available here:
>
> https://github.com/jpkrohling/sample-ejb-roles-basic
>
> On the master branch, the implementation with Keycloak. At the
> "Endpoint" class, I've added the output from Wildfly 8 as a comment:
>
> https://github.com/jpkrohling/sample-ejb-roles-basic/blob/master/src/main/java/org/sample/ejb/basic/Endpoint.java#L25
>
> On the "QuickStartCode" branch, I've done the same:
>
> https://github.com/jpkrohling/sample-ejb-roles-basic/blob/QuickstartCode/src/main/java/org/sample/ejb/basic/Endpoint.java#L25
>
> So, is this scenario supposed to work already, or is it planned for a
> future release?
>
> Thanks!
> Juca.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
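An added illustration of the layering described in the reply (not code from the thread or from the linked sample project): the web.xml constraint above makes the servlet layer authenticate every call under /v1/* and admit any role, and the stateless bean below is where the per-method role check actually happens. Package, class and path names are assumptions.

```java
// Added example; assumes the web.xml <security-constraint> from the reply
// (authenticate on /v1/*, <role-name>*</role-name>) is already in place, so the
// servlet layer only establishes the caller's identity and the EJB container
// enforces @RolesAllowed on each method.
package org.example.api;   // hypothetical package

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Stateless
@Path("/v1/items")
// Declare the roles the bean refers to; if the container also wants them in
// web.xml, add a matching <security-role> for "user" and "admin" there.
@DeclareRoles({"user", "admin"})
public class ItemEndpoint {

    // Any authenticated caller holding the "user" role may read.
    @GET
    @RolesAllowed("user")
    public Response list(@Context SecurityContext sc) {
        String who = sc.getUserPrincipal() == null ? "anonymous" : sc.getUserPrincipal().getName();
        return Response.ok("items for " + who).build();
    }

    // Only "admin" may delete. A caller authenticated by the servlet layer but
    // lacking this role is rejected by the EJB container (javax.ejb.EJBAccessException)
    // before the method body runs.
    @DELETE
    @Path("/{id}")
    @RolesAllowed("admin")
    public Response delete(@PathParam("id") String id) {
        return Response.noContent().build();
    }
}
```

If the servlet-layer constraint is missing, the request reaches the bean unauthenticated and the "user" GET is denied too, which matches the symptom in the original question.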

