[keycloak-user] user panel everywhere - no automatic redirect

Marek Posolda mposolda at redhat.com
Thu Aug 17 03:30:56 EDT 2017


Hi Michal,

Nice to see a Brno guy from StudentAgency using Keycloak :)

I suppose you're using the servlet adapter? The servlet spec actually 
enforces security based on the URL request path declared in web.xml, 
which is not ideal for some applications. However, there are ways 
to solve this. A few things:

- OpenID Connect has support for the "prompt=none" feature and Keycloak 
supports it. In short, it allows the application to redirect to 
Keycloak without Keycloak ever displaying a login screen. If the user 
is not already logged in, it directly redirects back to the app with an error. 
If he is logged in, it redirects back to the app with success.

- So you can perhaps do something like this: at the beginning, try to visit 
http://yourhost/yourapp/secured?prompt=none . If the user is not 
logged in, you will receive an error from KC and hence you can redirect your 
app to http://yourhost/yourapp/unsecured and display that the user 
is not yet logged in. Otherwise the user is logged in.

- Once the user clicks "login", you just redirect to 
http://yourhost/yourapp/secured, which will enforce displaying the login 
screen on the Keycloak side.

- If the approach above is too quirky, you can perhaps achieve it some 
other way if the user is already logged in. Maybe use an iframe talking to 
Keycloak? We have some support for the session iframe in the keycloak.js adapter 
OOTB; in the servlet adapter there is no support OOTB, but I think you 
should be able to use it from your app. This may be a bit harder to 
set up, but likely doable.

Marek
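
Added example (not code from this thread or from the Keycloak project): the
prompt=none probe described above, written as a Java servlet that sends the
probe to the Keycloak authorization endpoint directly instead of through the
adapter's protected path, so the application itself sees the OIDC
"error=login_required" response and decides where to go. Everything concrete
in it is an assumption: the realm URL https://kc.example.com/auth/realms/myrealm,
the client_id "myapp", the hypothetical paths /home, /sso-probe, /secured and
/unsecured, and that the /sso-probe URL is registered as a valid redirect URI
for that client. It adds two checks a practitioner wants with this trick: a
per-session flag so an anonymous visitor is probed once rather than bounced
between the homepage and Keycloak in a loop, and a random state value that the
callback verifies before trusting the outcome.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

/**
 * Silent SSO probe via OpenID Connect prompt=none (example code, not part of
 * Keycloak). /home is the unprotected entry point, /sso-probe is the
 * callback Keycloak redirects back to. /secured is assumed to be protected by
 * the Keycloak servlet adapter (security-constraint in web.xml); /unsecured
 * is the public homepage that renders the user panel.
 */
@WebServlet(urlPatterns = {"/home", "/sso-probe"})
public class SsoProbeServlet extends HttpServlet {
    // Assumed realm and client; adjust to the real deployment.
    private static final String AUTH_ENDPOINT =
        "https://kc.example.com/auth/realms/myrealm/protocol/openid-connect/auth";
    private static final String CLIENT_ID = "myapp";

    private static final String PROBED_FLAG = "sso.probe.done";  // session attribute
    private static final String STATE_ATTR = "sso.probe.state";  // session attribute
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/sso-probe".equals(req.getServletPath())) {
            handleCallback(req, resp);
        } else {
            handleHome(req, resp);
        }
    }

    /** Unprotected entry point: probe Keycloak at most once per HTTP session. */
    private void handleHome(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(true);
        // Already authenticated by the adapter, or already probed in this
        // session: go straight to the public page (no redirect loop).
        if (req.getUserPrincipal() != null || session.getAttribute(PROBED_FLAG) != null) {
            resp.sendRedirect(req.getContextPath() + "/unsecured");
            return;
        }
        session.setAttribute(PROBED_FLAG, Boolean.TRUE);
        String state = randomToken();
        session.setAttribute(STATE_ATTR, state);

        // Callback URL = this request's URL with the servlet path swapped for /sso-probe.
        String url = req.getRequestURL().toString();
        String redirectUri = url.substring(0, url.length() - req.getServletPath().length())
            + "/sso-probe";

        String authUrl = AUTH_ENDPOINT
            + "?response_type=code"
            + "&client_id=" + enc(CLIENT_ID)
            + "&redirect_uri=" + enc(redirectUri)
            + "&scope=openid"
            + "&state=" + enc(state)
            + "&prompt=none";   // OIDC Core: never show a login UI
        resp.sendRedirect(authUrl);
    }

    /** Keycloak returns here with either ?code=...&state=... or ?error=...&state=... */
    private void handleCallback(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(STATE_ATTR);
        if (session != null) {
            session.removeAttribute(STATE_ATTR);   // single use
        }
        // Only accept a callback this session actually initiated.
        if (expected == null || !expected.equals(req.getParameter("state"))) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "state mismatch");
            return;
        }
        if (req.getParameter("error") != null) {
            // login_required (or another *_required error): no SSO session at Keycloak.
            resp.sendRedirect(req.getContextPath() + "/unsecured");
            return;
        }
        // A code was issued, so the user has a Keycloak session. The code is
        // deliberately not exchanged here; sending the browser to the
        // adapter-protected path lets the adapter log the user in silently.
        resp.sendRedirect(req.getContextPath() + "/secured");
    }

    private static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static String enc(String s) throws IOException {
        return URLEncoder.encode(s, "UTF-8");
    }
}
```

The "login" link on the public page still just points at /secured, as in the
steps above. The probe flag lives in the HTTP session, so a visitor who logs in
to Keycloak in another tab is only picked up when they use that link or the
session expires; behind a reverse proxy, build redirectUri from the external
host rather than from getRequestURL(), or Keycloak will reject it as an
unregistered redirect URI.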


On 15/08/17 16:59, Michal Keda wrote:
> Both
>
> Principal userPrincipal = httpServletRequest.getUserPrincipal();
> RefreshableKeycloakSecurityContext context = (RefreshableKeycloakSecurityContext)
>     httpServletRequest.getAttribute(KeycloakSecurityContext.class.getName());
>
> are null when visiting the unprotected homepage, even if the user is logged
> in (directly in Keycloak), until I visit my protected page.
>
> Is this a configuration error?
>
> On 15.8.2017 at 8:57, Stian Thorgersen wrote:
>> Wouldn't
>> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()
>> do the trick?
>>
>> On 14 August 2017 at 17:22, Michal Keda <michal.keda at studentagency.cz> wrote:
>>
>>      Hello,
>>      I want to implement a simple panel showing information about the user
>>      logged into SSO. The catch is that I need this panel even on pages that
>>      should not redirect to the KC server when no user is logged in.
>>
>>      This seems like basic behaviour for any homepage (show if the user is
>>      logged in, but do not force an immediate redirect if he isn't), but
>>      RefreshableKeycloakSecurityContext starts to pop up in my
>>      HttpServletRequest only after I access some protected page (specified
>>      in web.xml).
>>
>>      So my question is (I guess..) whether it is possible to get the
>>      currently logged-in user on a page that is not protected by KC.
>>
>>      I am using tomcat 7, java 8 (+wicket)
>>
>>      Best regards,
>>
>>      Michal Keda
>>      --
>>
>>      Bc. Michal Keda
>>      programmer
>>
>>
>>      _______________________________________________
>>      keycloak-user mailing list
>>      keycloak-user at lists.jboss.org
>>      https://lists.jboss.org/mailman/listinfo/keycloak-user
>>