[keycloak-user] cxf filter

Dmitry Telegin dt at acutus.pro
Mon Aug 27 17:59:35 EDT 2018


Hello Thai,

Seems like you've been watching the OSGification PR attentively :)
I'm sorry we didn't make it for Keycloak 4.3.0. Should get included in 4.4.0, hopefully.

Just in case anyone else is interested:
PR for Keycloak OIDC servlet filter adapter OSGification https://github.com/keycloak/keycloak/pull/5383
PR for the docs https://github.com/keycloak/keycloak-documentation/pull/453
Built docs: https://keycloak-docs.github.io/deploy-docs-pullrequest/PR/453/securing_apps/index.html#using-on-osgi

As for your question, could you please elaborate? What are you trying
to achieve? For REST services, you should normally use bearer token
authorization. In this mode, the adapter would expect a valid token in
"Authorization: Bearer XXX" HTTP header, otherwise it would return 
HTTP 401. Is this what you're after?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-08-27 at 14:52 -0400, Nhut Thai Le wrote:
> Hello,
> 
> I have a web app and a REST API running inside an OSGI environment.
> 
> The web app has some servlets registered with the web container (jetty) as
> OSGI whiteboard services. All of these servlets are configured to be
> protected (authentication required) by keycloak servlet filter.
> 
> Dictionary<String, String> props;
> props = new Hashtable<>();
> props.put("alias", "/whiteboard");
> servletReg = context.registerService(Servlet.class,
>     new WhiteboardServlet("/test"), props);
> 
> Dictionary<String, Object> filterProps = new Hashtable<String, Object>();
> String[] urls = { "/*" }; //$NON-NLS-1$
> filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME,
>     "keycloakFilter");
> filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN,
>     urls);
> keycloakFilter = context.registerService(Filter.class,
>     new KeycloakOIDCFilter(), filterProps);
> 
> The REST api is hosted by aries-jax-rs-whiteboard.
> @Component(
>     immediate = true,
>     property = JAX_RS_APPLICATION_BASE + "=/rest",
>     service = Application.class
> )
> @Path("/common")
> public final class RestAPI extends Application {
>     public static final Response EMPTY_RESPONSE =
>         Response.noContent().type(MediaType.TEXT_HTML_TYPE).build();
>     @Override
>     public Set<Object> getSingletons() {
>         return Collections.singleton(this);
>     }
> 
>     @GET
>     @Path("/getObject")
>     @Produces(MediaType.APPLICATION_JSON)
>     public String getObject() {
>         return "Rest call"; //$NON-NLS-1$
>     }
> }
> 
> The web app has some JS code executed on the user's browser that makes an ajax
> call to the REST service above. Since this call happens after the user has been
> authenticated with keycloak and originates from the same browser session, I
> assume the ajax request also contains KeycloakSecurityContext. Thus this
> call should be allowed to reach the REST service. What I want is to
> register a filter (ContainerRequestFilter) to deny access to the REST
> service if the user has not been authenticated.
> Is there an existing implementation of ContainerRequestFilter by keycloak
> that can do this?
> 
> 
> Thai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
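
A fail-closed JAX-RS guard of the kind asked about in the thread, as an added example that is not part of either message and is not Keycloak's own code. It assumes the Keycloak servlet filter has already run on the same request and stored a KeycloakSecurityContext as a request attribute under the class name, that the javax.* JAX-RS 2.x and Servlet APIs are in use, and the class name RequireKeycloakContextFilter is hypothetical; registration with the JAX-RS whiteboard is not shown.

```java
import java.io.IOException;

import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Hypothetical class: denies every JAX-RS request that the Keycloak adapter
// has not already authenticated. It does not validate tokens itself.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class RequireKeycloakContextFilter implements ContainerRequestFilter {

    // Injected per request by the JAX-RS runtime (assumes a servlet container).
    @Context
    private HttpServletRequest servletRequest;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // The adapter publishes the validated context under this attribute name.
        Object attr = servletRequest.getAttribute(KeycloakSecurityContext.class.getName());

        if (!(attr instanceof KeycloakSecurityContext)) {
            deny(ctx); // adapter did not run or did not authenticate the caller
            return;
        }
        // Defense in depth: a context without a live access token is rejected too.
        AccessToken token = ((KeycloakSecurityContext) attr).getToken();
        if (token == null || !token.isActive()) {
            deny(ctx);
        }
    }

    // HTTP 401 with a Bearer challenge, matching the adapter's bearer-token behaviour.
    private static void deny(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer")
                .build());
    }
}
```

If the servlet filter is not mapped in front of the JAX-RS application, the attribute is never set and this guard rejects every request, which is the intended default.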

