[keycloak-user] keycloak without token

Marek Posolda mposolda at redhat.com
Tue Jun 19 10:57:32 EDT 2018


On 19/06/18 14:24, rdg77390 wrote:
> Hi, I created an application using Tomcat 8 and Keycloak.
> The application has some REST APIs that will be called from the browser. So the
> application is both server and application. I believe with Jsessionid in a
> cookie, I do not need to pass an authentication token if I'm talking to the
> same server in the same session. Isn't it? Could someone clear this up for me?
Yes, you're right. The path should be authenticated by the cookie 
"JSessionId", so you don't need a token. A token is needed only if something 
else calls this REST endpoint under the "orbeon" path.

Marek
> Or should I have to pass the access token even if I'm talking to the same
> server?
> Also, I want to use Orbeon in the same Tomcat; I set crossContext to
> true.
> I want it to be secure, but without setting up a security-constraint, it seems like
> Keycloak does not protect the Orbeon path. But it should be protected and should
> be accessible without passing an access token. Does this make sense? I do not
> know if I'm on the right track or not.
>
>
>
>
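The security-constraint mentioned in the question, written out as an added example that is not part of the original thread or of either poster's configuration. It assumes Orbeon is deployed as its own web application that already has the Keycloak Tomcat adapter valve in `META-INF/context.xml` and a `WEB-INF/keycloak.json`; the role name `user` and the `/*` pattern are hypothetical and must match your realm and deployment.

```xml
<!-- Fragment for WEB-INF/web.xml of the web application serving the Orbeon path.
     Assumption: this webapp is its own Tomcat context, so "/*" covers everything
     it serves. If the path lives inside another webapp, use "/orbeon/*" there. -->

<!-- Without a security-constraint the container never asks the Keycloak
     authenticator to run, so the path stays unprotected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>orbeon</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Hypothetical realm role; only users holding it get through. -->
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require HTTPS, since the session cookie is the only credential
         the browser sends on same-server calls. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The Keycloak Tomcat adapter valve takes over authentication; the
     auth-method is still required by the servlet spec, and the realm name
     is not used by the adapter. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>this is ignored currently</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- The browser authenticates REST calls with the session cookie alone, so
     keep that cookie away from scripts and plain HTTP, and out of URLs. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

With this in place, browser calls in an authenticated session pass on the cookie, while a caller outside that session has to present a bearer token, which matches the split described in the reply.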



