[keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?

Schenk, Manfred Manfred.Schenk at iosb.fraunhofer.de
Thu Mar 29 09:23:39 EDT 2018


Hello Luis,

Your approach will not work for me: In my setup there is no predefined set of secure and unsecure URLs: there are many URLs which can be accessed without any login and also with login. But the content which is displayed when accessing these URLs depends if the user is authenticated or not.
That’s the reason why all those filters and valves will not work for me.


My idea is as follows:

When a request comes in, I will check if it contains some token. If yes, the system should try to identify the user using keycloak, otherwise the username is set to anonymous.
In the next step the system checks if the user has sufficient rights for viewing/editing/deleting the entity identified by the requested URL. If the rights are sufficient (even with the anonymous user) all is well, otherwise the system will redirect to the keycloak server to obtain such a token mentioned above.

But I haven’t found any detailed documentation on that use case.

Regards,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
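The flow described in the message above (optional token check, anonymous fallback, application-level rights check, redirect only when no identity is available), written out as an added example; this is not code from the thread or from the Keycloak project. It assumes the Keycloak Java adapter classes `KeycloakDeploymentBuilder` and `AdapterTokenVerifier` as they existed around this adapter generation, a `keycloak.json` under `WEB-INF`, a `login.url` init-param naming the page to send unauthenticated users to, and a stand-in `allows()` rights lookup; the callback that turns the redirect into a token is outside the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

/** Every URL is reachable; the verified identity (or "anonymous") only decides what the app shows. */
public class OptionalAuthFilter implements Filter {
    static final String ANONYMOUS = "anonymous";
    private KeycloakDeployment deployment;
    private String loginUrl; // init-param "login.url" (assumption): where to send users without a token

    @Override public void init(FilterConfig cfg) throws ServletException {
        loginUrl = cfg.getInitParameter("login.url");
        try (InputStream in = cfg.getServletContext().getResourceAsStream("/WEB-INF/keycloak.json")) {
            deployment = KeycloakDeploymentBuilder.build(in); // adapter config exported from Keycloak
        } catch (IOException e) { throw new ServletException(e); }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String user = ANONYMOUS;
        String auth = http.getHeader("Authorization");
        if (auth != null && auth.startsWith("Bearer ")) {
            try { // verifies signature against the realm key plus expiry, issuer and audience
                AccessToken token = AdapterTokenVerifier.verifyToken(auth.substring(7), deployment);
                user = token.getPreferredUsername();
            } catch (VerificationException e) {
                user = ANONYMOUS; // a bad or expired token counts as "no token", never as a login
            }
        }
        http.setAttribute("app.user", user); // servlets and JSPs read this to decide what to render
        if (allows(user, http.getMethod(), http.getRequestURI())) {
            chain.doFilter(req, res);
        } else if (ANONYMOUS.equals(user)) { // no usable identity: go and obtain a token
            out.sendRedirect(loginUrl + "?redirect_uri=" + URLEncoder.encode(http.getRequestURL().toString(), "UTF-8"));
        } else { // known user without rights: deny instead of bouncing back to the login page
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** Stand-in for the app's per-entity rights lookup (assumption): anyone may read, only named users may write. */
    static boolean allows(String user, String method, String uri) {
        return "GET".equals(method) || !ANONYMOUS.equals(user);
    }

    @Override public void destroy() {}
}
```

Mapping the filter to `/*` in web.xml keeps every URL public while still letting the application branch on `app.user`; the 403 branch matters because redirecting an already-identified user to the login page would loop.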

From: Luis Rodríguez Fernández <uo67113 at gmail.com>
Sent: Thursday, 29 March 2018 15:13
To: Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de>
Subject: Re: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?

Hello Schenk,

If your Identity Provider "speaks" SAML, you can give http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter a try. I am testing it for some of our tomcat-based applications and it works out-of-the-box (BTW thanks keycloak folks!).

My deployment descriptor (web.xml) looks like this:

    <filter>
        <filter-name>Keycloak Filter</filter-name>
        <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
        <init-param>
            <param-name>keycloak.config.file</param-name>
            <param-value>/usr/local/tomcat/keycloak-saml-servlet-adapter.xml</param-value>
        </init-param>
    </filter>
    <!-- From the docs: "You must have a filter mapping that covers /saml." -->
    <filter-mapping>
        <filter-name>Keycloak Filter</filter-name>
        <url-pattern>/saml</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>Keycloak Filter</filter-name>
        <url-pattern>/secure/*</url-pattern>
    </filter-mapping>


In this way, just playing with the url-patterns of my resources I can make them private or public. E.g.

    <servlet-mapping>
        <servlet-name>SessionExampleServlet</servlet-name>
        <url-pattern>/SessionExample</url-pattern>
        <url-pattern>/secure/SessionExample</url-pattern>
    </servlet-mapping>

Hope it helps,

Luis



2018-03-29 14:38 GMT+02:00 Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de>:
Hello,

I want to use keycloak for user authentication in my tomcat based web application.
But since the web application should also be accessible without any login, I think I will not be able to use the container-based security and handle the keycloak communication by myself from within my web application.

Are there any tutorials or recommendations around for my use case?
Which (keycloak-)jars do I need for this task?

Thanks in advance,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user



--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
