[keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
Luis Rodríguez Fernández
uo67113 at gmail.com
Thu Mar 29 12:29:28 EDT 2018
Hello Manfred,
mmm, OK, I see. We have an application that I do think matches your
scenario: https://phonebook.cern.ch In this one only one resource is behind
a security-constraint, the sign-in link: /phonebook/secure/sso This triggers
the login request to our identity provider. This one challenges the user,
and after authentication the response with the user information is sent
back to the application. With this information the application creates the
java.security.Principal objects. Then the application's code can make
checks like this one:
java.security.Principal principal = request.getUserPrincipal(); // null when nobody is logged in
if (principal != null) {
    if (request.isUserInRole("THE_ROLE")) {
        .../...
    } else {
        response.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated, but not authorised
    }
} else {
    .../...
}
In this way you are relying on the standard servlet specification, making
your application portable and completely independent of keycloak or any
other identity and access management system you use.
Afterwards nothing stops you from using the keycloak APIs to get any user data
you need. Me, for example, in my applications I get all the user data (e.g.
telephonenumber, department) from the org.keycloak.adapters.saml.SamlPrincipal
The good old examples application that comes with any tomcat distribution
is a great place to start. On this specific issue you can have a look at
$CATALINA_BASE/webapps/examples/jsp/security/protected/index.jsp
Hope it helps,
Luis
2018-03-29 15:23 GMT+02:00 Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de>:
> Hello Luis,
>
> Your approach will not work for me: In my setup there is no predefined set
> of secure and unsecure URLs: there are many URLs which can be accessed
> without any login and also with login. But the content which is displayed
> when accessing these URLs depends on whether the user is authenticated or not.
>
> That's the reason why all those filters and valves will not work for me.
>
> My idea is as follows:
>
> When a request comes in, I will check if it contains some token. If yes,
> the system should try to identify the user using keycloak, otherwise the
> username is set to anonymous.
>
> In the next step the system checks if the user has sufficient rights for
> viewing/editing/deleting the entity identified by the requested URL. If the
> rights are sufficient (even with the anonymous user) all is well, otherwise
> the system will redirect to the keycloak server to obtain such a token
> mentioned above.
>
> But I haven't found any detailed documentation on that use case.
>
> Regards,
>
> Manfred
>
> --
> Manfred Schenk, Fraunhofer IOSB
> Informationsmanagement und Leittechnik
> Fraunhoferstraße 1, 76131 Karlsruhe, Germany
> Phone +49 721 6091-391
> mailto:Manfred.Schenk at iosb.fraunhofer.de
> http://www.iosb.fraunhofer.de
>
> *From:* Luis Rodríguez Fernández <uo67113 at gmail.com>
> *Sent:* Thursday, 29 March 2018 15:13
> *To:* Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de>
> *Subject:* Re: [keycloak-user] Securing tomcat-based web applications
> without using container-security(i.e. without using filters, constraints
> and valves)?
>
> Hello Schenk,
>
> If your Identity Provider "speaks" SAML, you can give a try to
> http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter.
> I am testing it for some of our tomcat-based applications and it works
> out-of-the-box (BTW thanks keycloak folks!).
>
> My deployment descriptor (web.xml) looks like this:
>
> <filter>
>     <filter-name>Keycloak Filter</filter-name>
>     <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
>     <init-param>
>         <param-name>keycloak.config.file</param-name>
>         <param-value>/usr/local/tomcat/keycloak-saml-servlet-adapter.xml</param-value>
>     </init-param>
> </filter>
>
> <!-- From the docs: "You must have a filter mapping that covers /saml." -->
> <filter-mapping>
>     <filter-name>Keycloak Filter</filter-name>
>     <url-pattern>/saml</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>Keycloak Filter</filter-name>
>     <url-pattern>/secure/*</url-pattern>
> </filter-mapping>
>
> In this way, just playing with the url-patterns of my resources I can make
> them private or public. E.g.
>
> <servlet-mapping>
>     <servlet-name>SessionExampleServlet</servlet-name>
>     <url-pattern>/SessionExample</url-pattern>
>     <url-pattern>/secure/SessionExample</url-pattern>
> </servlet-mapping>
>
> Hope it helps,
>
> Luis
>
> 2018-03-29 14:38 GMT+02:00 Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de>:
>
> Hello,
>
> I want to use keycloak for user authentication in my tomcat based web
> application.
> But since the web application should also be accessible without any login,
> I think I will not be able to use the container-based security and will have
> to handle the keycloak communication myself from within my web application.
>
> Are there any tutorials or recommendations around for my use case?
> Which (keycloak-)jars do I need for this task?
>
> Thanks in advance,
> Manfred
>
> --
> Manfred Schenk, Fraunhofer IOSB
> Informationsmanagement und Leittechnik
> Fraunhoferstraße 1, 76131 Karlsruhe, Germany
> Phone +49 721 6091-391
> mailto:Manfred.Schenk at iosb.fraunhofer.de
> http://www.iosb.fraunhofer.de
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
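Added example, not code from this thread or from the CERN phonebook: Manfred's "same URL, different content" case written the way Luis describes, with no security-constraint on the resource itself, the checks done through the servlet API, and only the login-trigger URL constrained. The path /secure/sso, the servlet, the URL pattern and the role name are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: /entry/* is reachable by everyone, but what it shows and
// what it allows depends on whether the container has a principal for the request.
@WebServlet("/entry/*")
public class EntryServlet extends HttpServlet {
    // Assumed: the one URL behind a <security-constraint>; its only job is to trigger the login.
    private static final String LOGIN_TRIGGER = "/secure/sso";
    private static final String EDIT_ROLE = "phonebook-editor"; // assumed role name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal principal = req.getUserPrincipal(); // null for anonymous visitors
        resp.setContentType("text/plain;charset=UTF-8");
        if (principal == null) {
            resp.getWriter().println("Public view of " + req.getPathInfo());
        } else {
            // Same URL, richer content: fields an anonymous visitor must not see.
            resp.getWriter().println("Full view of " + req.getPathInfo()
                    + " for " + principal.getName());
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() == null) {
            // Anonymous user attempted a privileged action: go through the constrained
            // URL so the adapter starts the login, then come back to this resource.
            resp.sendRedirect(req.getContextPath() + LOGIN_TRIGGER
                    + "?return=" + URLEncoder.encode(req.getRequestURI(), "UTF-8"));
            return;
        }
        if (!req.isUserInRole(EDIT_ROLE)) {
            // Authenticated but not authorised: a 403, not another login round trip.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... apply the edit to the entity identified by req.getPathInfo() ...
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Whatever serves LOGIN_TRIGGER should accept the return parameter only as a same-origin path (a single leading /, no scheme and no //), otherwise the sign-in link becomes an open redirect.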