[keycloak-user] How can I use Keycloak to support my architecture?

Luis Rodríguez Fernández uo67113 at gmail.com
Thu Nov 8 04:07:52 EST 2018


Hello Ola,

I've tested exactly the same approach as yours. In my case I am using SAML:

1. /login-module with
org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve registered in IdP.
It declares a <security-constraint> for "/*" [1]
2. Any request to /login-module passes through a filter [2] that looks in the
request for a secret (cookie). If there is no secret, the request is
redirected to a servlet [3]. If the user has a valid session in the IdP, the
secret is created and the user is redirected to the original request.
3. The rest of the modules are "protected" by the custom filter [4]

Answering your questions:

- Can this be possible...? Yes it can, but personally I do not like it
- Is it mandatory to register...? I do believe that it is preferable

I developed this PoC for this scenario: I have a big legacy enterprise app
(.ear) with several modules that make requests between them for getting
protected resources. E.g. /module1 requests /module2/images/calendar.gif or
/module1/ requests /module2/search. I do this because I want to avoid touching
the legacy and sometimes obscure code of the ear app :)

Using OAuth2/OpenID Connect would probably be a better idea for this kind of
scenario.

Hope it helps,

Luis

[1] https://gist.github.com/lurodrig/deb2e086fa425f2d64111b325caf1b96
[2] https://gist.github.com/lurodrig/7b157e6ebcfe857c86218eabd8063c6d
[3] https://gist.github.com/lurodrig/e1a20f480f3c4202c083a091ed68b0d7
[4] https://gist.github.com/lurodrig/84c0bf35f184059fe27bb47e377f09af

On Thu, 8 Nov 2018 at 8:15, ola rob (<robstyle1234 at gmail.com>)
wrote:

> Hi,
>
> I need some help in securing my applications with keycloak:
>
> I have a couple of Grails applications (App1 and App2) using Spring Security.
> However, currently I am using the Keycloak REST API to authenticate users by
> passing username and password and receiving a token, without registering these
> applications as clients in Keycloak.  But this approach seems to be
> inefficient when we want to support SSO, Kerberos and a lot of other powerful
> features that Keycloak offers.
> So I came up with the below approach to support SSO/kerberos but wanted to
> know if Keycloak can solve our problem.
>
> "Create a new spring boot master application (App3) and register with
> Keycloak and redirect the login page to Keycloak. Once login is successful,
> use the token that keycloak provides and pass it on to App1 and App2 and
> tweak my existing code flow to handle this. Can this be possible because I
> am not registering/creating any clients for app1 and app2 in keycloak here
> but only creating for app3 which is the master application and using the
> access token? Is it mandatory to register/create all clients in Keycloak to
> support SSO?"
>
> Any help would be highly appreciated.
>
> Thanks in advance!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
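The filter-and-secret design described in steps 2 and 3 above hinges on one thing: the "secret" cookie the other modules trust must be something only the SAML-protected login module can produce, and it must expire. The following is an added example, written for this page, and not the code from the linked gists: a servlet filter for the non-SAML modules that accepts a request only when it carries a signed, time-limited cookie, plus the helpers the login servlet would use to mint that cookie once the SAML valve has authenticated the user. The cookie name `MODULE_SECRET`, the login servlet path `/login-module/secret`, the `hmacKey` init-param and the `subject:expiry:mac` cookie layout are all assumptions made for the example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter for the modules that are NOT behind the SAML valve.
 * It trusts a request only if it carries a cookie minted by the login module:
 *   value = subject ":" expiryMillis ":" base64url(HMAC-SHA256(key, subject ":" expiryMillis))
 * All names below are assumptions for this example, not the thread's gists.
 */
public class SignedSecretFilter implements Filter {
    static final String COOKIE_NAME = "MODULE_SECRET";          // assumed cookie name
    static final String LOGIN_SERVLET = "/login-module/secret"; // assumed SAML-protected servlet
    static final long TTL_MILLIS = 15 * 60 * 1000L;             // secret lifetime: 15 minutes

    private byte[] key; // shared HMAC key; load from a keystore or environment, never hard-code it

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String k = cfg.getInitParameter("hmacKey"); // assumed init-param
        if (k == null || k.length() < 32) throw new ServletException("hmacKey missing or shorter than 32 chars");
        key = k.getBytes(StandardCharsets.UTF_8);
    }

    /** Builds the cookie value for an authenticated subject; called by the login servlet after SAML auth. */
    public static String mint(byte[] key, String subject, long nowMillis) {
        String payload = subject + ":" + (nowMillis + TTL_MILLIS);
        String mac = Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(key, payload));
        return payload + ":" + mac;
    }

    /** Returns the subject, or null if the cookie is absent, malformed, forged or expired. */
    public static String verify(byte[] key, String value, long nowMillis) {
        if (value == null) return null;
        int macSep = value.lastIndexOf(':');
        if (macSep <= 0) return null;
        String payload = value.substring(0, macSep);
        byte[] presented;
        try { presented = Base64.getUrlDecoder().decode(value.substring(macSep + 1)); }
        catch (IllegalArgumentException e) { return null; }
        // Constant-time comparison: a plain equals() would leak MAC bytes through timing.
        if (!MessageDigest.isEqual(hmac(key, payload), presented)) return null;
        int expSep = payload.lastIndexOf(':');
        if (expSep <= 0) return null;
        long expiry;
        try { expiry = Long.parseLong(payload.substring(expSep + 1)); }
        catch (NumberFormatException e) { return null; }
        if (nowMillis > expiry) return null;
        return payload.substring(0, expSep);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        String subject = verify(key, cookieValue(r), System.currentTimeMillis());
        if (subject == null) {
            // No valid secret: send the browser to the SAML-protected servlet, passing only the
            // path and query of the original request so the round trip cannot become an open redirect.
            String target = r.getRequestURI() + (r.getQueryString() == null ? "" : "?" + r.getQueryString());
            w.sendRedirect(LOGIN_SERVLET + "?redirect=" + URLEncoder.encode(target, "UTF-8"));
            return;
        }
        r.setAttribute("authenticatedSubject", subject); // downstream code can read who this is
        chain.doFilter(req, res);
    }

    /** Called by the login servlet once the SAML valve has set r.getRemoteUser(). */
    public static void issue(HttpServletResponse w, byte[] key, String subject) {
        Cookie c = new Cookie(COOKIE_NAME, mint(key, subject, System.currentTimeMillis()));
        c.setHttpOnly(true);                    // not readable from script
        c.setSecure(true);                      // HTTPS only
        c.setPath("/");                         // shared by every module of the .ear
        c.setMaxAge((int) (TTL_MILLIS / 1000)); // browser drops it when the MAC would expire anyway
        w.addCookie(c);
    }

    private static String cookieValue(HttpServletRequest r) {
        Cookie[] cookies = r.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        return null;
    }

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public void destroy() {}
}
```

Map this filter onto `/*` of every module except `/login-module` and register it in each module's web.xml with the same `hmacKey`. The login servlet on the SAML side should call `issue(...)` only after `request.getRemoteUser()` is non-null, and should honour the `redirect` parameter only when it is a same-site path (starts with a single `/`, not `//` or a scheme), otherwise the secret-creation hop becomes an open redirect. Because the subject and expiry are authenticated by the MAC rather than stored server-side, logging out of the IdP does not invalidate already-issued cookies; keep the TTL short, or record issued secrets and check them, if that matters for your deployment.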

