<div dir="ltr">Thanks Marek,<div>the information I needed was in these lines:<div><pre style="margin-top:0px;margin-bottom:0px"><div style="color:rgb(51,51,51);line-height:18px"><span><div><font face="arial, helvetica, sans-serif">KeycloakSecurityContext session = (KeycloakSecurityContext) getServletRequest().getAttribute(KeycloakSecurityContext.class.getName());</font></div>
<div><font face="arial, helvetica, sans-serif">String token = session.getIdTokenString();</font></div></span></div><div><br></div><div><font face="arial"><span style="white-space:normal">I use this token to add a header to every call:</span></font></div>
<div><font face="arial"><span style="white-space:normal">$httpProvider.defaults.headers.common.Authorization = 'Bearer '+keycloak.token;<br>
</span></font></div><div><font face="arial"><span style="white-space:normal"><br></span></font></div><div><br></div><div>I see my backend is authenticating the call in fact:</div><div>2014-04-15 00:00:52,868|INFO |adapters.RequestAuthenticator|Bearer AUTHENTICATED
</div><div><br></div><div><br></div><div>Now I have a different issue, that I hope you can help to figure out.</div><div><br></div><div>On the browser I see two calls:</div><div>1- I don't expect, it is an OPTIONS call</div>
<div>2- I expected, it fails, it is a <span style="font-family:arial">GET call </span><br style="font-family:arial"></div><div><br></div><div>I try to do the second call directly with cURL:</div><div>curl '<a href="http://localhost:8000/1/documents/" target="_blank">http://localhost:8000/1/documents/</a>' -H 'Accept: application/json, text/plain, */*' -H 'Referer: <a href="http://localhost:8080/dashboard/" target="_blank">http://localhost:8080/dashboard/</a>' -H 'Origin: <a href="http://localhost:8080" target="_blank">http://localhost:8080</a>' -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI2ZWIwYzc1Mi1kZTc2LTQ1ZjQtYTAxNi1mMTQ1OTZmMTc1OTUiLCJleHAiOjEzOTc1MTYyMTgsIm5iZiI6MCwiaWF0IjoxMzk3NTE1OTE4LCJpc3MiOiJiaWxsZHJhd2VyIiwiYXVkIjoiYmlsbGRyYXdlciIsInN1YiI6IjQyNGZlZDlkLTk3MDQtNDUwNS04NTcwLWQ4N2I5MWVjNDM1NCIsImF6cCI6IndlYnNpdGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZGUifQ.epRcVbsN_wS44uOMOCyCQ6qkj8JAFn875-N_QYIakom4SPFYBWjU9jS9eBdXsvltwlT-NjlmCOlzbjGT32ZN0bj-_oQ449G9pN35tzzIN0_HXM14cIGdyOchluu4DQz3W6ZKF5m1jm6aFmwPD39ld_Zn7yGoBPPh_3qaYNFy-wl8YJBCCb34BvSRLZhtGdcVLYT4EJW8Y3R_YSnybrPqKr8eJOriLWOl-VOAJrtxT-MAvTDo0rXSubvpZF1CwQKuXHC9AkJ-NM582puVUZkZXt0AgBGJOjxlV7zJr4hLPYaXUG9JX2KMQUMvkhpXuug_tmu1ZR43UnxwLzoJey9C2Q' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36' --compressed<br>
</div><div>And the response is:</div><div><span style="font-family:arial">&lt;html&gt;&lt;head&gt;&lt;title&gt;Error&lt;/title&gt;&lt;/head&gt;&lt;body&gt;Forbidden&lt;/body&gt;&lt;/html&gt;</span><br></div><div><span style="font-family:arial"><br>
</span></div><div><font face="arial">If I try:</font></div><div><font face="arial">curl '<a href="http://localhost:8000/1/documents/">http://localhost:8000/1/documents/</a>' -H 'Accept: application/json, text/plain, */*'
The response is:</font></div><div><font face="arial">&lt;html&gt;&lt;head&gt;&lt;title&gt;Error&lt;/title&gt;&lt;/head&gt;&lt;body&gt;Unauthorized&lt;/body&gt;&lt;/html&gt;% <br></font></div><div><br></div><div><br></div>
<div>What am I doing wrong?</div><div><br></div><div>I tried to play with the annotation @RolesAllowed("user") on the JAX-RS but it does not make a difference. </div><div><br></div><div><br></div></pre></div></div>
</div><div class="gmail_extra"><br clear="all"><div><div>--</div>Davide</div>
<br><br><div class="gmail_quote">On Mon, Apr 14, 2014 at 9:56 AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="">
<div>On 14.4.2014 09:18, Davide Ungari
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Marek,
<div>I worked on it during the weekend.</div>
<div><br>
</div>
<div>Now my problem is <span style="font-family:arial,sans-serif;font-size:13px">the
header like: Authorization: Bearer &lt;your_access_token&gt;
.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><font face="arial, sans-serif">I'm running the frontend on
Tomcat, I made an adapter for it <a href="https://github.com/ungarida/keycloak/" target="_blank">https://github.com/ungarida/keycloak/</a>,
I adapted AS7.</font></div>
<div><font face="arial, sans-serif"><br>
</font></div>
<div><font face="arial, sans-serif">Now I cannot figure out how
to retrieve the access token to include it in the JS that
calls the JAX-RS service.</font></div>
</div>
</blockquote>
</div><font face="arial, sans-serif">If your frontend is a JEE application,
then you can use something like what this example is doing
<a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L46" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L46</a>
. Note that </font><span>KeycloakSecurityContext is
added automatically to request by the adapter of your frontend
application (in this case the customer-portal application, which is
just a simple servlet JEE application). So you need to make sure
that your Tomcat adapter is adding it as well.<br>
<br>
You can take a deeper look at existing examples and try them on
AS7 for inspiration. I think that your Tomcat adapter should be
quite similar to the already existing AS7 adapter as AS7 is using
jboss-web, which is de facto Tomcat stuff<span><span> :-) </span></span><br><span class="HOEnZb"><font color="#888888">
<br>
Marek<br>
</font></span></span><div class="">
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div>--</div>
Davide</div>
<br>
<br>
<div class="gmail_quote">On Mon, Apr 14, 2014 at 8:44 AM, Marek
Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi Davide,<br>
<br>
I think that this exactly is already addressed by our
examples. You can take a look especially at this example
<a href="https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-service" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-service</a>
which is a JAX-RS service based on resteasy, which
requires Bearer token authentication, so all requests
sent to it from "frontend" applications like
"customer-portal" or "product-portal" need to contain
header like: Authorization: Bearer
&lt;your_access_token&gt; .<br>
<br>
You can try existing set of examples to see how it all
works together. See instructions in README files under <a href="https://github.com/keycloak/keycloak/tree/master/examples/demo-template" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/demo-template</a><br>
<br>
Marek
<div>
<div><br>
<br>
On 12.4.2014 10:58, Davide Ungari wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi everybody,
<div>I configured keycloak with mongodb,<br>
<div>then I secured frontend on Tomcat making an
adapter.</div>
<div><br>
</div>
<div>I need to secure backend, it is a JAX-RS
service based on resteasy and running on
undertow.</div>
<div><br>
</div>
<div>I do not use EJB so I need some help to
figure out the best way to implement security
with keycloak in my scenario.</div>
<div><br>
</div>
<div>Suggestions?</div>
<div><br clear="all">
<div>
<div>--</div>
Davide</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div>
</blockquote></div><br></div>
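<div>Added example (not part of the thread, and not Keycloak's own code): when a call is logged as authenticated but still answered with Forbidden, as in the message above, a useful check is to decode the claims of the bearer token being sent and compare them with the role the endpoint requires. The <code>realm_access.roles</code> claim layout, the helper names and the sample tokens are assumptions made for this illustration; decoding is not signature verification.</div>

```javascript
// Added example: troubleshooting helper, not code from the thread or from Keycloak.
// It only DECODES a compact JWT; it does not verify the signature.

function b64urlToJson(segment) {
  // base64url -> base64; Node's decoder tolerates the missing '=' padding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function inspectBearer(token, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = b64urlToJson(parts[0]);
  const claims = b64urlToJson(parts[1]);
  // Assumption: realm roles are carried under realm_access.roles
  const roles = (claims.realm_access && claims.realm_access.roles) || [];
  return {
    alg: header.alg,
    audience: claims.aud,
    username: claims.preferred_username,
    expired: typeof claims.exp === 'number' && claims.exp <= nowSeconds,
    roles,
  };
}

// Simplified model of a role-protected endpoint (plain HTTP semantics):
// no usable token -> 401, known caller without the required role -> 403.
function expectedStatus(token, requiredRole, nowSeconds) {
  if (!token) return 401;
  let info;
  try { info = inspectBearer(token, nowSeconds); } catch (e) { return 401; }
  if (info.expired) return 401;
  return info.roles.includes(requiredRole) ? 200 : 403;
}

// Constructed sample tokens: made-up claims and a fake signature.
function makeSample(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256' }), enc(claims), 'constructed-signature'].join('.');
}

const NOW = 1700000000; // fixed clock so the results are reproducible
const base = { sub: 'u1', preferred_username: 'alice', aud: 'demo', exp: NOW + 300 };
const SAMPLE_WITH_ROLE = makeSample({ ...base, realm_access: { roles: ['user'] } });
const SAMPLE_NO_ROLES = makeSample(base);
const SAMPLE_EXPIRED = makeSample({ ...base, exp: NOW - 1 });
```

<div>Run it under Node.js and pass the token from the failing request to <code>inspectBearer</code> to see which roles, audience and expiry it actually carries.</div>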