<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Make sure you have the following settings configured for your database service:</div>
<div><br>
</div>
<div><img src="cid:7FB161C8-9169-498E-BE38-35D4735A9146" type="image/png"></div>
<div><br>
</div>
<div><br>
</div>
<div><img src="cid:F53847FE-4703-4AB3-9C06-790DC32B5A75" type="image/png"></div>
<div><br>
</div>
<div><br>
</div>
<div>In the web.xml, make sure you have the security setup with the appropriate user role:</div>
<div>
<div><?xml version="1.0" encoding="UTF-8"?></div>
<div><web-app xmlns="http://java.sun.com/xml/ns/javaee"</div>
<div> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"</div>
<div> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"</div>
<div> version="3.0"></div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span><module-name>database</module-name></div>
<div><span class="Apple-tab-span" style="white-space:pre"></span></div>
<div> <security-constraint></div>
<div> <web-resource-collection></div>
<div> <url-pattern>/*</url-pattern></div>
<div> </web-resource-collection></div>
<div><!-- <user-data-constraint></div>
<div> <transport-guarantee>CONFIDENTIAL</transport-guarantee></div>
<div> </user-data-constraint> --></div>
<div> <auth-constraint></div>
<div> <role-name>user</role-name></div>
<div> </auth-constraint></div>
<div> </security-constraint></div>
<div><br>
</div>
<div> <login-config></div>
<div> <auth-method>KEYCLOAK</auth-method></div>
<div> <realm-name>demo</realm-name></div>
<div> </login-config></div>
<div><br>
</div>
<div> <security-role></div>
<div> <role-name>user</role-name></div>
<div> </security-role></div>
<div></web-app></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Rodrigo Sasaki <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, July 29, 2014 at 12:51 PM<br>
<span style="font-weight:bold">To: </span>Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Bearer Only Application access with token<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">It is defined under the application itself, so I it's under the scope. This should be working right?</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <span dir="ltr">
<<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
What kind of role is it? Is the new role defined under the<br>
"database-service" application? If not, then you must add this role to<br>
the "database-service"'s scope in the admin console.<br>
<div class=""><br>
On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:<br>
> Hi,<br>
><br>
> I'm trying to secure a bearer-only application with keycloak, to access<br>
> it with access tokens, but I think I'm missing something.<br>
><br>
> I tried it with the database-service of the unconfigured demo.<br>
><br>
> 1. I created the user role in the application.<br>
> 2. I assigned that role to my user<br>
> 3. I copied the contents of the installation json to<br>
</div>
> *webapp/META-INF/keycloak.json*<br>
<div class="">><br>
> {<br>
> "realm": "demo",<br>
> "realm-public-key":<br>
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",<br>
> "bearer-only": true,<br>
> "ssl-not-required": true,<br>
> "resource": "database-service",<br>
> "use-resource-role-mappings": true<br>
> }<br>
><br>
</div>
> 4. Set the auth-method to *KEYCLOAK* on web.xml<br>
> 5. Started the server deploying the *database-service*<br>
> 6. Generated a token using *security-admin-console* client_id and my user<br>
> 7. Submitted a GET request to /localhost:8080/database/customers/<br>
<div class="">><br>
> After these steps I get a 403 error, saying that I'm not authorized to<br>
> access the resource, wasn't this supposed to work?<br>
><br>
> --<br>
> Rodrigo Sasaki<br>
><br>
><br>
</div>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">
https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font>
<div></div>
</div>
</div>
</div>
</div>
</span>
</body>
</html>