<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
I'm afraid that we don't have support for a use case like this yet
afaik, as adapters are driven by servlet security and if you
access a protected URL without a token, you will just receive 401.
Maybe optional support for guest authentication in REST requests
is something to consider adding to Keycloak though...<br>
<br>
One possible alternative we have is a pure jaxrs filter, which you
can possibly add to your REST application if you're using jaxrs:
<a class="moz-txt-link-freetext" href="https://github.com/keycloak/keycloak/blob/master/integration/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsBearerTokenFilterImpl.java">https://github.com/keycloak/keycloak/blob/master/integration/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsBearerTokenFilterImpl.java</a>
. The problem is that you will still have to override at least the method
"bearerAuthentication" to not send an error in case of a missing token,
but use your guest account instead. Also I am really not sure if
jaxrs SecurityContext will be propagated to EJB layer, probably
not.<br>
<br>
Marek<br>
<br>
<br>
On 8.12.2014 11:15, Jérôme Blanchard wrote:<br>
</div>
<blockquote
cite="mid:CAPNq5vbvMdKtZ2XKK-G=aKOUKN6O04NaJm+=JARWfjtxF3Q7+w@mail.gmail.com"
type="cite">Hi all,
<div>I have a question about migrating my application to keycloak.</div>
<div>My application is based on : </div>
<div>- some EJB components</div>
<div>- a main REST interface driving the EJB components, </div>
<div>- a HTML5/Angular GUI client</div>
<div>- some remote REST api acting as clients of the main REST
api. </div>
<div>According to the documentation, I plan to use the adapters
according to my components but I'm facing a problem for the
main REST interface.</div>
<div><br>
</div>
<div>By default, the main REST interface handles requests using a
dedicated GUEST account. It's a kind of default account that is
propagated to the EJB container using a classic login mechanism.
This is handled in a ServletFilter that looks for HTTP
Authentication headers. If headers are not found, authentication
on the container is done using the default login 'guest'.</div>
<div>For this special account, a dedicated login-module is used in
the wildfly security domain (&lt;login-module code="Identity"
flag="required"&gt;)</div>
<div><br>
</div>
<div>I'm trying to migrate to keycloak using the undertow adapter
but I'm not able to handle a default login propagated to the EJB
layer.</div>
<div><br>
</div>
<div>The use case is that a simple call to the REST api without
authentication token header should result as a container
authenticated user guest whereas requests with token included
should try to perform the token-based authentication. In that
way, unauthenticated usage of HTML5/JS interface should result
as guest requests and login process only required when main REST
api throws AccessDeniedException.</div>
<div><br>
</div>
<div>Is there any way to perform this using the KEYCLOAK
auth-method or do I have to write a specific Filter handling a
kind of dual auth mechanism (guest and keycloak)?</div>
<div><br>
</div>
<div>Best regards, Jérôme.</div>
<br>
</blockquote>
<br>
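<div>A sketch of the dual guest/token filter discussed in this thread, added here as an example; it is not code from the thread or from Keycloak. It uses only the standard JAX-RS filter API; <code>TokenVerifier</code>, the class name and the role names "guest" and "user" are hypothetical, and it sets only the JAX-RS SecurityContext, so propagation to the EJB layer is not covered.</div>

```java
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Register an instance from your Application subclass, e.g. via getSingletons().
@Priority(Priorities.AUTHENTICATION)
public class GuestFallbackFilter implements ContainerRequestFilter {
    /** Hypothetical hook: returns the user name for a valid bearer token, or null. */
    public interface TokenVerifier { String verify(String token); }

    private final TokenVerifier verifier;

    public GuestFallbackFilter(TokenVerifier verifier) { this.verifier = verifier; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null) {
            // No credentials at all: the only case that maps to the guest account.
            ctx.setSecurityContext(contextFor("guest", true, ctx));
            return;
        }
        String user = null;
        if (header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            user = verifier.verify(header.substring(7).trim());
        }
        if (user == null) {
            // A header was sent but did not verify: reject, never downgrade to guest.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
            return;
        }
        ctx.setSecurityContext(contextFor(user, false, ctx));
    }

    private static SecurityContext contextFor(final String name, final boolean guest,
                                              ContainerRequestContext ctx) {
        final boolean secure = "https".equals(ctx.getUriInfo().getRequestUri().getScheme());
        return new SecurityContext() {
            public Principal getUserPrincipal() { return new Principal() { public String getName() { return name; } }; }
            // Constructed role names; real roles would come from the verified token.
            public boolean isUserInRole(String role) { return (guest ? "guest" : "user").equals(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return guest ? null : "Bearer"; }
        };
    }
}
```

<div>Treating an invalid or expired token as 401 rather than as guest keeps a failed login from silently turning into a lower-privileged session.</div>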
</body>
</html>