Hi, <br><br><div>I've finally changed my use case to avoid giving the guest user a particular role (user) and switched to a completely anonymous way of working in EJB. In this case, avoiding a particular security-constraint in the webapp lets the keycloak undertow adapter pass anonymous requests through to the EJB and, in the case of an existing Bearer token, authenticate and propagate the principal.</div><div><br></div><div>So now we have a working solution that fits our needs. The next step is configuration of Grant Token for external webapps to access the REST interface using a Grant Token, but that's another story. </div><div><br></div><div>Thanks for your support. Best regards, Jérôme.</div><br><div class="gmail_quote">On Fri Dec 12 2014 at 11:18:30, Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<div>On 11.12.2014 11:31, Jérôme Blanchard
wrote:<br>
</div>
<blockquote type="cite">Hi everybody,
<div><br>
</div>
<div>I'm trying to migrate an existing application to keycloak and
I'm facing some problems.</div>
<div>My application is an ear composed of :</div>
<div>- one war containing Servlet and JaxRS resources (which are
not session beans but only rest resources calling EJBs)</div>
<div>- one jar containing EJB components secured with a dedicated
SecurityDomain.</div>
<div>- one HTML5/Angular client application</div>
<div><br>
</div>
<div>I've configured the security domain in standalone-full.xml
using the KeycloakLoginModule.</div>
<div>I've also configured the war using jboss-web.xml to use the
security domain of EJBs</div>
<div>Finally I've included the JAX-RS filter in order to allow
BearerToken authentication on the REST API in the WAR.</div>
<div><br>
</div>
<div>The Angular application is able to log in and to send the bearer
token in the HTTP header. The JAX-RS logs show that the token is
received and the user name is retrieved.</div>
<div>What happens is that authentication is not propagated to the
EJB Layer and the LoginModule is never called.</div>
</blockquote></div><div bgcolor="#FFFFFF" text="#000000">
Yes, the propagation from the JAX-RS filter to EJB unfortunately doesn't
work. You can use the adapter and servlet authentication, and in this
case it should be propagated as described in the reference guide -
<a href="http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter" target="_blank">http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter</a>
. But in another thread you also mentioned the requirement of "guest"
authentication (i.e. if the Authorization header with the bearer token is
not present, your app will use some kind of guest account instead of
sending back a 401 error). Is it still a requirement?<br>
<br>
It seems that the easiest short-term solution might be to add support
for guest authentication to our KC adapter. It will be an optional
feature, which will be disabled by default. If it's enabled, it will
use some predefined guest account and guest roles in case the
Authorization header is not present. But I am not sure if it's
something which we want to support in KC...<br>
<br>
Marek<br>
<blockquote type="cite"></blockquote></div><div bgcolor="#FFFFFF" text="#000000"><blockquote type="cite">
<div><br>
</div>
<div>Does anybody have an idea on how to make this propagation work?</div>
<div><br>
</div>
<div>Thanks for your help, best regards, Jérôme.</div>
<br>
<fieldset></fieldset>
<br>
</blockquote></div><div bgcolor="#FFFFFF" text="#000000"><blockquote type="cite"><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div>
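<div>The pattern Jérôme settles on in his last message (no security-constraint in the WAR, so the adapter lets token-less requests through as anonymous but still verifies a Bearer token when one is sent and propagates the principal to the EJB, which then decides per method) is shown below as an added example. It is not code from the thread or from the Keycloak project; the realm name "demo", the security-domain name "keycloak", the package, bean, method and role names are all assumptions.</div>

```java
// Added example, not from the thread or the Keycloak project.
// Assumed names: realm "demo", security domain "keycloak",
// bean CatalogService, realm roles "user" and "admin".
//
// WAR web.xml (shown as a comment so the whole example is one file):
//   <login-config>
//     <auth-method>KEYCLOAK</auth-method>
//     <realm-name>demo</realm-name>
//   </login-config>
//   <!-- Deliberately NO <security-constraint> carrying an
//        <auth-constraint><role-name>user</role-name></auth-constraint>:
//        such a constraint makes the adapter answer 401 when no Bearer
//        token is sent. Without it, requests without a token reach the
//        servlet/JAX-RS layer unauthenticated, while a request that does
//        carry a valid Bearer token is still verified and its principal
//        is propagated to the EJB call. -->
//
// WAR jboss-web.xml must name the same security domain as the EJB jar:
//   <jboss-web><security-domain>keycloak</security-domain></jboss-web>

package example.catalog; // assumed package

import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("keycloak") // assumed name; must match standalone-full.xml
public class CatalogService {

    @Resource
    private SessionContext ctx;

    /**
     * Reachable with or without a token. Because the web tier has no
     * security-constraint, the container never forces authentication here,
     * so the method itself must tell an anonymous caller from an
     * authenticated one. A caller without a token arrives as the
     * container's unauthenticated principal, so decide on a propagated
     * role rather than on the principal name.
     */
    @PermitAll
    public String describeCaller() {
        Principal caller = ctx.getCallerPrincipal();
        // isCallerInRole reflects the roles the KeycloakLoginModule
        // propagated from the token; "user" is an assumed realm role.
        if (ctx.isCallerInRole("user")) {
            return "authenticated as " + caller.getName();
        }
        return "anonymous";
    }

    /**
     * Privileged operation: the EJB container (not the web tier) enforces
     * the role, so an anonymous request that was let through by the
     * missing security-constraint still fails here with an
     * EJBAccessException.
     */
    @RolesAllowed("admin") // assumed realm role name
    public void deleteItem(String itemId) {
        // business logic, only reached by callers holding "admin"
    }
}
```

<div>The caveat to keep in mind with this layout: once the security-constraint is gone, nothing in the web tier rejects an unauthenticated request, so every access decision moves to the @RolesAllowed / @PermitAll annotations (or explicit isCallerInRole checks) on the EJBs. Any JAX-RS resource that does real work without delegating to a secured EJB is then reachable by anyone, so review those resources before removing the constraint.</div>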