Hi, by mentioning the servlet adapter, do you mean the WAR configured using web.xml (server side), or the client servlet adapter?<div><br></div><div>In our configuration we have a REST API protected using the WAR WildFly adapter (ensuring EJB auth propagation) and a JS client.<br><div><br></div><div>I tried using the cookie token store configuration (<a id="stateless-token-store"><pre class="" style="display:inline!important">"token-store": "cookie"</pre></a>) in the WildFly adapter (server side), but no cookie is set in my HTML5/JS client and it seems no cookie is caught by the WildFly adapter... </div><div>Did I miss something?</div><div><br></div><div>Best regards, Jérôme.</div><div><br><div class="gmail_quote">On Mon Dec 22 2014 at 16:24:58, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:</div><div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Servlet adapter already does this.<br>
<br>
* 1.0.x Keycloak attaches the token to the Http Session.<br>
* 1.1 Beta+ Keycloak adapter has an option to store the token in a<br>
cookie instead of the HttpSession.<br>
<br>
On 12/18/2014 12:07 PM, Jérôme Blanchard wrote:<br>
> Hi all,<br>
><br>
> Is it possible to configure the servlet adapter to check for the presence of a<br>
> bearer token in a cookie instead of in a header?<br>
> This question is about the file download use case. If the bearer token<br>
> is placed in a cookie by the JavaScript client at the same time as<br>
> setting the header, this will ensure that the cookie is sent by the<br>
> browser in the case of a file download or an <img> tag that would<br>
> happen outside of an XHR.<br>
><br>
> Thanks, Best Regards, Jérôme.<br>
><br>
> On Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard <<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>> wrote:<br>
><br>
> Hi Stian,<br>
><br>
> Thanks for your clarifications; we have chosen to implement the<br>
> time-based password solution.<br>
> Using a ServletFilter and the Servlet 3.0 HttpRequest.login()<br>
> feature we're able to intercept the token from a query parameter and<br>
> propagate it to the JAAS stack. A dedicated LoginModule validates<br>
> this token to enforce the principal in the EJB SecurityContext and,<br>
> according to this, our custom authorisation system is used as-is<br>
> without the need to create a hook in the download operation.<br>
> This solution has the advantage of not interfering with the classic<br>
> OAuth authentication when using an XHR header or a REST client<br>
> that programmatically includes the bearer token in the request header.<br>
><br>
> Thanks a lot for your support, Best Regards, Jérôme.<br>
><br>
><br>
><br>
> On Wed Dec 17 2014 at 09:05:22, Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>> wrote:<br>
><br>
><br>
><br>
> ----- Original Message -----<br>
> > From: "Jérôme Blanchard" <<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>><br>
> > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>><br>
> > Cc: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> > Sent: Tuesday, 16 December, 2014 5:51:37 PM<br>
> > Subject: Re: [keycloak-user] HTML5/JS and download URL.<br>
> ><br>
> > Hi,<br>
> ><br>
> > Thank you for your answer. Sorry for my lack of knowledge of OAuth, but<br>
> > speaking about generating a temporary token to include in the link, what<br>
> > kind of token do you mean and what is the best way to do that with Keycloak?<br>
><br>
> We don't have any support for this at the moment so you would<br>
> have to make it yourself. With regards to the token, all I mean is<br>
> something temporary that allows the server to verify the user<br>
> has permissions to download the file.<br>
><br>
> For example the token could be the base64 encoded signature<br>
> (hmac, rsa or whatever you'd like) of userid,<br>
> timestamp/expiration and file-url. That way the server can<br>
> simply verify the signature on the server-side when the user is<br>
> trying to download the file and check that it matches.<br>
><br>
> ><br>
> > Best regards, Jérôme.<br>
> ><br>
> > 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>>:<br>
> > ><br>
> > ><br>
> > ><br>
> > > ----- Original Message -----<br>
> > > > From: "Jérôme Blanchard" <<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>><br>
> > > > To: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> > > > Sent: Monday, 15 December, 2014 3:13:06 PM<br>
> > > > Subject: [keycloak-user] HTML5/JS and download URL.<br>
> > > ><br>
> > > > Hi all,<br>
> > > > We have a use case where an HTML5/Angular application is calling a REST<br>
> > > > interface using Keycloak for SSO authentication. Everything works fine until<br>
> > > > we need to download files or preview images (using an <img> tag). In both<br>
> > > > cases, it is the browser that performs the request on the REST URL and,<br>
> > > > because of a specific XHR authentication putting the bearer token in the<br>
> > > > headers, a 'classic' browser request for downloading a file results in an<br>
> > > > UNauthenticated request because there is no bearer token.<br>
> > > ><br>
> > > > We're wondering whether there is a best practice to handle this case. We plan to<br>
> > > > include a dedicated token as a download request parameter and to check this<br>
> > > > particular query parameter programmatically in the /download JAX-RS<br>
> > > > operation. What kind of token should we put in the query, and is there<br>
> > > > an already existing mechanism to catch such a token in JAX-RS server-side<br>
> > > > operations or programmatically?<br>
> > ><br>
> > > We actually had the same issue in our admin console as we provide a<br>
> > > download option for the application config. AFAIK there are two solutions:<br>
> > ><br>
> > > * Generate a temporary token - basically what you're suggesting. There are<br>
> > > two ways you can do this: always generate one and add it to the link, or<br>
> > > use a redirect that only generates the token on demand<br>
> > > * Use XHR to get the file, which allows setting the Authorization header,<br>
> > > then use JavaScript to download<br>
> > ><br>
> > > There's currently no direct support for this in Keycloak, but it would be<br>
> > > interesting to add.<br>
> > ><br>
> > > ><br>
> > > > Thanks a lot for your support and for such good work, Best Regards, Jérôme.<br>
> > > ><br>
> > > > _______________________________________________<br>
> > > > keycloak-user mailing list<br>
> > > > <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> > > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> > ><br>
> ><br>
><br>
><br>
><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</blockquote></div></div></div>