<div dir="ltr"><div><div>Hi, <br><br></div>Marek, the tip of building a simple redirect servlet protected by a user role constraint and leaving the other servlets unconstrained is working like a charm. This simple servlet acts as a redirect point to ensure the Keycloak adapter handles authentication without writing new code. A perfect solution in fact.<br><br></div>Thank you very much for your support, best regards, Jérôme.<br></div><br><div class="gmail_quote">On Thu, Apr 23, 2015 at 18:34, Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Please read this:<br>
<br>
<a href="http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#jboss-adapter" target="_blank">http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#jboss-adapter</a><br>
<br>
add a @SecurityDomain("keycloak") to your EJB and it will pick up the<br>
Keycloak context.<br>
<br>
On 4/23/2015 12:16 PM, Marek Posolda wrote:<br>
> You're not wrong. With ServletOAuthClient you have control when you<br>
> redirect the user to the KC login screen. But you're completely independent<br>
> of the WildFly container security layers, hence no propagation to the EJB layer.<br>
><br>
> Whether ServletOAuthClient is good for you depends on the use case you want<br>
> to achieve. Maybe it is better for you to add some security-constraint<br>
> URL to your web.xml (for example "/my-protected-url") and you will<br>
> redirect your application to /my-protected-url (with<br>
> httpResponse.sendRedirect) whenever you want your application to be<br>
> logged with keycloak. Then once KC authentication is finished and your<br>
> application will visit "/my-protected-url" as authenticated user, you<br>
> will redirect back to the original URL before authentication.<br>
><br>
> Not sure if EJB propagation will happen once you're authenticated but<br>
> visit an unprotected URL, though... But at least you can give it a shot.<br>
><br>
> Marek<br>
><br>
> On 23.4.2015 15:35, Jérôme Blanchard wrote:<br>
>> Hi,<br>
>> I wonder whether the Servlet OAuth Client won't propagate authentication<br>
>> to the WildFly EJB layer... Am I wrong?<br>
>> Jérôme.<br>
>><br>
>> On Tue, Apr 21, 2015 at 18:13, Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>><br>
>> wrote:<br>
>><br>
>> You can take a look at our examples for how to use<br>
>> ServletOAuthClient. Hopefully it could help with your use case:<br>
>> <a href="https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party</a><br>
>> <a href="https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party-cdi" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party-cdi</a><br>
>><br>
>> Marek<br>
>><br>
>><br>
>> On 21.4.2015 12:14, Jérôme Blanchard wrote:<br>
>>> Hi all,<br>
>>><br>
>>> I'm trying to protect a servlet application which can be accessed<br>
>>> either as an anonymous user or as an authenticated user. Some<br>
>>> resources are protected and my application handles the<br>
>>> access control (not role based), so I can't use the war protection<br>
>>> using a user role constraint.<br>
>>> In this case I've removed the role constraint in the web.xml and<br>
>>> the Keycloak WildFly (Undertow) adapter lets me access the<br>
>>> application as an unauthenticated user (anonymous), which is perfect.<br>
>>> What I want to handle on some AccessDeniedException is to<br>
>>> redirect the user to the authentication server manually. In this<br>
>>> case, the user is authenticated and comes back to the protected URL,<br>
>>> no longer anonymous but an authenticated user.<br>
>>> Is there a way to handle this redirection to the authentication<br>
>>> server manually? (I don't know where to store the state variable<br>
>>> allowing the Keycloak WildFly adapter to properly handle the auth<br>
>>> redirect that includes the code.)<br>
>>><br>
>>> Best regards, Jérôme.<br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> keycloak-user mailing list<br>
>>> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
>><br>
><br>
><br>
><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</blockquote></div>
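The redirect-point pattern Marek suggests and Jérôme reports working, as an added worked example that is not part of the thread and not Keycloak's own code. It assumes the Keycloak WildFly/Undertow adapter is installed with <code>KEYCLOAK</code> as the auth-method, that the only security-constraint in web.xml covers the chosen entry URL <code>/login-redirect</code> and requires the role <code>user</code>, and that every other URL stays unconstrained so anonymous access keeps working. The servlet names, the session attribute name and the "public" path rule are all invented for illustration. One point the thread does not spell out: the return target is kept in the session rather than in a query parameter, and is checked to be a path inside this application before the final redirect, so the protected entry point cannot be turned into an open redirector. The example relies on the container changing the session id on login rather than invalidating the session; if your setup discards session attributes across login, carry the target in a cookie instead.

```java
package example;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Assumed web.xml (not from the thread): KEYCLOAK auth-method and a single
 * security-constraint on the redirect point; every other URL stays unconstrained.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>login-redirect</web-resource-name>
 *       <url-pattern>/login-redirect</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>KEYCLOAK</auth-method></login-config>
 *   <security-role><role-name>user</role-name></security-role>
 */

/** Helper used by unconstrained servlets to start a Keycloak login via the redirect point. */
final class LoginRedirect {
    /** Session attribute holding the URL to return to after login (name chosen for this example). */
    static final String RETURN_TO = "example.returnTo";

    private LoginRedirect() {}

    /** Remember where the anonymous user was, then send them to the role-protected entry point. */
    static void begin(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String target = req.getRequestURI();
        if (req.getQueryString() != null) {
            target += "?" + req.getQueryString();
        }
        req.getSession(true).setAttribute(RETURN_TO, target);
        resp.sendRedirect(req.getContextPath() + "/login-redirect");
    }

    /**
     * Accept only a path inside this application. Anything absolute, protocol-relative
     * ("//evil.example") or outside the context path falls back to the context root, so the
     * redirect point cannot be abused as an open redirector even if the stored value is tampered with.
     */
    static String safeReturnTarget(String contextPath, String candidate) {
        String fallback = contextPath + "/";
        if (candidate == null || candidate.startsWith("//") || candidate.startsWith("/\\")) {
            return fallback;
        }
        try {
            URI uri = new URI(candidate);
            if (uri.isAbsolute() || uri.getAuthority() != null) {
                return fallback;
            }
        } catch (URISyntaxException e) {
            return fallback;
        }
        return candidate.startsWith(contextPath + "/") ? candidate : fallback;
    }
}

/** The redirect point: the only URL with a role constraint, so reaching doGet means login completed. */
@WebServlet("/login-redirect")
public class LoginRedirectServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        String target = null;
        if (session != null) {
            target = (String) session.getAttribute(LoginRedirect.RETURN_TO);
            session.removeAttribute(LoginRedirect.RETURN_TO);   // one-shot: do not replay a stale target
        }
        resp.sendRedirect(LoginRedirect.safeReturnTarget(req.getContextPath(), target));
    }
}

/** An unconstrained servlet that applies the application's own (non-role) access rule. */
@WebServlet("/documents/*")
class DocumentServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Stand-in for the application's real access-control decision (assumed rule for this example).
        boolean isPublic = req.getPathInfo() != null && req.getPathInfo().startsWith("/public/");
        if (!isPublic && req.getUserPrincipal() == null) {
            LoginRedirect.begin(req, resp);   // where the code would otherwise throw AccessDeniedException
            return;
        }
        resp.setContentType("text/plain");
        String who = req.getUserPrincipal() == null ? "anonymous" : req.getUserPrincipal().getName();
        resp.getWriter().println("Document served to " + who);
    }
}
```

Flow: an anonymous request to <code>/documents/private/report</code> stores that path in the session and redirects to <code>/login-redirect</code>; the container's constraint makes the Keycloak adapter run the login and code exchange; once the adapter has set the principal, <code>LoginRedirectServlet</code> reads the stored path, validates it, and sends the now-authenticated user back. Because the adapter, not the application, performs the redirect to Keycloak, there is no state parameter for the application to manage, which was the original question.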