<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">If you're focused on security for REST
endpoints, I think it is quite easy to do it programmatically. You
may just need to parse the "Authorization" header from the request
with the bearer token and verify it with RSATokenVerifier.<span
style="background-color:#e4e4ff;">verifyToken, from which you
also retrieve the AccessToken. See the BearerTokenRequestAuthenticator
class for inspiration.<br>
<br>
Marek<br>
</span>
<br>
On 16/09/15 09:04, Orestis Tsakiridis wrote:<br>
</div>
<blockquote
cite="mid:CABjN768+KAzHaqH55bj+J-LJueh1-5iz=c=axKZSLaVQDh0uow@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>Thanks Bill, <br>
<br>
</div>
I think I may tackle the issue for now through the
KeycloakConfigResolver. Maybe return an empty deployment if
the API Key is in the request.<br>
<br>
</div>
<br>
Regards<br>
<br>
</div>
Orestis<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 16, 2015 at 2:39 AM, Bill
Burke <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">I'll
eventually implement adapter as a filter, but right now
security<br>
constraints are required.<br>
<div>
<div class="h5"><br>
On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote:<br>
> Hello,<br>
><br>
> Is it possible to apply programmatic access control
i.e. retrieve<br>
> KeycloakSecurityContext, get token, roles etc, when
the<br>
> &lt;security-constraint/&gt; elements have been
removed from web.xml?<br>
><br>
> The reason for that is that when
&lt;security-constraints/&gt; are present the<br>
> requests get dropped by the keycloak adapter before
reaching the REST<br>
> endpoints implementation in case they are not
carrying a token. I'm<br>
> trying to support an alternative authorization
mechanism using a custom<br>
> API Key parameter in case the OAuth token header is
missing.<br>
><br>
><br>
> Regards<br>
><br>
> Orestis<br>
><br>
</div>
</div>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com" rel="noreferrer"
target="_blank">http://bill.burkecentral.com</a><br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
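<div>Added example, not part of the thread and not Keycloak's own code: a sketch of the programmatic check described in the reply at the top, where a request without a bearer token may fall through to another mechanism but a token that is present and fails verification is rejected. The class name BearerTokenCheck, the realm URL placeholder and the Keycloak 1.x package names are assumptions.</div>

```java
import java.security.PublicKey;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException; // assumption: 1.x package name; later releases moved it
import org.keycloak.representations.AccessToken;

/** Hypothetical helper for REST endpoints that are not covered by a security-constraint. */
public class BearerTokenCheck {
    private final PublicKey realmKey; // realm public key, loaded by the application
    private final String realmUrl;    // placeholder form: https://sso.example.test/auth/realms/demo

    public BearerTokenCheck(PublicKey realmKey, String realmUrl) {
        this.realmKey = realmKey;
        this.realmUrl = realmUrl;
    }

    /** Returns the raw token, or null when the request has no "Authorization: Bearer ..." header. */
    static String extractBearer(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null) return null;
        String[] parts = header.trim().split("\\s+");
        if (parts.length != 2 || !"Bearer".equalsIgnoreCase(parts[0])) return null;
        return parts[1];
    }

    /**
     * Returns the verified token, or null when no bearer token was sent, in which
     * case the caller may try its alternative mechanism (the API key in this thread).
     * A token that is present but does not verify throws: the caller should answer
     * 401 and must not downgrade that request to the weaker mechanism.
     */
    public AccessToken authenticate(HttpServletRequest request) throws VerificationException {
        String tokenString = extractBearer(request);
        if (tokenString == null) return null;
        return RSATokenVerifier.verifyToken(tokenString, realmKey, realmUrl);
    }

    /** Realm roles from a verified token; empty when the token carries none. */
    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access access = token.getRealmAccess();
        if (access == null || access.getRoles() == null) return Collections.<String>emptySet();
        return access.getRoles();
    }
}
```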
</body>
</html>