Hello,
I'm rewriting my Java app, secured 'classically' using session-stored
credentials, to Keycloak. My app is an AJAX client with a REST channel implemented using
JAX-RS, so I've picked up keycloak-jaxrs-oauth-client and JaxrsBearerTokenFilterImpl.
However, I have one place which I can't (or I don't see the way to do this) secure
that way: those are URLs that produce binary resources, available as direct
downloads ( window.open ) and images (within an img tag). I can't instruct the browser to add
an Authorization token in that place; however, the classical cookie approach would work.
I can't find a way to use Cookies with the given filter, but I see that
BearerTokenRequestAuthenticator is already made extensible (it has a QueryParam
implementation); however, JaxrsBearerTokenFilterImpl doesn't give a way to choose the
implementation.
Are there any (optional) cookie-based approaches already made?
If the change was made to the bearerAuthentication method to replace

    BearerTokenRequestAuthenticator authenticator = new BearerTokenRequestAuthenticator(resolvedDeployment);

with

    BearerTokenRequestAuthenticator authenticator = createBearerTokenRequestAuthenticator(resolvedDeployment);
I would be free to change the implementation of that method in my custom class with the
strategy of my choice (either a pure cookie-based strategy, or using the cookie only when no
Authorization header is present).
Is such a change request a reasonable approach that could be accepted into the community
code base?
Best regards,
Lukasz Lech
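Below is an added example (not code from the mail or from the Keycloak code base) of the "cookie only when no Authorization header is present" strategy, wired through the factory method proposed above. It assumes the proposed createBearerTokenRequestAuthenticator hook exists on JaxrsBearerTokenFilterImpl, that BearerTokenRequestAuthenticator exposes a protected authenticateToken(HttpFacade, String) as the QueryParam variant uses, and that HttpFacade.Request offers getHeader, getMethod and getCookie; import packages differ between Keycloak versions, and the cookie name is a made-up application choice.

```java
import org.keycloak.adapters.AuthOutcome;                    // package varies by Keycloak version
import org.keycloak.adapters.BearerTokenRequestAuthenticator;
import org.keycloak.adapters.HttpFacade;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl;

/**
 * Bearer authenticator that falls back to an access-token cookie when the
 * browser could not send an Authorization header (window.open downloads, img tags).
 * Added example; relies on the assumptions stated in the lead-in.
 */
public class CookieFallbackBearerAuthenticator extends BearerTokenRequestAuthenticator {

    /** Hypothetical cookie name chosen by the application (should be set HttpOnly + Secure). */
    public static final String TOKEN_COOKIE = "KEYCLOAK_ACCESS_TOKEN";

    public CookieFallbackBearerAuthenticator(KeycloakDeployment deployment) {
        super(deployment);
    }

    @Override
    public AuthOutcome authenticate(HttpFacade exchange) {
        // The AJAX/REST calls still carry the header, so that path is untouched.
        if (exchange.getRequest().getHeader("Authorization") != null) {
            return super.authenticate(exchange);
        }
        // Cookies are attached by the browser automatically, so restrict the
        // fallback to the safe GET requests the download/image URLs actually need;
        // this keeps state-changing endpoints out of the cookie path (CSRF exposure).
        if (!"GET".equalsIgnoreCase(exchange.getRequest().getMethod())) {
            return AuthOutcome.NOT_ATTEMPTED;
        }
        HttpFacade.Cookie cookie = exchange.getRequest().getCookie(TOKEN_COOKIE);
        if (cookie == null || cookie.getValue() == null || cookie.getValue().isEmpty()) {
            return AuthOutcome.NOT_ATTEMPTED;
        }
        // Same signature, expiry and issuer validation as the header-based path.
        return authenticateToken(exchange, cookie.getValue());
    }
}

/** Filter subclass that plugs the strategy in via the proposed factory method. */
class CookieAwareBearerTokenFilter extends JaxrsBearerTokenFilterImpl {
    @Override
    protected BearerTokenRequestAuthenticator createBearerTokenRequestAuthenticator(
            KeycloakDeployment resolvedDeployment) {
        return new CookieFallbackBearerAuthenticator(resolvedDeployment);
    }
}
```

The cookie must be issued by the application itself after the token is obtained; the filter only consumes it.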