Yes, you're supposed to add the "Authorization: Bearer access-token-here" header in each REST or WebService request from your frontend application. The adapter on webservice side will always validate the accessToken in each request and it allows it to pass just if it's valid.

Marek

On 5.8.2015 08:35, Satyajit Das wrote:
Hi Bill,

Thanks a lot  for the quick response. Just one more query on the webservice side.

As per the instruction , I made the webservice access type as bearer.

Lets say. I have a service called http://localhost:8082/candidates/.

This in turn has many webservice operation such as
post: http://localhost:8082/candidates/{candidate}
put: http://localhost:8082/candidates/candidate/{id} 
get:http://localhost:8082/candidates/candidate/{id}.

after a successful token verification:
 HttpGet get = new HttpGet(AdapterUtils.getOriginForRestCalls(req.getRequestURL().toString(), session) + "/candidate/{some id}");
            get.addHeader("Authorization", "Bearer " + session.getTokenString());
            try {
                HttpResponse response = client.execute(get);
                if (response.getStatusLine().getStatusCode() != 200) {
                    throw new Failure(response.getStatusLine().getStatusCode());
                }
                HttpEntity entity = response.getEntity();
                InputStream is = entity.getContent();
                try {
                  //  return JsonSerialization.readValue(is, String.class);
                return "hello";
                } finally {
                    is.close();
                }

do i need to further authenticate each call via the same method for other restful call.

Do we have any option where in we can say authenticate once and go ahead with multiple webservice call without further token verification.

Regards,
Satya.

On Tue, Aug 4, 2015 at 7:25 PM, Bill Burke <bburke@redhat.com> wrote:


On 8/4/2015 9:48 AM, Satyajit Das wrote:
> Hi Team,
>
> Kindly respond to the below queries.
>
> 1)What is the limit to the number of realms, roles per realm, and users
> per realm or users per role in key cloak.
>

We haven't really tested the limits.  Should be pretty large.  I know
one keycloak user has a database of around 1 million users.

> 2)what is the expire time of a token id generated in key
> cloak.(session.getTokenString()).
>

Its configurable in admin console

> 3) is there any authentication done after successfull login ,if I visit
> subsequent pages.
>

Do you mean is there any authentication with the Keycloak server?
Once a user is logged in, they do not see any more authentication
screens.  Once you visit one application, you are authenticated for that
application.  If you visit another application, you are redirected to
keycloak auth server, auth server will validate the SSO cookie, then
generate a token for the aplication and send you back there.




--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev



_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev