Yes, I have already created it. I'm using JBoss EAP 6.3. I have installed the adapter. But I have found a difference between adapter installation in Keycloak 1.0.4.Final and 1.1.0.beta2.

I'm using 1.0.4.Final and I add this line (as described for JBoss EAP at http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation ):
<extension module="org.keycloak.keycloak-as7-subsystem"/>

In 1.1.0.beta2 this configuration seems to be only for AS7. Should I use this? If I try it, I get an error (JBAS014674 module cannot be loaded)
<extension module="org.keycloak.keycloak-subsystem"/>

All changes made to my standalone.xml are:

<extensions>
    <extension module="org.keycloak.keycloak-as7-subsystem"/>
    ...
</extensions>
...
<security-domains>
    <security-domain name="keycloak">
        <authentication>
            <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
        </authentication>
    </security-domain>
    ...
</security-domains>

Do you think it is a configuration problem? Should any of my attempts to get user information work? Which one?

Regards,
Juan Escot
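The approach the original post is trying to get working, as an added example that is not code from the thread or from the Keycloak project: a JAX-RS resource that locates the KeycloakSecurityContext the Keycloak 1.x JBoss adapter attaches to the request, refuses the call when no validated token is present, and decides authorization from the realm roles inside the token instead of web.xml security-constraints. It assumes the adapter is installed and the application is deployed with <auth-method>KEYCLOAK</auth-method> and the "keycloak" security domain as in the post; the package name, the /whoami path and the "user" role are illustrative.

```java
// Added example (not from the thread). Assumes the Keycloak 1.x JBoss adapter
// is installed and the app uses <auth-method>KEYCLOAK</auth-method>, as in the
// original post. Package, path and the "user" role are hypothetical.
package example;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Path("/whoami")
public class WhoAmIResource {

    @Context
    HttpServletRequest request;

    @Context
    SecurityContext securityContext;

    /**
     * Find the KeycloakSecurityContext for this request. The adapter stores it
     * as a request attribute keyed by the class name and also wraps it in the
     * KeycloakPrincipal it installs as the user principal; try both and return
     * null if neither is present (no valid bearer token, or the adapter did
     * not run for this URL).
     */
    static KeycloakSecurityContext findContext(HttpServletRequest req, SecurityContext sc) {
        Object attr = req.getAttribute(KeycloakSecurityContext.class.getName());
        if (attr instanceof KeycloakSecurityContext) {
            return (KeycloakSecurityContext) attr;
        }
        if (sc != null && sc.getUserPrincipal() instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal) sc.getUserPrincipal()).getKeycloakSecurityContext();
        }
        return null;
    }

    @GET
    @Produces("application/json")
    public Response whoAmI() {
        KeycloakSecurityContext ctx = findContext(request, securityContext);
        if (ctx == null || ctx.getToken() == null) {
            // No validated token on this request: refuse instead of dereferencing null.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // The adapter has already verified the token signature and expiry;
        // the claims can be read directly without parsing the raw header.
        AccessToken token = ctx.getToken();

        Set<String> realmRoles = token.getRealmAccess() == null
                ? Collections.<String>emptySet()
                : token.getRealmAccess().getRoles();

        // Method-level authorization decided from the token's realm roles.
        if (!realmRoles.contains("user")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        Map<String, Object> info = new HashMap<String, Object>();
        info.put("subject", token.getSubject());
        info.put("username", token.getPreferredUsername());
        info.put("realmRoles", realmRoles);
        return Response.ok(info).build();
    }
}
```

Because this resource is a plain JAX-RS class rather than an EJB, it does not depend on the servlet identity propagating into the EJB container. If the resource is a @Stateless bean as in the original post, sc.getCallerPrincipal() and @RolesAllowed only see the Keycloak identity once the shared "keycloak" security domain with KeycloakLoginModule from the reply above is configured; reading the context from the request attribute, as findContext does, works independently of that.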




2015-01-20 12:41 GMT+01:00 Stian Thorgersen <stian@redhat.com>:
For the security context to propagate to EJBs you need to create a shared security domain, see http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation

----- Original Message -----
> From: "Juan Escot" <juan.escot@cdtec.es>
> To: keycloak-dev@lists.jboss.org
> Sent: Tuesday, 20 January, 2015 11:46:36 AM
> Subject: [keycloak-dev] Rest Service authentication.
>
> Hi,
> I'm developing an application with AngularJS and Rest Services. I'm using
> Keycloak for authentication and role management.
>
> My Angular project is registered as 'confidential' and works fine. It
> refreshes tokens and sends them in a header like this: 'Authorization:Bearer
> eyJhbGciOiJSUzI1Ni...'
>
> My Java project is defined as 'bearer only' and it's developed with Java EJBs
> as Rest Services. I need more control over permissions and roles, so I don't
> want to secure my project with security-constraints in web.xml. I'd like to
> get user info and roles inside my Rest methods from the token received. I have
> checked that I received the token with this line:
>
> String token = request.getHeader("authorization");
>
> But I can't get any additional information about the user. I have tried
> different approaches but I can't find a solution. Could I have a Keycloak
> object with user info?
>
> This is a fragment of my code with all my attempts:
>
> @Stateless
> @LocalBean
> @Path("/promociones")
> @SecurityDomain("keycloak")
> public class PromocionRest {
>     @Context
>     HttpServletRequest request;
>     @Context
>     SecurityContext securityContext;
>     @Resource
>     SessionContext sc;
>
>     @GET
>     @Produces("application/json")
>     @Path("/list")
>     //@RolesAllowed({ "user" }) <-- If I use this annotation I get an error.
>     @PermitAll
>     public RespuestaListaBase<Promocion> listadoPromociones(...){
>         // Attempt 1: principal installed by the adapter
>         KeycloakPrincipal principal =
>                 (KeycloakPrincipal) securityContext.getUserPrincipal();
>         // Attempt 2: security context stored as a request attribute by the adapter
>         KeycloakSecurityContext session = (KeycloakSecurityContext)
>                 request.getAttribute(KeycloakSecurityContext.class.getName());
>         // Attempt 3: caller principal as seen by the EJB container
>         if (sc != null && sc.getCallerPrincipal() != null) {
>             System.out.println("Principal's name according to EJB: " +
>                     sc.getCallerPrincipal().getName());
>         }
>
>         System.out.println("Is user in role 'user'? " +
>                 request.isUserInRole("user"));
>
>         // Attempt 4: call the admin REST API with the received token.
>         // The header value already carries the "Bearer " prefix, so strip it;
>         // otherwise the outgoing header would read "Bearer Bearer ...".
>         String token = request.getHeader("authorization");
>         if (token != null && token.startsWith("Bearer ")) {
>             token = token.substring("Bearer ".length());
>         }
>         HttpClient client = new HttpClientBuilder().disableTrustManager().build();
>         try {
>             String url = request.getRequestURL().toString();
>             url = url.substring(0, url.indexOf('/', 8));
>             HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
>             get.addHeader("Authorization", "Bearer " + token);
>             try {
>                 HttpResponse response = client.execute(get);
>                 if (response.getStatusLine().getStatusCode() != 200) {
>                     //throw new Failure(response.getStatusLine().getStatusCode());
>                 }
>                 HttpEntity entity = response.getEntity();
>                 InputStream is = entity.getContent();
>
>             } catch (IOException e) {
>                 throw new RuntimeException(e);
>             }
>         } finally {
>             client.getConnectionManager().shutdown();
>         }
>     }
> }
>
> I also have configured jboss-web.xml like this:
> <jboss-web>
>     <security-domain>keycloak</security-domain>
> </jboss-web>
>
> And web.xml like this:
> <login-config>
>     <auth-method>KEYCLOAK</auth-method>
>     <realm-name>demo</realm-name>
> </login-config>
>
> <security-role>
>     <role-name>user</role-name>
> </security-role>
>
> Some notes about the code:
> - KeycloakPrincipal principal =
> (KeycloakPrincipal)securityContext.getUserPrincipal(); <-- principal is
> always null
> - KeycloakSecurityContext session = (KeycloakSecurityContext)
> request.getAttribute(KeycloakSecurityContext.class.getName()); <-- session
> is always null
> - sc.getCallerPrincipal().getName() <-- returns 'anonymous', so it seems it
> isn't taking the security-domain?
> - request.isUserInRole("user") <-- returns null
> - HttpResponse response = client.execute(get) <-- throws an exception:
> org.jboss.resteasy.spi.UnauthorizedException: Bearer
> - If I use @RolesAllowed({ "user" }) annotation I get this error: JBAS014502:
> The invocation is not allowed in the method
> - String token = request.getHeader("authorization"); <-- I get
> 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
>
> I suppose I'm doing it wrong, but I don't know what the correct form is.
> Could I get user information from the token received?
>
> Thanks in advance,
> Juan Escot
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev