For the security context to propagate to EJBs you need to create a shared security domain,
see
From: "Juan Escot" <juan.escot(a)cdtec.es>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 20 January, 2015 11:46:36 AM
Subject: [keycloak-dev] Rest Service authentication.
Hi,
I'm developing an application with AngularJS and Rest Services. I'm using
Keycloak for authentication and role management.
My Angular project is registered as 'confidential' and works fine. It
refreshes tokens and sends them in a header like this: 'Authorization:Bearer
eyJhbGciOiJSUzI1Ni...'
My Java project is defined as 'bearer only' and it's developed with Java
EJBs as Rest Services. I need more control over permissions and roles, so I don't
want to secure my project with security-constraints in web.xml. I'd like to
get user info and roles inside my Rest methods from the token received. I have
checked that I receive the token with this line:
String token = request.getHeader("authorization");
But I can't get any additional information about the user. I have tried
different approaches but I can't find a solution. Could I have a Keycloak
object with user info?
This is a fragment of my code with all my attempts:
import java.io.IOException;
import java.io.InputStream;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.LocalBean;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.HttpClientBuilder;

@Stateless
@LocalBean
@Path("/promociones")
@SecurityDomain("keycloak")
public class PromocionRest {
    @Context
    HttpServletRequest request;
    @Context
    SecurityContext securityContext;
    @Resource
    SessionContext sc;

    @GET
    @Produces("application/json")
    @Path("/list")
    //@RolesAllowed({ "user" }) <-- If I use this annotation I get an error.
    @PermitAll
    public RespuestaListaBase<Promocion> listadoPromociones(...){
        // JAX-RS view of the caller: the adapter sets a KeycloakPrincipal here
        KeycloakPrincipal principal =
                (KeycloakPrincipal) securityContext.getUserPrincipal();
        // Adapter-specific context stored as a request attribute (token, token string)
        KeycloakSecurityContext session = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        // EJB container view of the caller
        if (sc != null && sc.getCallerPrincipal() != null) {
            System.out.println("Principal's name according to EJB: " +
                    sc.getCallerPrincipal().getName());
        }
        System.out.println("Is user in role 'user'? " +
                request.isUserInRole("user"));

        // The header value is "Bearer <token>", so strip the scheme before
        // forwarding it; prepending "Bearer " again would send "Bearer Bearer ...".
        String authHeader = request.getHeader("authorization");
        String token = (authHeader != null && authHeader.startsWith("Bearer "))
                ? authHeader.substring("Bearer ".length()) : authHeader;

        // disableTrustManager() turns off TLS certificate validation; fine for a
        // local test, not for anything that talks to a real server.
        HttpClient client = new HttpClientBuilder().disableTrustManager().build();
        try {
            // Derive the server base URL (scheme://host[:port]) from the current request
            String url = request.getRequestURL().toString();
            url = url.substring(0, url.indexOf('/', 8));
            HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
            get.addHeader("Authorization", "Bearer " + token);
            try {
                HttpResponse response = client.execute(get);
                if (response.getStatusLine().getStatusCode() != 200) {
                    //throw new Failure(response.getStatusLine().getStatusCode());
                }
                HttpEntity entity = response.getEntity();
                InputStream is = entity.getContent();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
I also have configured jboss-web.xml like this:
<jboss-web>
<security-domain>keycloak</security-domain>
</jboss-web>
And web.xml like this:
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>demo</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
Some notes about the code:
- KeycloakPrincipal principal =
(KeycloakPrincipal)securityContext.getUserPrincipal(); <-- principal is
always null
- KeycloakSecurityContext session = (KeycloakSecurityContext)
request.getAttribute(KeycloakSecurityContext.class.getName()); <-- session
is always null
- sc.getCallerPrincipal().getName() <-- returns 'anonymous', so it seems it
isn't taking security-domain?
- request.isUserInRole("user") <-- returns null
- HttpResponse response = client.execute(get) <-- throws an exception:
org.jboss.resteasy.spi.UnauthorizedException: Bearer
- If I use @RolesAllowed({ "user" }) annotation I get this error: JBAS014502:
The invocation is not allowed in the method
- String token = request.getHeader("authorization"); <-- I get
'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
I suppose I'm doing it wrong, but I don't know what the correct form is.
Could I get user information from the token received?
Thanks in advance,
Juan Escot
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
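As an added example (not code from this thread), assuming the shared security domain the reply mentions is configured so the Keycloak adapter actually runs for the request: a resource method that locates the adapter's security context, reads username and realm roles from the already-verified access token, and enforces the "user" role in code instead of in web.xml. The resource and method names are made up for the illustration.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Path("/whoami") // hypothetical resource, not from the thread
public class WhoAmIResource {
    @Context HttpServletRequest request;
    @Context SecurityContext securityContext;

    /** Find the adapter's context: request attribute first, then the JAX-RS principal. */
    private KeycloakSecurityContext keycloakContext() {
        Object attr = request.getAttribute(KeycloakSecurityContext.class.getName());
        if (attr instanceof KeycloakSecurityContext) {
            return (KeycloakSecurityContext) attr;
        }
        Principal p = securityContext.getUserPrincipal();
        if (p instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal) p).getKeycloakSecurityContext(); // raw cast: works on old and new adapters
        }
        return null; // adapter did not authenticate this request (e.g. security domain not shared)
    }

    @GET
    @Produces("text/plain")
    public Response whoAmI() {
        KeycloakSecurityContext ctx = keycloakContext();
        if (ctx == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        AccessToken token = ctx.getToken(); // signature already checked by the adapter
        AccessToken.Access realm = token.getRealmAccess();
        Set<String> roles = (realm == null) ? Collections.<String>emptySet() : realm.getRoles();
        if (!roles.contains("user")) { // authorization decision made here, not in web.xml
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("user=" + token.getPreferredUsername() + " roles=" + roles).build();
    }
}
```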