Hi,

I'm developing an application with AngularJS and Rest Services. I'm using Keycloak for authentication and role management. 

Mi Angular project is registered as 'confidential' and work's fine. It refresh tokens and sends it on header like this: 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'

Mi java project is defined as 'bearer only' and it's developed with Java EJBs as Rest Services. I need more control over permissions and roles, so I don't want to secure my project with  security-contraints at web.xml. I'd like to get user info and roles inside my Rest methods from token received. I have checked I received the token with this line:

String token = request.getHeader("authorization");

But, I can't get any additional information about user. I have tried different approaches but I can't fin a solution. Could I have a Keycloak object with user info?.

This is a fragment of my code with all my attemps:

@Stateless

@LocalBean

@Path("/promociones")

@SecurityDomain("keycloak")

public class PromocionRest  {

    @Context

    HttpServletRequest request;

    

    @Context

    SecurityContext securityContext;    

    

@Resource

SessionContext sc;

   

@GET

@Produces("application/json")

@Path("/list")

//@RolesAllowed({ "user" }) <-- If I use this annotation y get an error.

@PermitAll

public RespuestaListaBase<Promocion> listadoPromociones(...){

KeycloakPrincipal principal = (KeycloakPrincipal)securityContext.getUserPrincipal();

KeycloakSecurityContext session = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());

if (sc!=null && sc.getCallerPrincipal()!=null){

System.out.println("Principal's name according to EJB: " + sc.getCallerPrincipal().getName());

}

        System.out.println("Is user in role 'user'? " + request.isUserInRole("user"));

        String token = request.getHeader("authorization");

        

        HttpClient client = new HttpClientBuilder().disableTrustManager().build();

try {

String url = request.getRequestURL().toString();

       url = url.substring(0, url.indexOf('/', 8));

   

       HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");

   get.addHeader("Authorization", "Bearer " + token);

   try {

       HttpResponse response = client.execute(get);

       if (response.getStatusLine().getStatusCode() != 200) {

           //throw new Failure(response.getStatusLine().getStatusCode());

       }

       HttpEntity entity = response.getEntity();

       InputStream is = entity.getContent();

   } catch (IOException e) {

       throw new RuntimeException(e);

   }

} finally {

   client.getConnectionManager().shutdown();

}   

}

}

I also have configured jboss-web.xml like this:

<jboss-web>

    <security-domain>keycloak</security-domain>

</jboss-web>

And web.xml like this:

    <login-config>

        <auth-method>KEYCLOAK</auth-method>

        <realm-name>demo</realm-name>

    </login-config>     

    <security-role>

        <role-name>user</role-name>

    </security-role>

Some notes about the code:

- KeycloakPrincipal principal = (KeycloakPrincipal)securityContext.getUserPrincipal();  <-- principal is always null

- KeycloakSecurityContext session = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName()); <-- session is always null

- sc.getCallerPrincipal().getName() <-- returns 'anonymous', so it seems it isn't taking security-domain? 

- request.isUserInRole("user") <-- returns null

- HttpResponse response = client.execute(get) <-- throws an exception: org.jboss.resteasy.spi.UnauthorizedException: Bearer

- If I use @RolesAllowed({ "user" }) annotation I get this error: JBAS014502: The invocation is not allowed in the method

- String token = request.getHeader("authorization"); <-- I get 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'

I suppose i'm doing it wrong, but I don't know what is the correct form. Could I get user information from token received?

Thanks in advance,

Juan Escot