Hi Bill,
I’ll try to get some code out soon so we can review. The adapter core does take care of a
lot of the integration with KC and verification, which can be reused. The main component
from adapter core that’s helpful is RequestAuthenticator, which means I'll implement a
few abstract methods, and provide implementations of HttpFacade and AdapterTokenStore.
The main Spring classes for authentication are an AuthenticationProcessingFilter and an
AuthenticationProvider. The AuthenticationProcessingFilter will delegate authentication
and authorization requests to an implementation of RequestAuthenticator and the
AuthenticationProcessingFilter basically votes on whether or not to accept the
authentication.
If I was going to do this without RequestAuthenticator, I may as well write a generic
Spring Security OIDC client, but that would be a ton more work and would be more difficult
to configure. I like how the adapters let users get started quickly, by adding a library
and inserting the generated keycloak.json file into their deployment. The main goal of the
Keycloak Spring Security adapter is to eliminate the requirement that we use web.xml
security constraints and the need for a container-specific adapter.
Spring Security is a lot more flexible than the servlet security spec on what endpoints
should be protected and how. A lot of Spring Security users are accustomed to that
flexibility and I'd like to bring that to Keycloak while maintaining your adapter
deployment simplicity.
~ Scott
On Apr 21, 2015, at 10:53 AM, Bill Burke <bburke(a)redhat.com> wrote:
FYI, Our common adapter module is a bit convoluted as it is shared
between different versions of Jetty, Tomcat, JBoss, and Wildfly who all
do security a bit differently. A pure Spring adapter would be great,
but we have zero experience with Spring Security. I've done some
component integration work with core Spring awhile back, but nothing for
years.
On 4/21/2015 2:47 AM, Stian Thorgersen wrote:
> It's been years since I last looked at Spring, so I'm not the person to ask ;)
>
> It sounds like the pure Spring Security Adapter is the better option. You should at least
> try to use code from integration/adapter-core module as that's used as the core for
> all our current Java based adapters. Also, it should be configurable by supplying a
> keycloak.json file.
>
> ----- Original Message -----
>> From: "Scott Rossillo" <srossillo(a)smartling.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
>> Sent: Tuesday, 21 April, 2015 1:02:28 AM
>> Subject: Re: [keycloak-dev] Spring Security for Keycloak Contribution
>>
>> Hi,
>>
>> There are two different approaches here. The project I mentioned still relies
>> on a Keycloak adapter being present in the servlet container. It’s not quite
>> the final product I need but it would be useful to people who can declare
>> their protected resources in web.xml.
>>
>> What I’m working on now is a Keycloak adapter-less Spring Security
>> integration. Basically, it’s a Keycloak Spring Security Adapter that can
>> stand on its own and protect resources based on the Spring Security
>> configuration. It’s this latter implementation that I believe has the most
>> value.
>>
>> Question for you: Do you want to see both approaches covered or is one
>> approach more in line with the Keycloak project’s goals?
>>
>> In my opinion, the latter, Keycloak Spring Security Adapter, is of more value,
>> but please let me know your thoughts.
>>
>> Thanks in advance,
>> Scott
>>
>>
>>> On Apr 16, 2015, at 9:24 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>
>>> If you can prepare a PR for it that'd be great. Please add a
>>> 'spring-security' module within the integration module where all the other
>>> adapters live. Also, to create a distribution archive for the adapter
>>> please add a module inside distribution that packages it up (look at
>>> existing modules there for a reference).
>>>
>>> ----- Original Message -----
>>>> From: "Scott Rossillo" <srossillo(a)smartling.com>
>>>> To: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
>>>> Sent: Thursday, April 16, 2015 3:08:13 PM
>>>> Subject: [keycloak-dev] Spring Security for Keycloak Contribution
>>>>
>>>> Good morning,
>>>>
>>>> As I mentioned a few days ago on the users mailing list, we developed an
>>>> integration between the Keycloak Adapter and Spring Security. The
>>>> announcement can be found here:
>>>>
>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-April/001992.html
>>>>
>>>> The code is here:
>>>>
>>>> http://smartling.github.io/spring-security-keycloak/
>>>>
>>>> Would you be interested in either:
>>>> 1. Us contributing the code to the Keycloak project or
>>>> 2. You integrating the code into the Keycloak project
>>>>
>>>> We released the code under the Apache 2.0 license to be compatible with the
>>>> Keycloak project. Let me know your thoughts.
>>>> Best,
>>>> Scott
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com