Hello Luis,
Your approach will not work for me: In my setup there is no predefined set of secure and
unsecure URLs: there are many URLs which can be accessed without any login and also with
login. But the content which is displayed when accessing these URLs depends if the user is
authenticated or not.
That’s the reason why all those filters and valves will not work for me.
My idea is as follows:
When a request comes in, I will check if it contains some token. If yes, the system should
try to identify the user using keycloak, otherwise the username is set to anonymous.
In the next step the system checks if the user has sufficient rights for
viewing/editing/deleting the entity identified by the requested URL. If the rights are
sufficient (even with the anonymous user) all is well, otherwise the system will redirect
to the keycloak server to obtain such a token mentioned above.
But I haven’t found any detailed documentation on that use case.
Regards,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
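As an added example (not code from this mail, from Keycloak or from Tomcat), a servlet filter sketching the three steps described above. TokenVerifier, EntityAcl, loginUrl and the returnTo session attribute are assumptions standing in for the Keycloak token verification and the application's own rights model; because the filter takes constructor arguments it is meant to be registered programmatically (ServletContext.addFilter with an instance) rather than in web.xml.

```java
import java.io.IOException;
import java.util.Optional;
import javax.servlet.*;
import javax.servlet.http.*;
// Assumed interface wrapping whatever Keycloak token check the application uses.
interface TokenVerifier { Optional<String> verify(String bearerToken); }  // empty if invalid
// Assumed interface: the application's own per-entity rights lookup.
interface EntityAcl { boolean permits(String user, String entityPath, String action); }
// Hypothetical filter implementing the three steps described in the mail above.
public class OptionalAuthFilter implements Filter {
    static final String ANONYMOUS = "anonymous";
    private final TokenVerifier verifier;
    private final EntityAcl acl;
    private final String loginUrl;  // assumed: URL at which the app starts a Keycloak login
    public OptionalAuthFilter(TokenVerifier v, EntityAcl a, String url) { verifier = v; acl = a; loginUrl = url; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Step 1: no token, or one the verifier rejects, means "anonymous"; an unverified token is never trusted.
        String user = ANONYMOUS;
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            user = verifier.verify(header.substring(7)).orElse(ANONYMOUS);
        }
        // Step 2: rights are checked for every caller, anonymous included, so public
        // entities stay reachable without a login; the action derives from the HTTP method.
        String method = request.getMethod();
        String action = "GET".equals(method) || "HEAD".equals(method) ? "view"
                      : "DELETE".equals(method) ? "delete" : "edit";
        String entity = request.getRequestURI().substring(request.getContextPath().length());
        if (acl.permits(user, entity, action)) {
            request.setAttribute("user", user);  // lets servlets render per-user content
            chain.doFilter(request, response);
            return;
        }
        // Step 3: insufficient rights. Anonymous callers go to Keycloak to log in (the path
        // is remembered in the session); a logged-in caller lacking rights gets 403 instead.
        if (ANONYMOUS.equals(user)) {
            request.getSession(true).setAttribute("returnTo", request.getRequestURI());
            response.sendRedirect(loginUrl);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The one deliberate deviation from the plan in the mail is step 3: an already authenticated user who lacks rights receives 403 instead of another redirect to Keycloak, which would only loop back with the same identity.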
From: Luis Rodríguez Fernández <uo67113(a)gmail.com>
Sent: Thursday, 29 March 2018 15:13
To: Schenk, Manfred <Manfred.Schenk(a)iosb.fraunhofer.de>
Subject: Re: [keycloak-user] Securing tomcat-based web applications without using
container-security (i.e. without using filters, constraints and valves)?
Hello Schenk,
If your Identity Provider "speaks" SAML, you can give a try to
http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet....
I am testing it for some of our tomcat-based applications and it works out-of-the-box (BTW
thanks keycloak folks!).
My deployment descriptor (web.xml) looks like this:
<filter>
    <filter-name>Keycloak Filter</filter-name>
    <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
    <init-param>
        <param-name>keycloak.config.file</param-name>
        <param-value>/usr/local/tomcat/keycloak-saml-servlet-adapter.xml</param-value>
    </init-param>
</filter>
<!-- From the docs: "You must have a filter mapping that covers /saml." -->
<filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/saml</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/secure/*</url-pattern>
</filter-mapping>
In this way, just playing with the url-patterns of my resources I can make them private or
public. E.g.
<servlet-mapping>
    <servlet-name>SessionExampleServlet</servlet-name>
    <url-pattern>/SessionExample</url-pattern>
    <url-pattern>/secure/SessionExample</url-pattern>
</servlet-mapping>
Hope it helps,
Luis
2018-03-29 14:38 GMT+02:00 Schenk, Manfred <Manfred.Schenk@iosb.fraunhofer.de>:
Hello,
I want to use keycloak for user Authentication in my tomcat based web application.
But since the web application should also be accessible without any login, I think I will
not be able to use the container-based security and handle the keycloak communication by
myself from within my web application.
Are there any tutorials or recommendations around for my use case?
Which (keycloak-)jars do I need for this task?
Thanks in advance,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett