Hello Thai,
Seems like you've been watching the OSGification PR attentively :)
I'm sorry we didn't make it for Keycloak 4.3.0. Should get included in 4.4.0,
hopefully.
Just in case anyone else is interested:
PR for Keycloak OIDC servlet filter adapter OSGification
https://github.com/keycloak/keycloak/pull/5383
PR for the docs
https://github.com/keycloak/keycloak-documentation/pull/453
Built docs:
https://keycloak-docs.github.io/deploy-docs-pullrequest/PR/453/securing_a...
As for your question, could you please elaborate? What are you trying
to achieve? For REST services, you should normally use bearer token
authorization. In this mode, the adapter would expect a valid token in
"Authorization: Bearer XXX" HTTP header, otherwise it would return
HTTP 401. Is this what you're after?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-08-27 at 14:52 -0400, Nhut Thai Le wrote:
Hello,
I have a web app and a REST API running inside an OSGi environment.
The web app has some servlets registered with the web container (Jetty) as
OSGi whiteboard services. All of these servlets are configured to be
protected (authentication required) by the Keycloak servlet filter.

    Dictionary<String, String> props;
    props = new Hashtable<>();
    props.put("alias", "/whiteboard");
    servletReg = context.registerService(Servlet.class, new WhiteboardServlet("/test"), props);

    Dictionary<String, Object> filterProps = new Hashtable<String, Object>();
    String[] urls = { "/*" }; //$NON-NLS-1$
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME, "keycloakFilter");
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN, urls);
    keycloakFilter = context.registerService(Filter.class, new KeycloakOIDCFilter(), filterProps);

The REST api is hosted by aries-jax-rs-whiteboard.

    @Component(
        immediate = true,
        property = JAX_RS_APPLICATION_BASE + "=/rest",
        service = Application.class
    )
    @Path("/common")
    public final class RestAPI extends Application {
        public static final Response EMPTY_RESPONSE =
            Response.noContent().type(MediaType.TEXT_HTML_TYPE).build();

        @Override
        public Set<Object> getSingletons() {
            return Collections.singleton(this);
        }

        @GET
        @Path("/getObject")
        @Produces(MediaType.APPLICATION_JSON)
        public String getObject() {
            return "Rest call"; //$NON-NLS-1$
        }
    }

The web app has some JS code executed in the user's browser that makes an ajax
call to the REST service above. Since this call happens after the user has been
authenticated with Keycloak and originates from the same browser session, I
assume the ajax request also contains KeycloakSecurityContext. Thus this
call should be allowed to reach the REST service. What I want is to
register a filter (ContainerRequestFilter) to deny access to the REST
service if the user has not been authenticated.
Is there an existing implementation of ContainerRequestFilter by keycloak
that can do this?
Thai
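
Added example, not part of the original thread and not Keycloak's own code: a JAX-RS ContainerRequestFilter that enforces the bearer-token behaviour described in the reply (a valid token in the "Authorization: Bearer" header, otherwise HTTP 401). The class name BearerTokenFilter is hypothetical. It assumes a keycloak-adapter-core version that provides AdapterTokenVerifier, that the caller supplies the keycloak.json stream, and that the browser code sends the access token in the header. Registration with the JAX-RS whiteboard is not shown.

```java
import java.io.InputStream;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

// Hypothetical filter (not Keycloak code): rejects REST calls without a valid bearer token.
@Priority(Priorities.AUTHENTICATION)
public class BearerTokenFilter implements ContainerRequestFilter {
    private static final String SCHEME = "Bearer ";
    private final KeycloakDeployment deployment;

    // Assumption: the caller passes the keycloak.json that describes the realm and client.
    public BearerTokenFilter(InputStream keycloakJson) {
        this.deployment = KeycloakDeploymentBuilder.build(keycloakJson);
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        // Auth scheme names are case-insensitive (RFC 7235), so compare accordingly.
        if (header == null || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            reject(ctx, null);
            return;
        }
        try {
            // Verifies the token's signature and validity against the configured realm.
            AccessToken token = AdapterTokenVerifier.verifyToken(
                    header.substring(SCHEME.length()).trim(), deployment);
            ctx.setProperty(AccessToken.class.getName(), token); // for later filters
        } catch (VerificationException e) {
            reject(ctx, "invalid_token");
        }
    }

    // 401 with a Bearer challenge; verifier details are not echoed to the client.
    private void reject(ContainerRequestContext ctx, String error) {
        String challenge = "Bearer realm=\"" + deployment.getRealm() + "\""
                + (error == null ? "" : ", error=\"" + error + "\"");
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, challenge).build());
    }
}
```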