If you're focused on security for REST endpoints, I think it is quite easy to do it programmatically. You may just need to parse the "Authorization" header from the request with the bearer token and verify it with RSATokenVerifier.verifyToken, from which you also retrieve the AccessToken. See the BearerTokenRequestAuthenticator class for inspiration.

Marek

On 16/09/15 09:04, Orestis Tsakiridis wrote:
Thanks Bill,

I think I may tackle the issue for now through the KeycloakConfigResolver. Maybe return an empty deployment if the API Key is in the request.


Regards

Orestis

On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke <bburke@redhat.com> wrote:
I'll eventually implement adapter as a filter, but right now security
constraints are required.

On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote:
> Hello,
>
> Is it possible to apply programmatic access control i.e. retrieve
> KeycloakSecurityContext, get token, roles etc, when the
> <security-constraint/> elements have been removed from web.xml?
>
> The reason for that is that when <security-constraints/> are present the
> requests get dropped by the keycloak adapter before reaching the REST
> endpoints implementation in case they are not carrying a token. I'm
> trying to support an alternative authorization mechanism using a custom
> API Key parameter in case the OAuth token header is missing.
>
>
> Regards
>
> Orestis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
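The programmatic check Marek describes at the top of the thread, combined with the API key fallback Orestis asks about, as an added example (not code from Keycloak or from the posters). The class, enum and `tokenVerifier` hook are hypothetical; the hook marks where RSATokenVerifier.verifyToken would be called. Rejecting any request that sends an Authorization header without a valid token, rather than falling back to the API key, is an assumption of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.function.Predicate;

// Added example, not Keycloak code: class, enum and parameter names are hypothetical.
public class RestAuthDecision {

    public enum Outcome { BEARER_OK, API_KEY_OK, REJECTED }

    // Returns the token from "Bearer <token>", or null when the value is not a
    // well-formed Bearer credential (other scheme, missing or extra parts).
    static String bearerToken(String authorizationHeader) {
        String[] parts = authorizationHeader.trim().split("\\s+");
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer")) return null;
        return parts[1];
    }

    // tokenVerifier is the hook for signature and expiry checks; with Keycloak it
    // would wrap RSATokenVerifier.verifyToken and return false when that throws.
    static Outcome authenticate(String authorizationHeader, String apiKeyParam,
                                String expectedApiKey, Predicate<String> tokenVerifier) {
        if (authorizationHeader != null) {
            // A header was sent: it must carry a valid bearer token. A bad token is
            // rejected outright and never downgraded to the API key path.
            String token = bearerToken(authorizationHeader);
            boolean ok = token != null && tokenVerifier.test(token);
            return ok ? Outcome.BEARER_OK : Outcome.REJECTED;
        }
        if (apiKeyParam == null || expectedApiKey == null) return Outcome.REJECTED;
        // MessageDigest.isEqual does not stop at the first differing byte, so the
        // comparison time does not reveal how much of a guessed key was correct.
        boolean match = MessageDigest.isEqual(
                apiKeyParam.getBytes(StandardCharsets.UTF_8),
                expectedApiKey.getBytes(StandardCharsets.UTF_8));
        return match ? Outcome.API_KEY_OK : Outcome.REJECTED;
    }

    public static void main(String[] args) {
        // Constructed inputs; this predicate stands in for real token verification.
        Predicate<String> verifier = t -> t.equals("valid.sample.token");
        String key = "constructed-api-key";
        System.out.println(authenticate("Bearer valid.sample.token", null, key, verifier));
        System.out.println(authenticate("Bearer tampered.token", key, key, verifier));
        System.out.println(authenticate("Basic dXNlcjpwdw==", key, key, verifier));
        System.out.println(authenticate(null, key, key, verifier));
        System.out.println(authenticate(null, "wrong-key", key, verifier));
    }
}
```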