Re: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?

Thursday, 29 March 2018

Hello Manfred,

mmm, OK, I see. We have an application that I do think that match your
scenario: https://phonebook.cern.ch In this one only one resource is behind
a security-constraint, the singin link: /phonebook/secure/sso This trigger
the login request to our identity provider. This one challenges the user,
and after authentication the response with the user information is sent
back to the application. With this information the application creates the
java.security.Principal objects.  Then the application's  code can make
checks like this one:

java.security.Principal principal = request.getUserPrincipal();
if (principal != null) {
   if(request.isUserInRole("THE_ROLE"){
      .../...
   } else{
      response.sendError(SC_FORBIDDEN)
   }
} else {
.../...
}

In this way you are relying in the standard servlet specification making
your application completely independent of keycloak or any other identiy
and access management you use and portable.

Afterwards nothing stop you from use the keycloak APIs to get any user data
you need. Me, for example, in my applications I get all the user data (e.g.
telephonenumber, department) from
the org.keycloak.adapters.saml.SamlPrincipal

The good and old examples application that comes in any tomcat distribution
is a great place to start. On this specific issue you can have a look at
$CATALINA_BASE/webapps/examples/jsp/security/protected/index.jsp

Hope it helps,

Luis

2018-03-29 15:23 GMT+02:00 Schenk, Manfred <
Manfred.Schenk(a)iosb.fraunhofer.de&gt;:

...
 Hello Luis,

 Your approach will not work for me: In my setup there is no predefined set
 of secure and unsecure URLs: there are many URLs which can be accessed
 without any login and also with login. But the content which is displayed
 when accessing these URLs depends if the user is authenticated or not.

 That’s the reason why all those filters and valves will not work for me.

 My idea is as follows:

 When a request comes in, I will check if it contains some token. If yes,
 the system should try to identify the user using keycloak, otherwise the
 username iss et to anonymous.

 In the next step the system checks if the user has sufficient rights for
 viewing/editing/deleting the entity identified by the requested URL. If the
 rights are sufficient (even with the anonymous user) all as well, otherwise
 the system will redirect to the keycloak server to obtain such a token
 mentioned above.

 But I haven’t found any detailed documentation on that use case.

 Regards,

 Manfred

 --
 Manfred Schenk, Fraunhofer IOSB
 Informationsmanagement und Leittechnik
 Fraunhoferstraße 1,76131 Karlsruhe, Germany
 Telefon +49 721 6091-391 <+49%20721%206091391>
 mailto:Manfred.Schenk@iosb.fraunhofer.de
 http://www.iosb.fraunhofer.de

 *Von:* Luis Rodríguez Fernández <uo67113(a)gmail.com&gt;
 *Gesendet:* Donnerstag, 29. März 2018 15:13
 *An:* Schenk, Manfred <Manfred.Schenk(a)iosb.fraunhofer.de&gt;
 *Betreff:* Re: [keycloak-user] Securing tomcat-based web applications
 without using container-security(i.e. without using filters, constraints
 and valves)?

 Hello Schenk,

 If your Identity Provider "speaks" SAML, you can give a try to
 http://www.keycloak.org/docs/latest/securing_apps/index.
 html#java-servlet-filter-adapter. I am testing it for some of our
 tomcat-based application and it works out-of-the-box (BTW thanks keycloak
 folks!).

 My deployment descriptors (web.xml) looks like this:

     <filter>

         <filter-name>Keycloak Filter</filter-name>

         <filter-class>org.keycloak.adapters.saml.servlet.
 SamlFilter</filter-class>

         <init-param>

             <param-name>keycloak.config.file</param-name>

             <param-value>/usr/local/tomcat/keycloak-saml-servlet-
 adapter.xml</param-value>

         </init-param>

     </filter>

     <!-- From the docs: "You must have a filter mapping that covers /saml.
 -->

     <filter-mapping>

         <filter-name>Keycloak Filter</filter-name>

         <url-pattern>/saml</url-pattern>

     </filter-mapping>

     <filter-mapping>

         <filter-name>Keycloak Filter</filter-name>

         <url-pattern>/secure/*</url-pattern>

     </filter-mapping>

 In this way, just playing with the url-patterns of my resources I can make
 them private or public. E.g.

     <servlet-mapping>

         <servlet-name>SessionExampleServlet</servlet-name>

         <url-pattern>/SessionExample</url-pattern>

         <url-pattern>/secure/SessionExample</url-pattern>

     </servlet-mapping>

 Hope it helps,

 Luis

 2018-03-29 14:38 GMT+02:00 Schenk, Manfred <Manfred.Schenk@iosb.
 fraunhofer.de>:

 Hello,

 I want to use keycloak for user Authentication in my tomcat based web
 application.
 But since the web application should also be accessible without any login,
 I think I will not be able to use the container-based security and handle
 the keycloak communication by myself from within my web application.

 Are there any tutorials or recommandation around for my use case?
 Which (keycloak-)jars do I need for this task?

 Thanks in advance,
 Manfred

 --
 Manfred Schenk, Fraunhofer IOSB
 Informationsmanagement und Leittechnik
 Fraunhoferstraße 1,76131 Karlsruhe, Germany
 Telefon +49 721 6091-391
 mailto:Manfred.Schenk@iosb.fraunhofer.de
 http://www.iosb.fraunhofer.de

 _______________________________________________
 keycloak-user mailing list
 keycloak-user(a)lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user

 --

 "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

 - Samuel Beckett

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?