Hello Ola,
I've tested exactly the same approach as yours. In my case I am using SAML:
1. /login-module with
org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve registered in IdP.
It declares a <security-constraint> for "/*" [1]
2. Any request to /login-module passes through a filter [2] that looks in the
request for a secret (cookie). If there is no secret the request is
redirected to a servlet [3]. If the user has a valid session in the IdP the
secret is created and the user is redirected to the original request.
3. The rest of the modules are "protected" by the custom filter [4]
Answering your questions:
- Can this be possible...? Yes it can, but personally I do not like it
- Is it mandatory to register...? I do believe that it is preferable
I developed this PoC for this scenario: I have a big legacy enterprise app
(.ear) with several modules that make requests between them for getting
protected resources. E.g. /module1 requests /module2/images/calendar.gif or
/module1/ requests /module2/search. I do this because I want to avoid
touching the legacy and sometimes obscure code of the ear app :)
Probably using OAuth2/OpenID Connect would be a better idea for this kind
of scenario.
Hope it helps,
Luis
[1]
https://gist.github.com/lurodrig/deb2e086fa425f2d64111b325caf1b96
[2]
https://gist.github.com/lurodrig/7b157e6ebcfe857c86218eabd8063c6d
[3]
https://gist.github.com/lurodrig/e1a20f480f3c4202c083a091ed68b0d7
[4]
https://gist.github.com/lurodrig/84c0bf35f184059fe27bb47e377f09af
On Thu., 8 Nov. 2018 at 8:15, ola rob (<robstyle1234(a)gmail.com>)
wrote:
Hi,
I need some help in securing my applications with keycloak:
I have a couple of grails applications (App1 and App2) using spring security.
However, currently I am using keycloak REST API to authenticate users by
passing username and password and receive token without registering these
applications as clients in the keycloak. But this approach seems to be
inefficient when we want to support SSO, kerberos and a lot of other powerful
features that Keycloak offers.
So I came up with the below approach to support SSO/kerberos but wanted to
know if Keycloak can solve our problem.
"Create a new spring boot master application (App3) and register with
Keycloak and redirect the login page to Keycloak. Once login is successful,
use the token that keycloak provides and pass it on to App1 and App2 and
tweak my existing code flow to handle this. Can this be possible because I
am not registering/creating any clients for app1 and app2 in keycloak here
but only creating for app3 which is the master application and using the
access token? Is it mandatory to register/create all clients in Keycloak to
support SSO?"
Any help would be highly appreciated.
Thanks in advance!
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
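The secret-cookie check that Luis describes in his reply (filter [2]/[4] bouncing unauthenticated requests to servlet [3]), written up as a servlet filter the way I would harden it. This is an added illustration, not the code from his gists: the filter accepts the cookie only if it carries an unexpired timestamp and a valid HMAC, so a module cannot be opened with a guessed or tampered value. The cookie name, issuer path, key source and the `ssoUser` request attribute are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
// Cookie value is "user.expiry.mac" with mac = base64url(HMAC-SHA256(key, "user.expiry")).
// Every module runs this filter; only /login-module (behind the SAML valve) mints the cookie.
public class SsoSecretFilter implements Filter {
    static final String COOKIE = "SSO_SECRET";           // placeholder cookie name
    static final String ISSUER = "/login-module/issue";  // placeholder path of servlet [3]
    // Placeholder key source: in practice load it from a keystore shared by all modules.
    static final byte[] KEY = System.getenv("SSO_SECRET_KEY").getBytes(StandardCharsets.UTF_8);
    public void init(FilterConfig c) {}  public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String user = null;
        if (r.getCookies() != null) for (Cookie c : r.getCookies())
            if (COOKIE.equals(c.getName())) user = verify(c.getValue());
        if (user != null) {  // valid secret: tell the legacy module who the user is, continue
            r.setAttribute("ssoUser", user); chain.doFilter(req, res); return;
        }
        // Missing, forged or expired secret: bounce to the issuer carrying the original URL.
        // The issuer must accept only same-origin "return" values, or this is an open redirect.
        String back = r.getRequestURI() + (r.getQueryString() == null ? "" : "?" + r.getQueryString());
        ((HttpServletResponse) res).sendRedirect(ISSUER + "?return=" + URLEncoder.encode(back, "UTF-8"));
    }
    // Returns the user name if the expiry has not passed and the MAC verifies (constant-time
    // compare); null otherwise, so a guessed, tampered or stale cookie never opens a module.
    static String verify(String v) {
        int m2 = v.lastIndexOf('.'), m1 = v.lastIndexOf('.', m2 - 1);
        if (m1 < 1) return null;  // user names may contain dots, so parse from the right
        String user = v.substring(0, m1), exp = v.substring(m1 + 1, m2);
        try {
            if (Long.parseLong(exp) < System.currentTimeMillis() / 1000) return null;
            byte[] given = Base64.getUrlDecoder().decode(v.substring(m2 + 1));
            return MessageDigest.isEqual(given, mac(user + "." + exp)) ? user : null;
        } catch (IllegalArgumentException e) { return null; }  // bad number or bad base64
    }
    static byte[] mac(String data) {
        try { Mac m = Mac.getInstance("HmacSHA256"); m.init(new SecretKeySpec(KEY, "HmacSHA256"));
              return m.doFinal(data.getBytes(StandardCharsets.UTF_8)); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

The issuing servlet, which sits behind the SAML valve and therefore knows the IdP-authenticated principal, builds the same "user.expiry.mac" string with the shared key and sets it as an HttpOnly, Secure cookie scoped to the EAR's host. Without the MAC and expiry, the "secret" is only as strong as its unpredictability and lifetime, which is the part of this PoC I would not ship as is.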