Hi,
I was thinking of creating a custom Valve and doing the extra rights mapping work in the
invoke method, but with JBoss 7.1.1 I couldn't figure out how to get my custom Valve
to be invoked after Keycloak's. I configured my custom Valve by adding a
<valve>...</valve> element to the jboss-web.xml of my app, but with this my
custom Valve was always invoked before Keycloak.
So instead I created a Servlet Filter and do the extra rights mapping work in the doFilter
method by getting the AccessToken from the Request like this:
KeycloakPrincipal principal = (KeycloakPrincipal) ((HttpServletRequest) request).getUserPrincipal();
AccessToken token = principal.getKeycloakSecurityContext().getToken();
Based on the info in the AccessToken I can do the extra work I need.
Does this seem like a reasonable approach?
Thanks
-Jim
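Worked example of the Servlet Filter approach described in the message above. This is an added illustration, not code from the thread, the Keycloak project or the keycloak-as7-adapter. The Right enum, the role-to-right table in mapRights, and the "app.rights" request attribute are assumptions made for the example; the Keycloak classes used (KeycloakPrincipal, KeycloakSecurityContext, AccessToken and its realm-access roles) are the adapter's public API, but method details may differ between adapter versions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Servlet filter that runs after the Keycloak adapter (an authenticator valve,
 * which executes before the filter chain) has validated the bearer token, and
 * derives application-specific "rights" from the roles the token carries.
 * Right, the role-to-right table and RIGHTS_ATTRIBUTE are illustrative
 * assumptions, not part of Keycloak.
 */
public class RightsMappingFilter implements Filter {

    /** Hypothetical application rights; Keycloak knows nothing about these. */
    public enum Right { BACKUP, RESTORE, MANAGE_USERS }

    /** Request attribute under which mapped rights are exposed to servlets (assumption). */
    public static final String RIGHTS_ATTRIBUTE = "app.rights";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // A validated bearer token shows up as a KeycloakPrincipal. Anything else
        // means the adapter did not run for this URL (the filter is assumed to be
        // mapped only to URLs covered by the security-constraint) or the request
        // was not authenticated: fail closed rather than map rights for nobody.
        Principal principal = httpRequest.getUserPrincipal();
        if (!(principal instanceof KeycloakPrincipal)) {
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        KeycloakSecurityContext context = ((KeycloakPrincipal) principal).getKeycloakSecurityContext();
        AccessToken token = context.getToken();

        // The token is signed by the realm and cannot be modified, so the result
        // of the mapping lives in a request attribute rather than in the token.
        Set<Right> rights = mapRights(realmRoles(token));
        httpRequest.setAttribute(RIGHTS_ATTRIBUTE, Collections.unmodifiableSet(rights));

        chain.doFilter(request, response);
    }

    /** Realm-level roles in the token, or an empty set when the token carries none. */
    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access realmAccess = token.getRealmAccess();
        if (realmAccess == null || realmAccess.getRoles() == null) {
            return Collections.emptySet();
        }
        return realmAccess.getRoles();
    }

    /**
     * Role-to-right table (assumption): the "backup" right is granted by either
     * the backup role or the admin role, as described in the thread; the other
     * entries are invented for the example.
     */
    static Set<Right> mapRights(Set<String> roles) {
        EnumSet<Right> rights = EnumSet.noneOf(Right.class);
        if (roles.contains("backup") || roles.contains("admin")) {
            rights.add(Right.BACKUP);
        }
        if (roles.contains("admin")) {
            rights.add(Right.RESTORE);
            rights.add(Right.MANAGE_USERS);
        }
        return rights;
    }
}
```

The filter is registered in the application's web.xml with a filter-mapping whose url-pattern matches the protected URLs; because the container runs its authenticator valve before any servlet filter, getUserPrincipal() is already populated when doFilter runs, which is the ordering the custom Valve in jboss-web.xml could not achieve. Downstream servlets read the Set<Right> from the request attribute; since the mapping is recomputed per request from the signed token, no state about rights needs to be cached in the session.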
-----Original Message-----
From: Boettcher, Jim
Sent: Monday, June 09, 2014 3:45 PM
To: 'Bill Burke'; keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Add additional rights mapping step to request chain
These are specific rights that are associated with different roles, such as the "backup
right" can be associated with a backup role or an admin role.
We were looking to do this on the application server side, perhaps as some sort of
extension, add-on, or post-processor to the keycloak-as7-adapter that is installed and
configured as a module for JBoss.
Thanks
-Jim
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Bill Burke
Sent: Monday, June 09, 2014 3:11 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Add additional rights mapping step to request chain
For "rights" you mean user role mappings? I'd have to create an SPI for
that.
FYI, you can't modify the token itself as it is digitally signed.
On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
Hi,
We are using the keycloak-as7-adapter from beta2 and have configured
the adapter to use bearer token.
We would like to add in some extra processing after the bearer token
has been validated in order to map user rights for the user identified
by the bearer token using some proprietary code. This is currently
done with a custom LoginModule configured for the security-domain of the app.
Can you suggest how we might go about adding this extra rights mapping
to the request chain after the keycloak adapter has validated the
bearer token?
Thank you,
Jim
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com