On 22/03/16 15:10, Bill Burke wrote:
On 3/22/2016 4:33 AM, Simon Gordon wrote:
> Hi
>
> My client applications (some SAML, some OIDC) are all running within Tomcat
> 7 on OpenShift. Since the Keycloak Tomcat adapter is a Valve, the jar needs
> adding into the server classpath which of course I can't do on OpenShift.
> (Or I've struggled to at least!)
>
> Hence I'm using the generic servlet filter adapter. Looking here for SAML:
>
> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/ch07.html
>
> and here for OIDC:
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d...
>
> I can't see how to achieve the security-constraints (roles primarily). Do I
> need to resort to coding those in the apps, or maybe using JAAS?
You have to code it into the app. You could write a filter that did a
HttpServletRequest.isUserInRole(). We should probably provide something
like that...
+1
The Servlet spec has HttpServletRequestWrapper, where we can easily override
all the methods like isUserInRole, getRemoteUser, getUserPrincipal etc.,
fill them with the stuff from the token and send this request wrapper
down the filter chain. Not sure if we should do it automatically or have a
configurable flag for it.
Marek
Bill
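The filter Bill and Marek sketch, written out as an added example (hypothetical code, not part of Keycloak or of the original thread). It wraps the request in an HttpServletRequestWrapper whose isUserInRole/getRemoteUser/getUserPrincipal are backed by the OIDC access token, then enforces a web.xml-style role constraint per URL prefix. It assumes the Keycloak servlet filter adapter (KeycloakOIDCFilter) has already run and published its KeycloakSecurityContext under the request attribute KeycloakSecurityContext.class.getName(), and uses the AccessToken accessors getPreferredUsername() and getRealmAccess().getRoles(); the class name RoleConstraintFilter and the init-param format are this example's own. The SAML filter is not covered here.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Hypothetical stand-in for web.xml security-constraints when the Keycloak Valve
 * cannot be installed. Map it AFTER KeycloakOIDCFilter for the same URL pattern.
 * init-param "constraints": URL prefixes and the roles allowed there (any-of),
 * e.g. "/admin=admin;/reports=manager,auditor".
 */
public class RoleConstraintFilter implements Filter {

    /** Request view whose role/user methods answer from the token, not the container. */
    static class TokenRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> roles;

        TokenRequest(HttpServletRequest req, String user, Set<String> roles) {
            super(req);
            this.user = user;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }

        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public String getRemoteUser() { return user; }
        @Override public Principal getUserPrincipal() {
            if (user == null) return null;
            return new Principal() { public String getName() { return user; } };
        }
    }

    private final Map<String, Set<String>> constraints = new LinkedHashMap<String, Set<String>>();

    @Override
    public void init(FilterConfig cfg) {
        String spec = cfg.getInitParameter("constraints");
        if (spec == null) return;
        for (String entry : spec.split(";")) {
            String[] kv = entry.trim().split("=", 2);
            if (kv.length != 2) continue;
            Set<String> roles = new HashSet<String>();
            for (String r : kv[1].split(",")) roles.add(r.trim());
            constraints.put(kv[0].trim(), roles);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Attribute name under which the Keycloak servlet filter adapter exposes the authenticated session.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) http.getAttribute(KeycloakSecurityContext.class.getName());
        String user = null;
        Set<String> roles = new HashSet<String>();
        if (ctx != null && ctx.getToken() != null) {
            AccessToken token = ctx.getToken();
            user = token.getPreferredUsername();
            // Realm roles only; client roles would come from token.getResourceAccess(clientId).
            if (token.getRealmAccess() != null) roles.addAll(token.getRealmAccess().getRoles());
        }
        HttpServletRequest wrapped = new TokenRequest(http, user, roles);

        // Path relative to the context root, so constraints do not depend on the deployment path.
        String path = http.getServletPath() + (http.getPathInfo() == null ? "" : http.getPathInfo());
        Set<String> required = requiredRoles(path);
        if (required != null && !hasAnyRole(wrapped, required)) {
            // 401 with nobody logged in (fail closed), 403 when the user lacks the role.
            out.sendError(user == null ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(wrapped, res);   // downstream filters/servlets now see the token-backed request
    }

    /** First configured prefix covering the path; "/admin" covers "/admin" and "/admin/x", not "/admin-ish". */
    Set<String> requiredRoles(String path) {
        for (Map.Entry<String, Set<String>> e : constraints.entrySet()) {
            String p = e.getKey();
            if (path.equals(p) || path.startsWith(p.endsWith("/") ? p : p + "/")) return e.getValue();
        }
        return null;
    }

    static boolean hasAnyRole(HttpServletRequest req, Set<String> required) {
        for (String role : required) if (req.isUserInRole(role)) return true;
        return false;
    }

    @Override public void destroy() { }
}
```

Register it in web.xml with a filter-mapping that comes after the KeycloakOIDCFilter mapping for the same url-pattern, since the container applies filters in mapping order; the wrapper is only useful if it is the request object passed to chain.doFilter, which is why the filter passes `wrapped` rather than `req`. Paths without a configured constraint pass through untouched, as they would under web.xml security-constraints, and a constrained path the Keycloak filter did not cover gets a 401 rather than a silent pass, because the security context attribute is absent.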