On 1/30/2014 9:29 AM, Nils Preusker wrote:
> Hey Bill, thanks for the clarification, I didn't realize that the
> cookie was HttpOnly, neat!
>
> We are building a pure HTML5 client that is also hosted separately from
> the REST backends. The thing is that we use a reverse proxy, so for the
> browser it all looks like one app since everything comes from different
> paths in the same domain.
>
> I'll try to clarify the last part of my last mail: We are currently
> using org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve
> (skeleton-key-as7) in our REST backend modules. If I'm not mistaken,
> some parts of the code base and concepts are the same as in Keycloak, right?
>
> So far, in the AngularJS application we've been adding bearer tokens to
> the HTTP Authorization header. Since the backend uses JAX-RS/RESTEasy,
> the verification of the bearer tokens was done transparently by
> OAuthAuthenticationServerValve, and RESTEasy automatically added the
> roles etc. to the HttpServletRequest. Now in the REST backend of the
> admin app in Keycloak you're doing the same thing (validating the tokens
> and extracting the roles) manually with the AuthenticationManager
> (authenticateSaasIdentityCookie(...)). So I was just wondering whether
> you are planning to make that process more transparent in the future?
We're doing it manually because the original idea was that the admin
service could manage multiple organizations (a SaaS), so you'd have to
set up the cookie paths correctly.

For your app, it sounds like @RolesAllowed will work. You just have to
set up the appropriate security constraints for your REST URLs
in web.xml. Just set up the REST APIs to require authentication and let
@RolesAllowed do the rest. The Keycloak JBoss/WildFly adapter can
handle BEARER token auth at the same time as regular browser OAuth. If
the server is initiating the login, then you can just follow the current
Keycloak examples. If not, then the JavaScript lib Stian wrote is an
option (and something we'll have to document).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
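The setup Bill describes (container authenticates, @RolesAllowed authorizes), as an added example that is not part of the thread and not Keycloak's or RESTEasy's own code. The package name, the `/rest` application path, the `user`/`admin` role names and the `OrdersResource` class are assumptions made for illustration; the roles are whatever the adapter puts on the request from the validated token.

```java
// Added example (not Keycloak or RESTEasy project code). Package, role names,
// resource names and the /rest path are illustrative assumptions.
package example.api;

import java.util.HashSet;
import java.util.Set;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

/**
 * JAX-RS application that does no token handling of its own.
 *
 * Authentication is delegated to the container: web.xml carries a
 * security-constraint on /rest/* with an auth-constraint, and a login-config
 * for the Keycloak adapter. The adapter validates the bearer token (or the
 * browser login) and populates the request's principal and roles before any
 * resource method runs. RESTEasy then enforces the annotations below, but
 * only if the context-param resteasy.role.based.security is set to true.
 */
@ApplicationPath("/rest")
public class ApiApplication extends Application {

    @Override
    public Set<Class<?>> getClasses() {
        Set<Class<?>> classes = new HashSet<>();
        classes.add(OrdersResource.class);
        return classes;
    }

    @Path("/orders")
    @Produces(MediaType.APPLICATION_JSON)
    public static class OrdersResource {

        // Roles come from the container-provided SecurityContext; nothing here
        // parses the Authorization header or the identity cookie itself.
        @Context
        private SecurityContext security;

        // Any authenticated caller holding either role may read their own orders.
        @GET
        @Path("/mine")
        @RolesAllowed({"user", "admin"})
        public String myOrders() {
            String caller = security.getUserPrincipal().getName();
            return "{\"owner\":\"" + caller + "\",\"orders\":[]}";
        }

        // Only the admin role may list every order; other callers get 403
        // from RESTEasy's role check, never reaching this method.
        @GET
        @Path("/all")
        @RolesAllowed("admin")
        public String allOrders() {
            return "{\"orders\":[]}";
        }

        // @PermitAll only relaxes the JAX-RS role check. Because /rest/* is
        // behind the web.xml auth-constraint, the container still demands a
        // valid token here; to make this truly anonymous, exclude its URL from
        // the security-constraint instead of relying on the annotation.
        @GET
        @Path("/ping")
        @PermitAll
        public String ping() {
            boolean admin = security.isUserInRole("admin");
            return "{\"ok\":true,\"admin\":" + admin + "}";
        }
    }
}
```

In web.xml this pairs with a `<security-constraint>` whose `<url-pattern>` is `/rest/*` and whose `<auth-constraint>` lists the allowed roles (or `*`), matching `<security-role>` declarations for `user` and `admin`, a `<login-config>` for the Keycloak adapter, and the `resteasy.role.based.security` context-param set to `true`. Without the security-constraint the adapter never authenticates the request, so `getUserPrincipal()` is null and every `@RolesAllowed` method is rejected; without the context-param RESTEasy ignores the annotations entirely, which is the quieter and more dangerous failure.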