Hi,
if you want to use keycloak for authentication you should rather use:
<auth-method>KEYCLOAK</auth-method>
Also I don't know how are you sending request to "/api/*" . I guess it
is javascript application or some other servlet application, which is
sending jax-rs requests to api? In this cases, you should add manually
"Authorization" header with either "Authorization: Bearer ..." with
bearer token attached or "Authorization: Basic ...." with keycloak
username/password attached (bearer token is much better, so you can
avoid direct grant and you don't need to share credentials with your
application)
Marek
On 12.12.2014 14:06, Eric Wittmann wrote:
In apiman I have a bit of an edge case that currently isn't
working as I
was hoping (running in wildfly 8.2 - not tested on any other platform).
The issue is that I have a WAR with two sub-contexts:
/api - JAX-RS endpoints to configure the API Gateway
/gateway - the API Gateway (reverse proxy)
I wanted /api to be protected by keycloak, but for /gateway to be
unprotected.
My web.xml looks like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>apiman-gateway</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>apiadmin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>apiman</realm-name>
</login-config>
<security-role>
<role-name>apiadmin</role-name>
</security-role>
It all works great until I send a request to /gateway/* that includes an
"Authorization" http header. If I do that, the adapter tries to
authenticate with those credentials and fails with a 401 if they don't
match (which they don't).
I realize this is an odd case, but I did expect that if the web.xml
specified that only /api/* were protected then other paths would simply
pass through any Authorization headers. That may be an incorrect
expectation - not sure what the servlet spec requires in this case.
Thoughts?
Currently I'm probably going to work around this by splitting up the API
and Gateway servlets into separate WARs.
-Eric
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user