4:15 a.m.
Hi all,
I have a question about migrating my application to keycloak.
My application is based on :
- some EJB components
- a main REST interface driving the EJB components,
- a HTML5/Angular GUI client
- some remote REST api acting as clients of the main REST api.
According to the documentation, I plane to use the adapters according to my
components but I'm facing a problame for the main REST interface.
By default, the main REST interface handles requests using a dedicated
GUEST account. It's a kind of default account that is propagated to the EJB
container using a classic login mechanism. This is handle in a
ServletFilter that looks for HTTP Authentication headers. If headers are
not found, authentication on the container is done using the default login
'guest'.
For this special account, a dedicated login-module is used in the wildfly
security domain (<login-module code="Identity"
flag="required">)
I'm trying to migrate to keycloak using the undertow adapter but I'm not
able to handle a default login propagated to the EJB layer.
The use case is that a simpe call to the REST api without authentication
token header should result as a container authenticated user guest whereas
requests with token included should try to perform the token base
authentication. In that way, unauthenticated usage of HTML5/JS interface
should result as guest requests and login process only required when main
REST api throws AccessDeniedException.
Is there is any way to perform this using the KEYCLOAK auth-method or do I
have to write a specific Filter handling a kind of dual auth mechanism
(guest and keycloak) ?
Best regards, Jérôme.
7:04 a.m.
Hi,
I afraid that we don't have support for the usecase like this yet afaik,
as adapters are driven by servlet security and if you access protected
URL without token, you will just receive 401. Maybe optional support for
guest authentication in rest requests is something to consider to add
into keycloak though...
One possible alternative we have is pure jaxrs filter, which you can
possibly add to your REST application if you're using jaxrs:
https://github.com/keycloak/keycloak/blob/master/integration/jaxrs-oauth-...
. Problem is that you will still have to override at least method
"bearerAuthentication" to not send error in case of missing token, but
use your guest account instead . Also I am really not sure if jaxrs
SecurityContext will be propagated to EJB layer, probably not.
Marek
On 8.12.2014 11:15, Jérôme Blanchard wrote:
Hi all,
I have a question about migrating my application to keycloak.
My application is based on :
- some EJB components
- a main REST interface driving the EJB components,
- a HTML5/Angular GUI client
- some remote REST api acting as clients of the main REST api.
According to the documentation, I plane to use the adapters according
to my components but I'm facing a problame for the main REST interface.
By default, the main REST interface handles requests using a dedicated
GUEST account. It's a kind of default account that is propagated to
the EJB container using a classic login mechanism. This is handle in a
ServletFilter that looks for HTTP Authentication headers. If headers
are not found, authentication on the container is done using the
default login 'guest'.
For this special account, a dedicated login-module is used in the
wildfly security domain (<login-module code="Identity"
flag="required">)
I'm trying to migrate to keycloak using the undertow adapter but I'm
not able to handle a default login propagated to the EJB layer.
The use case is that a simpe call to the REST api without
authentication token header should result as a container authenticated
user guest whereas requests with token included should try to perform
the token base authentication. In that way, unauthenticated usage of
HTML5/JS interface should result as guest requests and login process
only required when main REST api throws AccessDeniedException.
Is there is any way to perform this using the KEYCLOAK auth-method or
do I have to write a specific Filter handling a kind of dual auth
mechanism (guest and keycloak) ?
Best regards, Jérôme.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:31 a.m.
Hi everybody,
I'm trying to migrate an existing application to keycloak and I'm facing
some problems.
My application is an ear composed of :
- one war containing Servlet and JaxRS resources (which are not session
beans but only rest resources calling EJBs)
- one jar containing EJB components secured with a dedicated SecurityDomain.
-one HTML5/Angular client application
I've configured the security domain in standalone-full.xml using the
KeycloakLoginModule .
I've also configured the war using jboss-web.xml to use the security domain
of EJBs
Finally I've include the JAX-RS filter in order to allows BearerToken
authentication on the REST api in the WAR.
Angular application is able to loggin and to send the bearer token in the
http header. The jaxRS logs shows that token is received and user name is
retreive.
What happens is that authentication is not propagated to the EJB Layer and
the LoginModule is never called.
Anybody has an idea on how to make this propagation works ?
Thanks for your help, best regards, Jérôme.
4:18 a.m.
On 11.12.2014 11:31, Jérôme Blanchard wrote:
Hi everybody,
I'm trying to migrate an existing application to keycloak and I'm
facing some problems.
My application is an ear composed of :
- one war containing Servlet and JaxRS resources (which are not
session beans but only rest resources calling EJBs)
- one jar containing EJB components secured with a dedicated
SecurityDomain.
-one HTML5/Angular client application
I've configured the security domain in standalone-full.xml using the
KeycloakLoginModule .
I've also configured the war using jboss-web.xml to use the security
domain of EJBs
Finally I've include the JAX-RS filter in order to allows BearerToken
authentication on the REST api in the WAR.
Angular application is able to loggin and to send the bearer token in
the http header. The jaxRS logs shows that token is received and user
name is retreive.
What happens is that authentication is not propagated to the EJB Layer
and the LoginModule is never called.
yes, the propagation from Jax-rs filter to EJB
unfortunately doesn't
work. You can use the adapter and servlet authentication and in this
case it should be propagated as described in reference guide -
http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#...
. But in another thread you also mention the requirement of "guest"
authentication (like if Authorization header with bearer token is not
present, your app will use some kind of guest account instead of sending
back 401 error). Is it still requirement?
It seems that easiest short-term solution might be to add support for
guest authentication to our KC adapter. It will be optional feature,
which will be disabled by default. If it's enabled, it will use some
predefined guest account and guest roles in case that Authorization
header is not present. But I am not sure if it's something, which we
want to support in KC...
Marek
Anybody has an idea on how to make this propagation works ?
Thanks for your help, best regards, Jérôme.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:27 a.m.
Hi,
I've finally change my use case to avoid giving the guest user a particular
rôle (user) and switch to a completely anonymous way of working in EJB. In
this case, avoiding a particular security-constraint in the webapp let the
keycloak undertow adapter pass some anonymous request goes throught EJB
and, in the case of an existing Bearer token, authenticate and propagate
principal.
So now, we have a working solution that fits with our needs. Next step is
configuration of Grant Token for external webapps to access REST interface
using a Grant Token, but it's another story.
Thank for your support. Best regards, Jérôme.
Le Fri Dec 12 2014 at 11:18:30, Marek Posolda <mposolda(a)redhat.com> a
écrit :
On 11.12.2014 11:31, Jérôme Blanchard wrote:
Hi everybody,
I'm trying to migrate an existing application to keycloak and I'm facing
some problems.
My application is an ear composed of :
- one war containing Servlet and JaxRS resources (which are not session
beans but only rest resources calling EJBs)
- one jar containing EJB components secured with a dedicated
SecurityDomain.
-one HTML5/Angular client application
I've configured the security domain in standalone-full.xml using the
KeycloakLoginModule .
I've also configured the war using jboss-web.xml to use the security
domain of EJBs
Finally I've include the JAX-RS filter in order to allows BearerToken
authentication on the REST api in the WAR.
Angular application is able to loggin and to send the bearer token in
the http header. The jaxRS logs shows that token is received and user name
is retreive.
What happens is that authentication is not propagated to the EJB Layer and
the LoginModule is never called.
yes, the propagation from Jax-rs filter to EJB unfortunately doesn't work.
You can use the adapter and servlet authentication and in this case it
should be propagated as described in reference guide -
http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#...
. But in another thread you also mention the requirement of "guest"
authentication (like if Authorization header with bearer token is not
present, your app will use some kind of guest account instead of sending
back 401 error). Is it still requirement?
It seems that easiest short-term solution might be to add support for
guest authentication to our KC adapter. It will be optional feature, which
will be disabled by default. If it's enabled, it will use some predefined
guest account and guest roles in case that Authorization header is not
present. But I am not sure if it's something, which we want to support in
KC...
Marek
Anybody has an idea on how to make this propagation works ?
Thanks for your help, best regards, Jérôme.
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
3695
days inactive
3699
days old
4 comments
2 participants
participants (2)
-
Jérôme Blanchard -
Marek Posolda