Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
7:38 a.m.
Hello,
I want to use keycloak for user Authentication in my tomcat based web application.
But since the web application should also be accessible without any login, I think I will
not be able to use the container-based security and handle the keycloak communication by
myself from within my web application.
Are there any tutorials or recommandation around for my use case?
Which (keycloak-)jars do I need for this task?
Thanks in advance,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
8:13 a.m.
Hello Schenk,
If your Identity Provider "speaks" SAML, you can give a try to
http://www.keycloak.org/docs/latest/securing_apps/index.
html#java-servlet-filter-adapter. I am testing it for some of our
tomcat-based application and it works out-of-the-box (BTW thanks keycloak
folks!).
My deployment descriptors (web.xml) looks like this:
<filter>
<filter-name>Keycloak Filter</filter-name>
<filter-class>org.keycloak.adapters.saml.servlet.
SamlFilter</filter-class>
<init-param>
<param-name>keycloak.config.file</param-name>
<param-value>/usr/local/tomcat/keycloak-saml-servlet-
adapter.xml</param-value>
</init-param>
</filter>
<!-- From the docs: "You must have a filter mapping that covers /saml.
-->
<filter-mapping>
<filter-name>Keycloak Filter</filter-name>
<url-pattern>/saml</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Keycloak Filter</filter-name>
<url-pattern>/secure/*</url-pattern>
</filter-mapping>
In this way, just playing with the url-patterns of my resources I can make
them private or public. E.g.
<servlet-mapping>
<servlet-name>SessionExampleServlet</servlet-name>
<url-pattern>/SessionExample</url-pattern>
<url-pattern>/secure/SessionExample</url-pattern>
</servlet-mapping>
Hope it helps,
Luis
2018-03-29 14:38 GMT+02:00 Schenk, Manfred <
Manfred.Schenk(a)iosb.fraunhofer.de>:
Hello,
I want to use keycloak for user Authentication in my tomcat based web
application.
But since the web application should also be accessible without any login,
I think I will not be able to use the container-based security and handle
the keycloak communication by myself from within my web application.
Are there any tutorials or recommandation around for my use case?
Which (keycloak-)jars do I need for this task?
Thanks in advance,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
2464
days inactive
2464
days old
1 comments
2 participants
participants (2)
-
Luis Rodríguez Fernández -
Schenk, Manfred