Yes, that is what you can use. But nothing stops you from creating a CDI layer on top of
it to better integrate with your app.
In your example, you can easily create Identity-like and AuthorizationManager-like
beans in order to hide/centralize security logic from the rest of your app.
Thanks.
----- Original Message -----
From: "Stefano Zaccaria" <zaquas(a)gmail.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Wednesday, February 17, 2016 5:41:59 AM
Subject: Re: [keycloak-user] Use keycloak as I used picketlink
Thanks Pedro!
You have been so clear!!!
So, excuse my pedantry, I must forget the old stuff that I had used with picketlink
and deltaspike:
e.g. @LoggedIn, CDI that calls the picketlink lib, etc.
To be clear, I must use only the code that you suggested to me... what I read on our
site, in particular in
http://picketlink.org/keycloak-merge-faq/
"Q) What happens with PicketLink Java EE related capabilities
A) Based on experience gained with PicketLink project we’ll be introducing
Keycloak SDK component including libraries for easier integration with Java
EE applications"
Must it be interpreted as the code you suggested to me?
Thanks very much!
2016-02-17 2:37 GMT+01:00 Pedro Igor Silva <psilva(a)redhat.com>:
Hi Stefano,
In KC you can use standard JEE security mechanisms to perform RBAC.
Another thing you can do is obtain a KeycloakSecurityContext and get
roles or any other claim from there. Something like:
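    // The Keycloak adapter stores the security context as a request attribute
    KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
            request.getAttribute(KeycloakSecurityContext.class.getName());
    AccessToken token = securityContext.getToken();
    AccessToken.Access realmAccess = token.getRealmAccess();

    // getRealmAccess() returns null when the token carries no realm roles
    if (realmAccess != null && realmAccess.isUserInRole("admin")) {
        // do admin stuff
    }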
You can use a lot of information from the AccessToken to perform local
authorization checks. Above is RBAC, but you can also use claims to perform
ABAC, for instance.
Regards.
Pedro Igor
----- Original Message -----
From: "Stefano Zaccaria" <zaquas(a)gmail.com>
To: keycloak-user(a)lists.jboss.org
Sent: Tuesday, February 16, 2016 9:59:13 PM
Subject: [keycloak-user] Use keycloak as I used picketlink
Hello to all,
I want to change from picketlink to keycloak
In my ee app I use keycloak CDI to check the user roles and grant with

    BasicModel.hasRole(relationshipManager, identity.getAccount(),
            BasicModel.getRole(identityManager, "admin"))

or

    AuthorizationUtil.hasRole(identity, partitionManager, "admin");

in my bean methods.
How can I do the same thing with Keycloak?
Thanks in advance
Stefano
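
The "Identity-like" CDI bean suggested at the top of the thread could look like the sketch below. It is an added example, not code from the thread or from the Keycloak project. The class name `CurrentUser` and its method names are hypothetical, and it assumes a Keycloak servlet adapter that sets the `KeycloakSecurityContext` request attribute and a CDI 1.1+ container that can inject `HttpServletRequest`.

```java
import java.util.Map;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/** Hypothetical Identity-like bean; class and method names are not a Keycloak API. */
@RequestScoped
public class CurrentUser {

    @Inject
    private HttpServletRequest request; // built-in CDI bean since CDI 1.1

    /** Token of the current request, or null when the request is unauthenticated. */
    private AccessToken token() {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        return ctx == null ? null : ctx.getToken();
    }

    public boolean isLoggedIn() {
        return token() != null;
    }

    /** RBAC on realm roles; a missing token or missing realm_access denies. */
    public boolean hasRealmRole(String role) {
        AccessToken t = token();
        AccessToken.Access access = (t == null) ? null : t.getRealmAccess();
        return access != null && access.isUserInRole(role);
    }

    /** RBAC on the roles of one client (resource_access.<clientId>.roles). */
    public boolean hasClientRole(String clientId, String role) {
        AccessToken t = token();
        AccessToken.Access access = (t == null) ? null : t.getResourceAccess(clientId);
        return access != null && access.isUserInRole(role);
    }

    /** ABAC on a custom claim; fails closed when the claim is absent. */
    public boolean hasClaim(String name, Object expected) {
        AccessToken t = token();
        Map<String, Object> claims = (t == null) ? null : t.getOtherClaims();
        return expected != null && claims != null && expected.equals(claims.get(name));
    }
}
```

A bean method would inject `CurrentUser` and call `hasRealmRole("admin")` where the PicketLink code called `hasRole`; every check denies when the token or the claim is missing.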