Marek, the tip of building a simple redirect servlet protected by a user
role constraint and leaving the other servlets unconstrained is working like a
charm. This simple servlet acts as a redirect point to ensure Keycloak
adapter handling of authentication without writing new code. A perfect
solution in fact.
Thank you very much for your support, best regards, Jérôme.
On Thu, Apr 23, 2015 at 18:34, Bill Burke <bburke(a)redhat.com> wrote:
Please read this:
add a @SecurityDomain("keycloak") to your EJB and it will pick up the
On 4/23/2015 12:16 PM, Marek Posolda wrote:
> You're not wrong. With ServletOAuthClient you have control over when you
> redirect the user to the KC login screen. But you're completely independent
> of the WildFly container security layers, hence no propagation to the EJB layer.
> Whether ServletOAuthClient is good for you depends on the use case you want
> to achieve. Maybe it is better for you to add some security-constraint
> URL to your web.xml (for example "/my-protected-url") and you will
> redirect your application to /my-protected-url (with
> httpResponse.sendRedirect) whenever you want your application to be
> logged in with Keycloak. Then once KC authentication is finished and your
> application visits "/my-protected-url" as an authenticated user, you
> will redirect back to the original URL before authentication.
> Not sure if EJB propagation will happen once you're authenticated but
> visit an unprotected URL, though... But at least you can give it a shot.
> On 23.4.2015 15:35, Jérôme Blanchard wrote:
>> I wonder whether the Servlet OAuth Client won't propagate authentication
>> to the WildFly EJB layer... Am I wrong?
>> On Tue, Apr 21, 2015 at 18:13, Marek Posolda <mposolda(a)redhat.com
>> <mailto:firstname.lastname@example.org>> wrote:
>> You can take a look at our examples for how to use
>> ServletOAuthClient. Hopefully it could help with your usecase:
>> On 21.4.2015 12:14, Jérôme Blanchard wrote:
>>> Hi all,
>>> I'm trying to protect a servlet application which can be accessed
>>> either as an anonymous user or as an authenticated user. Some
>>> resources are protected and my application takes charge of the
>>> access control (not role based) so I can't use the WAR protection
>>> using a role user constraint.
>>> In this case I've removed the role constraint in the web.xml and
>>> the Keycloak WildFly (Undertow) adapter lets me access the
>>> application as an unauthenticated user (anonymous), which is perfect.
>>> What I want to handle on some AccessDeniedException is to
>>> redirect the user to the authentication server manually. In this
>>> case, the user authenticates and comes back to the protected URL but is
>>> no longer anonymous but an authenticated user.
>>> Is there a way to handle this redirection to the authentication
>>> server manually (I don't know where to store the state variable
>>> allowing the Keycloak WildFly adapter to properly handle the auth
>>> redirect that includes the code).
>>> Best regards, Jérôme.
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org <mailto:
JBoss, a division of Red Hat
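
The redirect point described in this thread, as an added example (not code from the posters or the Keycloak project): only /my-protected-url carries a security constraint, and the servlet sends the now-authenticated user back to a validated in-application path so it cannot be used as an open redirect. The parameter name `back`, the role name `user` and the class name are assumptions, as is the query string surviving the adapter's login round trip.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml fragment: only this path is constrained, every other
 * servlet stays reachable anonymously ("user" is an assumed role name).
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>login</web-resource-name>
 *       <url-pattern>/my-protected-url</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>KEYCLOAK</auth-method></login-config>
 *   <security-role><role-name>user</role-name></security-role>
 */
@WebServlet("/my-protected-url")
public class LoginRedirectServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container dispatches here only after the adapter has
        // authenticated the user, so all that is left is to go back.
        String target = safeTarget(req.getParameter("back")); // assumed name
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + target));
    }

    // Accept only a path inside this application; anything else becomes "/".
    static String safeTarget(String back) {
        if (back == null || !back.startsWith("/") || back.startsWith("//")
                || back.contains("\\") || back.contains("\r") || back.contains("\n")) {
            return "/";
        }
        try {
            URI uri = new URI(back);
            // Reject anything carrying a scheme or host of its own.
            return (uri.isAbsolute() || uri.getRawAuthority() != null) ? "/" : back;
        } catch (URISyntaxException e) {
            return "/";
        }
    }
}
```

An unconstrained servlet that catches the AccessDeniedException would call `resp.sendRedirect(req.getContextPath() + "/my-protected-url?back=" + URLEncoder.encode(path, "UTF-8"))`, where `path` is the context-relative path and query it was serving.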