12:14 p.m.
Hi all,
I'm trying to protect a servlet application which can be accessed either as
anonymous user and as authenticated user. Some resources are protected and
my application takes in charge the access control (not role based) so I
can't use the war protection using role user constraint.
In this case I've removed the role constraint in the web.xml and the
keycloak wildfly (undertow) adapter let me access the application as
unauthentified user (anonymous) which is perfect.
What I want to handle on some AccessDeniedException is to redirect the user
to the authentication server manually. In this case, user authentified an
come back to the protected URL but is no more anonymous but a authentified
user.
Is ther is a way to handle this redirection to the authentication server
manually (I don't know where to store the state variable allowing keycloak
wildfly adapter to handle properly the auth redirect that include the code).
Best regards, Jérôme.
6:12 p.m.
You can take a look at our examples for how to use ServletOAuthClient.
Hopefully it could help with your usecase:
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
Marek
On 21.4.2015 12:14, Jérôme Blanchard wrote:
Hi all,
I'm trying to protect a servlet application which can be accessed
either as anonymous user and as authenticated user. Some resources are
protected and my application takes in charge the access control (not
role based) so I can't use the war protection using role user constraint.
In this case I've removed the role constraint in the web.xml and the
keycloak wildfly (undertow) adapter let me access the application as
unauthentified user (anonymous) which is perfect.
What I want to handle on some AccessDeniedException is to redirect the
user to the authentication server manually. In this case, user
authentified an come back to the protected URL but is no more
anonymous but a authentified user.
Is ther is a way to handle this redirection to the authentication
server manually (I don't know where to store the state variable
allowing keycloak wildfly adapter to handle properly the auth redirect
that include the code).
Best regards, Jérôme.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:35 p.m.
Hi,
I wonder that the Servlet OAuth Client won't propagate authentication to
wildfy EJB layer... Am I wrong ?
Jérôme.
Le mar. 21 avr. 2015 à 18:13, Marek Posolda <mposolda(a)redhat.com> a écrit :
You can take a look at our examples for how to use
ServletOAuthClient.
Hopefully it could help with your usecase:
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
Marek
On 21.4.2015 12:14, Jérôme Blanchard wrote:
Hi all,
I'm trying to protect a servlet application which can be accessed either
as anonymous user and as authenticated user. Some resources are protected
and my application takes in charge the access control (not role based) so I
can't use the war protection using role user constraint.
In this case I've removed the role constraint in the web.xml and the
keycloak wildfly (undertow) adapter let me access the application as
unauthentified user (anonymous) which is perfect.
What I want to handle on some AccessDeniedException is to redirect the
user to the authentication server manually. In this case, user authentified
an come back to the protected URL but is no more anonymous but a
authentified user.
Is ther is a way to handle this redirection to the authentication server
manually (I don't know where to store the state variable allowing keycloak
wildfly adapter to handle properly the auth redirect that include the code).
Best regards, Jérôme.
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
6:16 p.m.
You're not wrong. With ServletOAuthClient you have control when you
redirect user to the KC login screen. But you're completely independent
on Wildfly container security layers, hence no propagation to EJB layer.
If ServletOAuthClient is good for you, depends on the usecase you want
to achieve. Maybe it is better for you to add some security-constraints
URL to your web.xml (for example "/my-protected-url") and you will
redirect your application to /my-protected-url (with
httpResponse.sendRedirect) whenever you want your application to be
logged with keycloak. Then once KC authentication is finished and your
application will visit "/my-protected-url" as authenticated user, you
will redirect back to the original URL before authentication.
Not sure if EJB propagation will happen once you're authenticated, but
visit unprotected URL though... But at least you can give it a shot.
Marek
On 23.4.2015 15:35, Jérôme Blanchard wrote:
Hi,
I wonder that the Servlet OAuth Client won't propagate authentication
to wildfy EJB layer... Am I wrong ?
Jérôme.
Le mar. 21 avr. 2015 à 18:13, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> a écrit :
You can take a look at our examples for how to use
ServletOAuthClient. Hopefully it could help with your usecase:
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
Marek
On 21.4.2015 12:14, Jérôme Blanchard wrote:
> Hi all,
>
> I'm trying to protect a servlet application which can be accessed
> either as anonymous user and as authenticated user. Some
> resources are protected and my application takes in charge the
> access control (not role based) so I can't use the war protection
> using role user constraint.
> In this case I've removed the role constraint in the web.xml and
> the keycloak wildfly (undertow) adapter let me access the
> application as unauthentified user (anonymous) which is perfect.
> What I want to handle on some AccessDeniedException is to
> redirect the user to the authentication server manually. In this
> case, user authentified an come back to the protected URL but is
> no more anonymous but a authentified user.
> Is ther is a way to handle this redirection to the authentication
> server manually (I don't know where to store the state variable
> allowing keycloak wildfly adapter to handle properly the auth
> redirect that include the code).
>
> Best regards, Jérôme.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
6:34 p.m.
Please read this:
http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#...
add a @SecurityDomain("keycloak") to your EJB and it will pick up the
Keylcoak context.
On 4/23/2015 12:16 PM, Marek Posolda wrote:
You're not wrong. With ServletOAuthClient you have control when
you
redirect user to the KC login screen. But you're completely independent
on Wildfly container security layers, hence no propagation to EJB layer.
If ServletOAuthClient is good for you, depends on the usecase you want
to achieve. Maybe it is better for you to add some security-constraints
URL to your web.xml (for example "/my-protected-url") and you will
redirect your application to /my-protected-url (with
httpResponse.sendRedirect) whenever you want your application to be
logged with keycloak. Then once KC authentication is finished and your
application will visit "/my-protected-url" as authenticated user, you
will redirect back to the original URL before authentication.
Not sure if EJB propagation will happen once you're authenticated, but
visit unprotected URL though... But at least you can give it a shot.
Marek
On 23.4.2015 15:35, Jérôme Blanchard wrote:
> Hi,
> I wonder that the Servlet OAuth Client won't propagate authentication
> to wildfy EJB layer... Am I wrong ?
> Jérôme.
>
> Le mar. 21 avr. 2015 à 18:13, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> a écrit :
>
> You can take a look at our examples for how to use
> ServletOAuthClient. Hopefully it could help with your usecase:
>
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
>
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
>
> Marek
>
>
> On 21.4.2015 12:14, Jérôme Blanchard wrote:
>> Hi all,
>>
>> I'm trying to protect a servlet application which can be accessed
>> either as anonymous user and as authenticated user. Some
>> resources are protected and my application takes in charge the
>> access control (not role based) so I can't use the war protection
>> using role user constraint.
>> In this case I've removed the role constraint in the web.xml and
>> the keycloak wildfly (undertow) adapter let me access the
>> application as unauthentified user (anonymous) which is perfect.
>> What I want to handle on some AccessDeniedException is to
>> redirect the user to the authentication server manually. In this
>> case, user authentified an come back to the protected URL but is
>> no more anonymous but a authentified user.
>> Is ther is a way to handle this redirection to the authentication
>> server manually (I don't know where to store the state variable
>> allowing keycloak wildfly adapter to handle properly the auth
>> redirect that include the code).
>>
>> Best regards, Jérôme.
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:33 a.m.
Hi,
Marek, the tips of building a simple redirect servlet protected by a user
role constraint and let the other servlets unconstrained is working like a
charm. This simple servlet act as a redirect point to ensure keycloak
adapter handling of authentication without writing new code. A perfect
solution in fact.
Thank you very much for your support, best regards, Jérôme.
Le jeu. 23 avr. 2015 à 18:34, Bill Burke <bburke(a)redhat.com> a écrit :
Please read this:
http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#...
add a @SecurityDomain("keycloak") to your EJB and it will pick up the
Keylcoak context.
On 4/23/2015 12:16 PM, Marek Posolda wrote:
> You're not wrong. With ServletOAuthClient you have control when you
> redirect user to the KC login screen. But you're completely independent
> on Wildfly container security layers, hence no propagation to EJB layer.
>
> If ServletOAuthClient is good for you, depends on the usecase you want
> to achieve. Maybe it is better for you to add some security-constraints
> URL to your web.xml (for example "/my-protected-url") and you will
> redirect your application to /my-protected-url (with
> httpResponse.sendRedirect) whenever you want your application to be
> logged with keycloak. Then once KC authentication is finished and your
> application will visit "/my-protected-url" as authenticated user, you
> will redirect back to the original URL before authentication.
>
> Not sure if EJB propagation will happen once you're authenticated, but
> visit unprotected URL though... But at least you can give it a shot.
>
> Marek
>
> On 23.4.2015 15:35, Jérôme Blanchard wrote:
>> Hi,
>> I wonder that the Servlet OAuth Client won't propagate authentication
>> to wildfy EJB layer... Am I wrong ?
>> Jérôme.
>>
>> Le mar. 21 avr. 2015 à 18:13, Marek Posolda <mposolda(a)redhat.com
>> <mailto:mposolda@redhat.com>> a écrit :
>>
>> You can take a look at our examples for how to use
>> ServletOAuthClient. Hopefully it could help with your usecase:
>>
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
>>
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/t...
>>
>> Marek
>>
>>
>> On 21.4.2015 12:14, Jérôme Blanchard wrote:
>>> Hi all,
>>>
>>> I'm trying to protect a servlet application which can be accessed
>>> either as anonymous user and as authenticated user. Some
>>> resources are protected and my application takes in charge the
>>> access control (not role based) so I can't use the war protection
>>> using role user constraint.
>>> In this case I've removed the role constraint in the web.xml and
>>> the keycloak wildfly (undertow) adapter let me access the
>>> application as unauthentified user (anonymous) which is perfect.
>>> What I want to handle on some AccessDeniedException is to
>>> redirect the user to the authentication server manually. In this
>>> case, user authentified an come back to the protected URL but is
>>> no more anonymous but a authentified user.
>>> Is ther is a way to handle this redirection to the authentication
>>> server manually (I don't know where to store the state variable
>>> allowing keycloak wildfly adapter to handle properly the auth
>>> redirect that include the code).
>>>
>>> Best regards, Jérôme.
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org <mailto:
keycloak-user(a)lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3279
days inactive
3292
days old
5 comments
3 participants
participants (3)
-
Bill Burke -
Jérôme Blanchard -
Marek Posolda