Hi everybody, I configured keycloak with mongodb, then I secured frontend on Tomcat making an adapter. I need to secure backend, it is an JAX-RS service based on resteasy and running on undertow. I do not use EJB so I need some help to figure out the best way to implement security with keycloak in my scenario. Suggestions? -- Davide _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Marek, I worked on it during the weekend. Now my problem is the header like: Authorization: Bearer <your_access_token> . I'm running the frontend on Tomcat, I made an adapter for it https://github.com/ungarida/keycloak/, I adapted AS7. Now I can not figure out how to retrieve the access token to include it in the JS that call the JAX-RS service.

-- Davide On Mon, Apr 14, 2014 at 8:44 AM, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: Hi Davide, I think that this exactly is already addressed by our examples. You can take a look especially at this example https://github.com/keycloak/keycloak/tree/master/examples/demo-template/d... which is JAX-RS service service based on resteasy, which requires Bearer token authentication, so all requests sent to it from "frontend" applications like "customer-portal" or "product-portal" need to contain header like: Authorization: Bearer <your_access_token> . You can try existing set of examples to see how it all works together. See instructions in README files under https://github.com/keycloak/keycloak/tree/master/examples/demo-template Marek On 12.4.2014 10:58, Davide Ungari wrote: > Hi everybody, > I configured keycloak with mongodb, > then I secured frontend on Tomcat making an adapter. > > I need to secure backend, it is an JAX-RS service based on > resteasy and running on undertow. > > I do not use EJB so I need some help to figure out the best way > to implement security with keycloak in my scenario. > > Suggestions? > > -- > Davide > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user

Thanks Marek, the information I need were these lines : KeycloakSecurityContext session = (KeycloakSecurityContext) getServletRequest().getAttribute(KeycloakSecurityContext.class.getName()); String token = session.getIdTokenString(); I use this token to add an header to every call: $httpProvider.defaults.headers.common.Authorization = 'Bearer '+keycloak.token; I see my backend is authenticating the call infact: 2014-04-15 00:00:52,868|INFO |adapters.RequestAuthenticator|Bearer AUTHENTICATED Now I have a different issue, that I hope you can help to figure out.

On the browser I see two calls: 1- I dont expect, it is an OPTIONS call 2- I expected, it fails is a GET call I try to do the second call directly with cURL: curl 'http://localhost:8000/1/documents/' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://localhost:8080/dashboard/' -H 'Origin: http://localhost:8080' -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI2ZWIwYzc1Mi1kZTc2LTQ1ZjQtYTAxNi1mMTQ1OTZmMTc1OTUiLCJleHAiOjEzOTc1MTYyMTgsIm5iZiI6MCwiaWF0IjoxMzk3NTE1OTE4LCJpc3MiOiJiaWxsZHJhd2VyIiwiYXVkIjoiYmlsbGRyYXdlciIsInN1YiI6IjQyNGZlZDlkLTk3MDQtNDUwNS04NTcwLWQ4N2I5MWVjNDM1NCIsImF6cCI6IndlYnNpdGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZGUifQ.epRcVbsN_wS44uOMOCyCQ6qkj8JAFn875-N_QYIakom4SPFYBWjU9jS9eBdXsvltwlT-NjlmCOlzbjGT32ZN0bj-_oQ449G9pN35tzzIN0_HXM14cIGdyOchluu4DQz3W6ZKF5m1jm6aFmwPD39ld_Zn7yGoBPPh_3qaYNFy-wl8YJBCCb34BvSRLZhtGdcVLYT4EJW8Y3R_YSnybrPqKr8eJOriLWOl-VOAJrtxT-MAvTDo0rXSubvpZF1CwQKuXHC9AkJ-NM582puVUZkZXt0AgBGJOjxlV7zJr4hLPYaXUG9JX2KMQUMvkhpXuug_tmu1ZR43UnxwLzoJey9C2Q' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36' --compressed And the response is: <html><head><title>Error</title></head><body>Forbidden</body></html> If I try: curl 'http://localhost:8000/1/documents/' -H 'Accept: application/json, text/plain, */*' The response is: <html><head><title>Error</title></head><body>Unauthorized</body></html>% What am I doing wrong? I tried to put play with annotation @RolesAllowed("user") on the JAX-RS but it does not the difference. -- Davide On Mon, Apr 14, 2014 at 9:56 AM, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: On 14.4.2014 09:18, Davide Ungari wrote: > Hi Marek, > I worked on it during the weekend. > > Now my problem is the header like: Authorization: Bearer > <your_access_token> . > > I'm running the frontend on Tomcat, I made an adapter for it > https://github.com/ungarida/keycloak/, I adapted AS7. > > Now I can not figure out how to retrieve the access token to > include it in the JS that call the JAX-RS service. If your frontend is JEE application, then you can use something like this example is doing https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c... . Note that KeycloakSecurityContext is added automatically to request by the adapter of your frontend application (In this case customer-portal application, which is just simple servlet JEE application). So you need to make sure that your Tomcat adapter is adding it as well. You can take a deeper look at existing examples and try them on AS7 for inspiration. I think that your Tomcat adapter should be quite similar to the already existing AS7 adapter as AS7 is using jboss-web, which is defacto Tomcat stuff:-) Marek > > > > -- > Davide > > > On Mon, Apr 14, 2014 at 8:44 AM, Marek Posolda > <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: > > Hi Davide, > > I think that this exactly is already addressed by our > examples. You can take a look especially at this example > https://github.com/keycloak/keycloak/tree/master/examples/demo-template/d... > which is JAX-RS service service based on resteasy, which > requires Bearer token authentication, so all requests sent to > it from "frontend" applications like "customer-portal" or > "product-portal" need to contain header like: Authorization: > Bearer <your_access_token> . > > You can try existing set of examples to see how it all works > together. See instructions in README files under > https://github.com/keycloak/keycloak/tree/master/examples/demo-template > > Marek > > > On 12.4.2014 10:58, Davide Ungari wrote: >> Hi everybody, >> I configured keycloak with mongodb, >> then I secured frontend on Tomcat making an adapter. >> >> I need to secure backend, it is an JAX-RS service based on >> resteasy and running on undertow. >> >> I do not use EJB so I need some help to figure out the best >> way to implement security with keycloak in my scenario. >> >> Suggestions? >> >> -- >> Davide >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user