[keycloak-dev] Rest Service authentication.
Juan Escot
juan.escot at cdtec.es
Tue Jan 20 08:15:17 EST 2015
Yes, I already have created it. I'm using Jboss EAP 6.3. I have installed
the adapter. But I have found a difference between adapter installation in
Keycloak 1.0.4.Final and 1.1.0.beta2.
I'm using 1.0.4.Final and I add this line (as described at for Jboss EAP at
http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation
):
<extension module="org.keycloak.keycloak-as7-subsystem"/>
In 1.1.0.beta2 this configuration seems to be only for AS7. Should I use
this? If I try it, I get an error (JBAS014674 module cannot be loaded)
<extension module="org.keycloak.keycloak-subsystem"/>
All changes made at my standalone.xml are:
<extensions>
<extension module="org.keycloak.keycloak-as7-subsystem"/>
...
</extensions>
...
<security-domains>
<security-domain name="keycloak">
<authentication>
<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
</authentication>
</security-domain>
...
</security-domains>
Do you think is a configuration problem? Do any of my attemps to get user
information should work? Which one?
Regards,
Juan Escot
2015-01-20 12:41 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> For the security context to propagate to EJBs you need to create a shared
> security domain, see
> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation
>
> ----- Original Message -----
> > From: "Juan Escot" <juan.escot at cdtec.es>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Tuesday, 20 January, 2015 11:46:36 AM
> > Subject: [keycloak-dev] Rest Service authentication.
> >
> > Hi,
> > I'm developing an application with AngularJS and Rest Services. I'm using
> > Keycloak for authentication and role management.
> >
> > Mi Angular project is registered as 'confidential' and work's fine. It
> > refresh tokens and sends it on header like this: 'Authorization:Bearer
> > eyJhbGciOiJSUzI1Ni...'
> >
> > Mi java project is defined as 'bearer only' and it's developed with Java
> EJBs
> > as Rest Services. I need more control over permissions and roles, so I
> don't
> > want to secure my project with security-contraints at web.xml. I'd like
> to
> > get user info and roles inside my Rest methods from token received. I
> have
> > checked I received the token with this line:
> >
> > String token = request.getHeader("authorization");
> >
> > But, I can't get any additional information about user. I have tried
> > different approaches but I can't fin a solution. Could I have a Keycloak
> > object with user info?.
> >
> > This is a fragment of my code with all my attemps:
> >
> > @Stateless
> > @LocalBean
> > @Path("/promociones")
> > @SecurityDomain("keycloak")
> > public class PromocionRest {
> > @Context
> > HttpServletRequest request;
> > @Context
> > SecurityContext securityContext;
> > @Resource
> > SessionContext sc;
> > @GET
> > @Produces("application/json")
> > @Path("/list")
> > //@RolesAllowed({ "user" }) <-- If I use this annotation y get an error.
> > @PermitAll
> > public RespuestaListaBase<Promocion> listadoPromociones(...){
> > KeycloakPrincipal principal =
> > (KeycloakPrincipal)securityContext.getUserPrincipal();
> > KeycloakSecurityContext session = (KeycloakSecurityContext)
> > request.getAttribute(KeycloakSecurityContext.class.getName());
> > if (sc!=null && sc.getCallerPrincipal()!=null){
> > System.out.println("Principal's name according to EJB: " +
> > sc.getCallerPrincipal().getName());
> > }
> >
> > System.out.println("Is user in role 'user'? " +
> > request.isUserInRole("user"));
> >
> > String token = request.getHeader("authorization");
> > HttpClient client = new
> HttpClientBuilder().disableTrustManager().build();
> > try {
> > String url = request.getRequestURL().toString();
> > url = url.substring(0, url.indexOf('/', 8));
> > HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
> > get.addHeader("Authorization", "Bearer " + token);
> > try {
> > HttpResponse response = client.execute(get);
> > if (response.getStatusLine().getStatusCode() != 200) {
> > //throw new Failure(response.getStatusLine().getStatusCode());
> > }
> > HttpEntity entity = response.getEntity();
> > InputStream is = entity.getContent();
> >
> > } catch (IOException e) {
> > throw new RuntimeException(e);
> > }
> > } finally {
> > client.getConnectionManager().shutdown();
> > }
> > }
> > }
> >
> > I also have configured jboss-web.xml like this:
> > <jboss-web>
> > <security-domain>keycloak</security-domain>
> > </jboss-web>
> >
> > And web.xml like this:
> > <login-config>
> > <auth-method>KEYCLOAK</auth-method>
> > <realm-name>demo</realm-name>
> > </login-config>
> >
> > <security-role>
> > <role-name>user</role-name>
> > </security-role>
> >
> > Some notes about the code:
> > - KeycloakPrincipal principal =
> > (KeycloakPrincipal)securityContext.getUserPrincipal(); <-- principal is
> > always null
> > - KeycloakSecurityContext session = (KeycloakSecurityContext)
> > request.getAttribute(KeycloakSecurityContext.class.getName()); <--
> session
> > is always null
> > - sc.getCallerPrincipal().getName() <-- returns 'anonymous', so it seems
> it
> > isn't taking security-domain?
> > - request.isUserInRole("user") <-- returns null
> > - HttpResponse response = client.execute(get) <-- throws an exception:
> > org.jboss.resteasy.spi.UnauthorizedException: Bearer
> > - If I use @RolesAllowed({ "user" }) annotation I get this error:
> JBAS014502:
> > The invocation is not allowed in the method
> > - String token = request.getHeader("authorization"); <-- I get
> > 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
> >
> > I suppose i'm doing it wrong, but I don't know what is the correct form.
> > Could I get user information from token received?
> >
> > Thanks in advance,
> > Juan Escot
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150120/d5e28ab8/attachment-0001.html
More information about the keycloak-dev
mailing list