[keycloak-dev] Rest Service authentication.
Bill Burke
bburke at redhat.com
Tue Jan 20 09:13:44 EST 2015
You still need to set up servlet security though and all the security
constraints. Set up your security constraints to be very broad, i.e.
"*", then use @RolesAllowed within your EJBs.
On 1/20/2015 8:15 AM, Juan Escot wrote:
> Yes, I already have created it. I'm using Jboss EAP 6.3. I have
> installed the adapter. But I have found a difference between adapter
> installation in Keycloak 1.0.4.Final and 1.1.0.beta2.
>
> I'm using 1.0.4.Final and I add this line (as described at for Jboss EAP
> at
> http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation
> ):
> <extension module="org.keycloak.keycloak-as7-subsystem"/>
>
> In 1.1.0.beta2 this configuration seems to be only for AS7. Should I use
> this? If I try it, I get an error (JBAS014674 module cannot be loaded)
> <extension module="org.keycloak.keycloak-subsystem"/>
>
> All changes made at my standalone.xml are:
>
> <extensions>
> <extension module="org.keycloak.keycloak-as7-subsystem"/>
> ...
> </extensions>
> ...
> <security-domains>
> <security-domain name="keycloak">
> <authentication>
> <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
> flag="required"/>
> </authentication>
> </security-domain>
> ...
> </security-domains>
>
> Do you think is a configuration problem? Do any of my attemps to get
> user information should work? Which one?
>
> Regards,
> Juan Escot
>
>
>
>
> 2015-01-20 12:41 GMT+01:00 Stian Thorgersen <stian at redhat.com
> <mailto:stian at redhat.com>>:
>
> For the security context to propagate to EJBs you need to create a
> shared security domain, see
> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation
>
> ----- Original Message -----
> > From: "Juan Escot" <juan.escot at cdtec.es <mailto:juan.escot at cdtec.es>>
> > To: keycloak-dev at lists.jboss.org
> <mailto:keycloak-dev at lists.jboss.org>
> > Sent: Tuesday, 20 January, 2015 11:46:36 AM
> > Subject: [keycloak-dev] Rest Service authentication.
> >
> > Hi,
> > I'm developing an application with AngularJS and Rest Services.
> I'm using
> > Keycloak for authentication and role management.
> >
> > Mi Angular project is registered as 'confidential' and work's
> fine. It
> > refresh tokens and sends it on header like this:
> 'Authorization:Bearer
> > eyJhbGciOiJSUzI1Ni...'
> >
> > Mi java project is defined as 'bearer only' and it's developed
> with Java EJBs
> > as Rest Services. I need more control over permissions and roles,
> so I don't
> > want to secure my project with security-contraints at web.xml.
> I'd like to
> > get user info and roles inside my Rest methods from token
> received. I have
> > checked I received the token with this line:
> >
> > String token = request.getHeader("authorization");
> >
> > But, I can't get any additional information about user. I have tried
> > different approaches but I can't fin a solution. Could I have a
> Keycloak
> > object with user info?.
> >
> > This is a fragment of my code with all my attemps:
> >
> > @Stateless
> > @LocalBean
> > @Path("/promociones")
> > @SecurityDomain("keycloak")
> > public class PromocionRest {
> > @Context
> > HttpServletRequest request;
> > @Context
> > SecurityContext securityContext;
> > @Resource
> > SessionContext sc;
> > @GET
> > @Produces("application/json")
> > @Path("/list")
> > //@RolesAllowed({ "user" }) <-- If I use this annotation y get an
> error.
> > @PermitAll
> > public RespuestaListaBase<Promocion> listadoPromociones(...){
> > KeycloakPrincipal principal =
> > (KeycloakPrincipal)securityContext.getUserPrincipal();
> > KeycloakSecurityContext session = (KeycloakSecurityContext)
> > request.getAttribute(KeycloakSecurityContext.class.getName());
> > if (sc!=null && sc.getCallerPrincipal()!=null){
> > System.out.println("Principal's name according to EJB: " +
> > sc.getCallerPrincipal().getName());
> > }
> >
> > System.out.println("Is user in role 'user'? " +
> > request.isUserInRole("user"));
> >
> > String token = request.getHeader("authorization");
> > HttpClient client = new
> HttpClientBuilder().disableTrustManager().build();
> > try {
> > String url = request.getRequestURL().toString();
> > url = url.substring(0, url.indexOf('/', 8));
> > HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
> > get.addHeader("Authorization", "Bearer " + token);
> > try {
> > HttpResponse response = client.execute(get);
> > if (response.getStatusLine().getStatusCode() != 200) {
> > //throw new Failure(response.getStatusLine().getStatusCode());
> > }
> > HttpEntity entity = response.getEntity();
> > InputStream is = entity.getContent();
> >
> > } catch (IOException e) {
> > throw new RuntimeException(e);
> > }
> > } finally {
> > client.getConnectionManager().shutdown();
> > }
> > }
> > }
> >
> > I also have configured jboss-web.xml like this:
> > <jboss-web>
> > <security-domain>keycloak</security-domain>
> > </jboss-web>
> >
> > And web.xml like this:
> > <login-config>
> > <auth-method>KEYCLOAK</auth-method>
> > <realm-name>demo</realm-name>
> > </login-config>
> >
> > <security-role>
> > <role-name>user</role-name>
> > </security-role>
> >
> > Some notes about the code:
> > - KeycloakPrincipal principal =
> > (KeycloakPrincipal)securityContext.getUserPrincipal(); <--
> principal is
> > always null
> > - KeycloakSecurityContext session = (KeycloakSecurityContext)
> > request.getAttribute(KeycloakSecurityContext.class.getName());
> <-- session
> > is always null
> > - sc.getCallerPrincipal().getName() <-- returns 'anonymous', so
> it seems it
> > isn't taking security-domain?
> > - request.isUserInRole("user") <-- returns null
> > - HttpResponse response = client.execute(get) <-- throws an
> exception:
> > org.jboss.resteasy.spi.UnauthorizedException: Bearer
> > - If I use @RolesAllowed({ "user" }) annotation I get this error:
> JBAS014502:
> > The invocation is not allowed in the method
> > - String token = request.getHeader("authorization"); <-- I get
> > 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
> >
> > I suppose i'm doing it wrong, but I don't know what is the
> correct form.
> > Could I get user information from token received?
> >
> > Thanks in advance,
> > Juan Escot
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list