[keycloak-dev] Rest Service authentication.

Bill Burke bburke at redhat.com
Thu Jan 22 08:56:26 EST 2015


Now you have to write an exception mapper for EJBException :)  EJB layer 
is throwing exception, JAX-RS sees an unknown exception, so it sends off 
a 500.

On 1/22/2015 7:39 AM, Juan Escot wrote:
> Thanks for your answer. Once I have configured correctly the servlet, I
> can use @RolesAllowed on my EJBs. KeycloakPrincipal
> and KeycloakSecurityContext are now filled.
>
> But now, I have a new issue. When users don't have permissions, the JBoss
> server is returning a 500 (Internal Server Error) error code. The exact
> error is this:
> javax.ejb.ejbaccessexception: jbas014502: invocation on method: public
> xxxx is not allowed.
>
> I think it should return 403 (Forbidden) or 401 (Unauthorized), shouldn't
> it? Is this behavior correct? Is it a JBoss or Keycloak issue? Is it
> possible to configure the status code returned?
>
>
> 2015-01-20 15:13 GMT+01:00 Bill Burke <bburke at redhat.com>:
>
>     You still need to set up servlet security though and all the security
>     constraints.  Set up your security constraints to be very broad, i.e.
>     "*", then use @RolesAllowed within your EJBs.
>
>     On 1/20/2015 8:15 AM, Juan Escot wrote:
>      > Yes, I have already created it. I'm using JBoss EAP 6.3. I have
>      > installed the adapter. But I have found a difference between adapter
>      > installation in Keycloak 1.0.4.Final and 1.1.0.beta2.
>      >
>      > I'm using 1.0.4.Final and I add this line (as described for JBoss EAP
>      > at
>      > http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter-installation
>      > ):
>      > <extension module="org.keycloak.keycloak-as7-subsystem"/>
>      >
>      > In 1.1.0.beta2 this configuration seems to be only for AS7. Should I
>      > use this? If I try it, I get an error (JBAS014674 module cannot be
>      > loaded):
>      > <extension module="org.keycloak.keycloak-subsystem"/>
>      >
>      > All changes made at my standalone.xml are:
>      >
>      > <extensions>
>      > <extension module="org.keycloak.keycloak-as7-subsystem"/>
>      > ...
>      > </extensions>
>      > ...
>      > <security-domains>
>      > <security-domain name="keycloak">
>      > <authentication>
>      > <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>      > flag="required"/>
>      > </authentication>
>      > </security-domain>
>      > ...
>      > </security-domains>
>      >
>      > Do you think it is a configuration problem? Should any of my attempts
>      > to get user information work? Which one?
>      >
>      > Regards,
>      > Juan Escot
>      >
>      >
>      >
>      >
>      > 2015-01-20 12:41 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
>      >
>      >     For the security context to propagate to EJBs you need to
>      >     create a shared security domain, see
>      >
>      >     http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter-installation
>      >
>      >     ----- Original Message -----
>      >      > From: "Juan Escot" <juan.escot at cdtec.es>
>      >      > To: keycloak-dev at lists.jboss.org
>      >      > Sent: Tuesday, 20 January, 2015 11:46:36 AM
>      >      > Subject: [keycloak-dev] Rest Service authentication.
>      >      >
>      >      > Hi,
>      >      > I'm developing an application with AngularJS and Rest
>      >      > Services. I'm using Keycloak for authentication and role
>      >      > management.
>      >      >
>      >      > My Angular project is registered as 'confidential' and works
>      >      > fine. It refreshes tokens and sends them in a header like this:
>      >      > 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
>      >      >
>      >      > My Java project is defined as 'bearer only' and it's developed
>      >      > with Java EJBs as Rest Services. I need more control over
>      >      > permissions and roles, so I don't want to secure my project with
>      >      > security-constraints in web.xml. I'd like to get user info and
>      >      > roles inside my Rest methods from the token received. I have
>      >      > checked that I receive the token with this line:
>      >      >
>      >      > String token = request.getHeader("authorization");
>      >      >
>      >      > But, I can't get any additional information about the user. I
>      >      > have tried different approaches but I can't find a solution.
>      >      > Could I have a Keycloak object with user info?
>      >      >
>      >      > This is a fragment of my code with all my attempts:
>      >      >
>      >      > @Stateless
>      >      > @LocalBean
>      >      > @Path("/promociones")
>      >      > @SecurityDomain("keycloak")
>      >      > public class PromocionRest {
>      >      > @Context
>      >      > HttpServletRequest request;
>      >      > @Context
>      >      > SecurityContext securityContext;
>      >      > @Resource
>      >      > SessionContext sc;
>      >      > @GET
>      >      > @Produces("application/json")
>      >      > @Path("/list")
>      >      > //@RolesAllowed({ "user" }) <-- If I use this annotation I get an error.
>      >      > @PermitAll
>      >      > public RespuestaListaBase<Promocion> listadoPromociones(...){
>      >      > KeycloakPrincipal principal =
>      >      > (KeycloakPrincipal)securityContext.getUserPrincipal();
>      >      > KeycloakSecurityContext session = (KeycloakSecurityContext)
>      >      > request.getAttribute(KeycloakSecurityContext.class.getName());
>      >      > if (sc!=null && sc.getCallerPrincipal()!=null){
>      >      > System.out.println("Principal's name according to EJB: " +
>      >      > sc.getCallerPrincipal().getName());
>      >      > }
>      >      >
>      >      > System.out.println("Is user in role 'user'? " +
>      >      > request.isUserInRole("user"));
>      >      >
>      >      > // getHeader() returns "Bearer <token>"; strip the scheme so it is not sent twice below
>      >      > String token = request.getHeader("authorization").replaceFirst("(?i)^Bearer\\s+", "");
>      >      > // disableTrustManager() skips TLS certificate validation; only acceptable for local testing
>      >      > HttpClient client = new HttpClientBuilder().disableTrustManager().build();
>      >      > try {
>      >      > String url = request.getRequestURL().toString();
>      >      > url = url.substring(0, url.indexOf('/', 8));
>      >      > HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
>      >      > get.addHeader("Authorization", "Bearer " + token);
>      >      > try {
>      >      > HttpResponse response = client.execute(get);
>      >      > if (response.getStatusLine().getStatusCode() != 200) {
>      >      > //throw new Failure(response.getStatusLine().getStatusCode());
>      >      > }
>      >      > HttpEntity entity = response.getEntity();
>      >      > InputStream is = entity.getContent();
>      >      >
>      >      > } catch (IOException e) {
>      >      > throw new RuntimeException(e);
>      >      > }
>      >      > } finally {
>      >      > client.getConnectionManager().shutdown();
>      >      > }
>      >      > }
>      >      > }
>      >      >
>      >      > I also have configured jboss-web.xml like this:
>      >      > <jboss-web>
>      >      > <security-domain>keycloak</security-domain>
>      >      > </jboss-web>
>      >      >
>      >      > And web.xml like this:
>      >      > <login-config>
>      >      > <auth-method>KEYCLOAK</auth-method>
>      >      > <realm-name>demo</realm-name>
>      >      > </login-config>
>      >      >
>      >      > <security-role>
>      >      > <role-name>user</role-name>
>      >      > </security-role>
>      >      >
>      >      > Some notes about the code:
>      >      > - KeycloakPrincipal principal =
>      >      > (KeycloakPrincipal)securityContext.getUserPrincipal(); <--
>      >      > principal is always null
>      >      > - KeycloakSecurityContext session = (KeycloakSecurityContext)
>      >      > request.getAttribute(KeycloakSecurityContext.class.getName());
>      >      > <-- session is always null
>      >      > - sc.getCallerPrincipal().getName() <-- returns 'anonymous', so
>      >      > it seems it isn't taking the security-domain?
>      >      > - request.isUserInRole("user") <-- returns null
>      >      > - HttpResponse response = client.execute(get) <-- throws an
>      >      > exception: org.jboss.resteasy.spi.UnauthorizedException: Bearer
>      >      > - If I use @RolesAllowed({ "user" }) annotation I get this
>      >      > error: JBAS014502: The invocation is not allowed in the method
>      >      > - String token = request.getHeader("authorization"); <-- I get
>      >      > 'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
>      >      >
>      >      > I suppose I'm doing it wrong, but I don't know the correct
>      >      > way. Could I get user information from the token received?
>      >      >
>      >      > Thanks in advance,
>      >      > Juan Escot
>      >      >
>      >      > _______________________________________________
>      >      > keycloak-dev mailing list
>      >      > keycloak-dev at lists.jboss.org
>      >      > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>      >
>      >
>      >
>      >
>      >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
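Bill's advice in the thread (a broad servlet security constraint, `@RolesAllowed` on the EJB, and a JAX-RS exception mapper so a denied EJB call does not surface as a 500), together with reading the caller's identity through `KeycloakPrincipal` / `KeycloakSecurityContext`, as one added example. This is not code from the thread or from Keycloak; it assumes JBoss EAP 6 with the Keycloak adapter, RESTEasy (JAX-RS 1.1) and EJB 3.1, the `keycloak` security domain from Stian's link, and a web.xml with `auth-method` KEYCLOAK plus a `security-constraint` whose `url-pattern` is `/*` as Bill describes. The class names `EjbExceptionMapper` and `WhoAmIResource` and the `/whoami` path are made up.

```java
// File: EjbExceptionMapper.java (hypothetical name)
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBException;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

/**
 * When @RolesAllowed on an EJB denies the call, the container throws
 * EJBAccessException (a subclass of EJBException). Without a mapper JAX-RS
 * treats it as unknown and answers 500; this mapper turns it into 403.
 * Any other EJBException is logged server-side and still answered with 500,
 * without echoing the exception text to the client.
 */
@Provider
public class EjbExceptionMapper implements ExceptionMapper<EJBException> {

    private static final Logger LOG = Logger.getLogger(EjbExceptionMapper.class.getName());

    @Override
    public Response toResponse(EJBException e) {
        if (isAccessDenied(e)) {
            // The caller was authenticated (a missing or invalid bearer token is
            // already rejected with 401 by the adapter before the EJB is reached)
            // but lacks the required role, so 403 is the right answer.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        LOG.log(Level.SEVERE, "unhandled EJBException in REST call", e);
        return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
    }

    /** The access exception may be thrown directly or wrapped, so walk the cause chain. */
    static boolean isAccessDenied(Throwable t) {
        for (Throwable c = t; c != null; c = (c.getCause() == c ? null : c.getCause())) {
            if (c instanceof EJBAccessException) {
                return true;
            }
        }
        return false;
    }
}

// File: WhoAmIResource.java (hypothetical name)
import java.security.Principal;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Stateless
@Path("/whoami")
@SecurityDomain("keycloak")   // the shared security domain declared in standalone.xml
public class WhoAmIResource {

    @Context
    SecurityContext securityContext;

    @GET
    @Produces("application/json")
    @RolesAllowed("user")   // enforced by the EJB container, not by web.xml
    public String whoAmI() {
        Principal p = securityContext.getUserPrincipal();
        if (!(p instanceof KeycloakPrincipal)) {
            // Only reachable if the request bypassed the KEYCLOAK auth-method;
            // treat it as a server misconfiguration rather than trusting the caller.
            throw new IllegalStateException("request was not authenticated by the Keycloak adapter");
        }
        KeycloakSecurityContext ksc = ((KeycloakPrincipal) p).getKeycloakSecurityContext();
        AccessToken token = ksc.getToken();   // signature already verified by the adapter
        // Minimal hand-built JSON; a real service would use a JSON library so that
        // usernames containing quotes are escaped properly.
        StringBuilder json = new StringBuilder("{\"user\":\"")
                .append(token.getPreferredUsername()).append("\",\"roles\":[");
        if (token.getRealmAccess() != null) {
            String sep = "";
            for (String role : token.getRealmAccess().getRoles()) {
                json.append(sep).append('"').append(role).append('"');
                sep = ",";
            }
        }
        return json.append("]}").toString();
    }
}
```

With the broad constraint in web.xml the three outcomes separate cleanly: a request without a valid bearer token is answered 401 by the adapter before any EJB runs, an authenticated user who lacks the `user` role gets 403 from the mapper, and everything else reaches the method with a populated `KeycloakPrincipal`. Keep the mapper's 500 branch free of exception detail; the JBAS014502 message from the thread belongs in the server log, not in the HTTP body.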

