[keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow

Mon Apr 14 19:01:50 EDT 2014

Thanks Marek,
the information I need were these lines :

KeycloakSecurityContext session = (KeycloakSecurityContext)
getServletRequest().getAttribute(KeycloakSecurityContext.class.getName());
String token = session.getIdTokenString();

I use this token to add an header to every call:
$httpProvider.defaults.headers.common.Authorization = 'Bearer '+keycloak.token;

I see my backend is authenticating the call infact:
2014-04-15 00:00:52,868|INFO |adapters.RequestAuthenticator|Bearer AUTHENTICATED

Now I have a different issue, that I hope you can help to figure out.

On the browser I see two calls:
1- I dont expect, it is an OPTIONS call
2- I expected, it fails is a GET call

I try to do the second call directly with cURL:
curl 'http://localhost:8000/1/documents/' -H 'Accept:
application/json, text/plain, */*' -H 'Referer:
http://localhost:8080/dashboard/' -H 'Origin: http://localhost:8080'
-H 'Authorization: Bearer
eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI2ZWIwYzc1Mi1kZTc2LTQ1ZjQtYTAxNi1mMTQ1OTZmMTc1OTUiLCJleHAiOjEzOTc1MTYyMTgsIm5iZiI6MCwiaWF0IjoxMzk3NTE1OTE4LCJpc3MiOiJiaWxsZHJhd2VyIiwiYXVkIjoiYmlsbGRyYXdlciIsInN1YiI6IjQyNGZlZDlkLTk3MDQtNDUwNS04NTcwLWQ4N2I5MWVjNDM1NCIsImF6cCI6IndlYnNpdGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZGUifQ.epRcVbsN_wS44uOMOCyCQ6qkj8JAFn875-N_QYIakom4SPFYBWjU9jS9eBdXsvltwlT-NjlmCOlzbjGT32ZN0bj-_oQ449G9pN35tzzIN0_HXM14cIGdyOchluu4DQz3W6ZKF5m1jm6aFmwPD39ld_Zn7yGoBPPh_3qaYNFy-wl8YJBCCb34BvSRLZhtGdcVLYT4EJW8Y3R_YSnybrPqKr8eJOriLWOl-VOAJrtxT-MAvTDo0rXSubvpZF1CwQKuXHC9AkJ-NM582puVUZkZXt0AgBGJOjxlV7zJr4hLPYaXUG9JX2KMQUMvkhpXuug_tmu1ZR43UnxwLzoJey9C2Q'
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36' --compressed
And the response is:
<html><head><title>Error</title></head><body>Forbidden</body></html>

If I try:
curl 'http://localhost:8000/1/documents/' -H 'Accept:
application/json, text/plain, */*'
The response is:
<html><head><title>Error</title></head><body>Unauthorized</body></html>%

What am I doing wrong?

I tried to put play with annotation @RolesAllowed("user") on the
JAX-RS but it does not the difference.

--
Davide

On Mon, Apr 14, 2014 at 9:56 AM, Marek Posolda <mposolda at redhat.com> wrote:

>  On 14.4.2014 09:18, Davide Ungari wrote:
>
> Hi Marek,
> I worked on it during the weekend.
>
>  Now my problem is the header like: Authorization: Bearer
> <your_access_token> .
>
>  I'm running the frontend on Tomcat, I made an adapter for it
> https://github.com/ungarida/keycloak/, I adapted AS7.
>
>  Now I can not figure out how to retrieve the access token to include it
> in the JS that call the JAX-RS service.
>
> If your frontend is JEE application, then you can use something like this
> example is doing
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L46. Note that KeycloakSecurityContext
> is added automatically to request by the adapter of your frontend
> application (In this case customer-portal application, which is just simple
> servlet JEE application). So you need to make sure that your Tomcat adapter
> is adding it as well.
>
> You can take a deeper look at existing examples and try them on AS7 for
> inspiration. I think that your Tomcat adapter should be quite similar to
> the already existing AS7 adapter as AS7 is using jboss-web, which is
> defacto Tomcat stuff :-)
>
> Marek
>
>
>
>
>  --
> Davide
>
>
> On Mon, Apr 14, 2014 at 8:44 AM, Marek Posolda <mposolda at redhat.com>wrote:
>
>>  Hi Davide,
>>
>> I think that this exactly is already addressed by our examples. You can
>> take a look especially at this example
>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-servicewhich is JAX-RS service service based on resteasy, which requires Bearer
>> token authentication, so all requests sent to it from "frontend"
>> applications like "customer-portal" or "product-portal" need to contain
>> header like: Authorization: Bearer <your_access_token> .
>>
>> You can try existing set of examples to see how it all works together.
>> See instructions in README files under
>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template
>>
>> Marek
>>
>>
>> On 12.4.2014 10:58, Davide Ungari wrote:
>>
>>  Hi everybody,
>> I configured keycloak with mongodb,
>> then I secured frontend on Tomcat making an adapter.
>>
>>  I need to secure backend, it is an JAX-RS service based on resteasy and
>> running on undertow.
>>
>>  I do not use EJB so I need some help to figure out the best way to
>> implement security with keycloak in my scenario.
>>
>>  Suggestions?
>>
>>  --
>> Davide
>>
>>
>>  _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140415/7b54070c/attachment-0001.html 