[keycloak-user] How to secure JAX-RS service based on resteasy running on undertow

Bill Burke bburke at redhat.com
Mon Apr 14 19:05:14 EDT 2014



On 4/14/2014 7:01 PM, Davide Ungari wrote:
> Thanks Marek,
> the information I needed was these lines:
>
> KeycloakSecurityContext session = (KeycloakSecurityContext)
> getServletRequest().getAttribute(KeycloakSecurityContext.class.getName());
> String token = session.getIdTokenString();
>
> I use this token to add an header to every call:
>
> $httpProvider.defaults.headers.common.Authorization = 'Bearer
> '+keycloak.token;
>
>
> I see my backend is authenticating the call, in fact:
> 2014-04-15 00:00:52,868|INFO |adapters.RequestAuthenticator|Bearer
> AUTHENTICATED
>
>
> Now I have a different issue, that I hope you can help to figure out.
>

I don't understand what the flow is below.  In your flow above you said 
your server is making a call to the backend service with the token and 
is authenticated correctly, right?

What I don't understand is what you are doing below.  Are you saying you 
have a Browser client (Javascript) making a call to your backend?


> On the browser I see two calls:
> 1. one I don't expect: an OPTIONS call
>
> 2. one I expected: a GET call, which fails
>
> I try to do the second call directly with cURL:
> curl 'http://localhost:8000/1/documents/' -H 'Accept: application/json,
> text/plain, */*' -H 'Referer: http://localhost:8080/dashboard/' -H
> 'Origin: http://localhost:8080' -H 'Authorization: Bearer
> eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI2ZWIwYzc1Mi1kZTc2LTQ1ZjQtYTAxNi1mMTQ1OTZmMTc1OTUiLCJleHAiOjEzOTc1MTYyMTgsIm5iZiI6MCwiaWF0IjoxMzk3NTE1OTE4LCJpc3MiOiJiaWxsZHJhd2VyIiwiYXVkIjoiYmlsbGRyYXdlciIsInN1YiI6IjQyNGZlZDlkLTk3MDQtNDUwNS04NTcwLWQ4N2I5MWVjNDM1NCIsImF6cCI6IndlYnNpdGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZGUifQ.epRcVbsN_wS44uOMOCyCQ6qkj8JAFn875-N_QYIakom4SPFYBWjU9jS9eBdXsvltwlT-NjlmCOlzbjGT32ZN0bj-_oQ449G9pN35tzzIN0_HXM14cIGdyOchluu4DQz3W6ZKF5m1jm6aFmwPD39ld_Zn7yGoBPPh_3qaYNFy-wl8YJBCCb34BvSRLZhtGdcVLYT4EJW8Y3R_YSnybrPqKr8eJOriLWOl-VOAJrtxT-MAvTDo0rXSubvpZF1CwQKuXHC9AkJ-NM582puVUZkZXt0AgBGJOjxlV7zJr4hLPYaXUG9JX2KMQUMvkhpXuug_tmu1ZR43UnxwLzoJey9C2Q'
> -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36' --compressed
> And the response is:
> <html><head><title>Error</title></head><body>Forbidden</body></html>
>
> If I try:
> curl 'http://localhost:8000/1/documents/' -H 'Accept: application/json,
> text/plain, */*'
> The response is:
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
>
>
>
> What am I doing wrong?
>
> I tried playing with the annotation @RolesAllowed("user") on the JAX-RS
> service, but it does not make any difference.
>
>
>
> --
> Davide
>
>
> On Mon, Apr 14, 2014 at 9:56 AM, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
>     On 14.4.2014 09:18, Davide Ungari wrote:
>>     Hi Marek,
>>     I worked on it during the weekend.
>>
>>     Now my problem is the header like: Authorization: Bearer
>>     <your_access_token> .
>>
>>     I'm running the frontend on Tomcat; I made an adapter for it,
>>     https://github.com/ungarida/keycloak/, adapting AS7.
>>
>>     Now I cannot figure out how to retrieve the access token to
>>     include it in the JS that calls the JAX-RS service.
>     If your frontend is a JEE application, then you can use something like
>     what this example is doing:
>     https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L46
>     . Note that KeycloakSecurityContext is added automatically to
>     request by the adapter of your frontend application (In this case
>     customer-portal application, which is just simple servlet JEE
>     application). So you need to make sure that your Tomcat adapter is
>     adding it as well.
>
>     You can take a deeper look at the existing examples and try them on AS7
>     for inspiration. I think that your Tomcat adapter should be quite
>     similar to the already existing AS7 adapter, as AS7 is using
>     jboss-web, which is de facto Tomcat stuff :-)
>
>     Marek
>>
>>
>>
>>     --
>>     Davide
>>
>>
>>     On Mon, Apr 14, 2014 at 8:44 AM, Marek Posolda
>>     <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>>         Hi Davide,
>>
>>         I think that exactly this is already addressed by our
>>         examples. You can take a look especially at this example:
>>         https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-service
>>         which is a JAX-RS service based on resteasy, which
>>         requires Bearer token authentication, so all requests sent to
>>         it from "frontend" applications like "customer-portal" or
>>         "product-portal" need to contain header like: Authorization:
>>         Bearer <your_access_token> .
>>
>>         You can try the existing set of examples to see how it all works
>>         together. See the instructions in the README files under
>>         https://github.com/keycloak/keycloak/tree/master/examples/demo-template
>>
>>         Marek
>>
>>
>>         On 12.4.2014 10:58, Davide Ungari wrote:
>>>         Hi everybody,
>>>         I configured Keycloak with MongoDB,
>>>         then I secured the frontend on Tomcat by making an adapter.
>>>
>>>         I need to secure the backend; it is a JAX-RS service based on
>>>         resteasy and running on undertow.
>>>
>>>         I do not use EJB so I need some help to figure out the best
>>>         way to implement security with keycloak in my scenario.
>>>
>>>         Suggestions?
>>>
>>>         --
>>>         Davide
>>>
>>>
>>>         _______________________________________________
>>>         keycloak-user mailing list
>>>         keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>
>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
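The thread observes three distinct outcomes from the same endpoint: "Unauthorized" with no Authorization header, "Forbidden" with a bearer token that the adapter logged as "Bearer AUTHENTICATED", and a @RolesAllowed("user") annotation that seemed to change nothing. The following script is an added example, not code from the thread or from the Keycloak project. It models the decision an adapter plus a role constraint make on a request: 401 when there is no usable bearer token, 403 when the token is accepted but its claim set does not carry the required role. The token in the thread is an RS256 JWT whose payload segment is plain base64url JSON; the sample claims here are constructed to mirror the claim names visible in that token (iss/aud "billdrawer", azp "website", preferred_username "davide") with a placeholder signature. The assumption that Keycloak carries realm roles under `realm_access.roles` is mine, and `decode_payload` deliberately skips signature verification because it is a diagnostic aid, not the adapter's trust decision.

```python
import base64
import json
import time

# Constructed sample claims modelled on the claim names in the thread's token.
# Note: no realm_access claim, so no realm roles are present.
SAMPLE_CLAIMS = {
    "exp": 1397516218,
    "nbf": 0,
    "iat": 1397515918,
    "iss": "billdrawer",
    "aud": "billdrawer",
    "azp": "website",
    "preferred_username": "davide",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.PLACEHOLDER_SIGNATURE"


def decode_payload(token: str) -> dict:
    """Decode the claims segment WITHOUT verifying the signature.

    Use this only to inspect what a token carries; a server must verify the
    RS256 signature against the realm's public key before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def authorize(auth_header, required_role, expected_aud, now=None):
    """Return (http_status, reason) for a request, mirroring the thread's outcomes.

    401: no bearer token, malformed token, wrong time window or audience.
    403: token accepted (authenticated) but the required role is absent.
    200: authenticated and authorized.
    """
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = decode_payload(auth_header[len("Bearer "):])
    except ValueError:  # covers base64 errors and JSON decode errors
        return 401, "malformed token"
    # A missing exp is treated as expired: never accept an open-ended token.
    if claims.get("nbf", 0) > now or claims.get("exp", 0) <= now:
        return 401, "token not yet valid or expired"
    if claims.get("aud") != expected_aud:
        return 401, "audience mismatch"
    # Assumption about claim layout: Keycloak realm roles live under realm_access.roles.
    roles = set(claims.get("realm_access", {}).get("roles", []))
    if required_role not in roles:
        user = claims.get("preferred_username")
        return 403, f"authenticated as {user!r} but role {required_role!r} not in token"
    return 200, "ok"


def demo():
    """Walk through the three cases seen in the thread; returns the status codes."""
    now = SAMPLE_CLAIMS["iat"] + 60  # fixed clock inside the token's validity window
    no_header = authorize(None, "user", "billdrawer", now=now)
    no_role = authorize("Bearer " + make_unsigned_token(SAMPLE_CLAIMS), "user", "billdrawer", now=now)
    with_role = authorize(
        "Bearer " + make_unsigned_token(dict(SAMPLE_CLAIMS, realm_access={"roles": ["user"]})),
        "user", "billdrawer", now=now,
    )
    for label, result in (("no header", no_header), ("no role", no_role), ("with role", with_role)):
        print(f"{label:10s} -> {result[0]} {result[1]}")
    return no_header[0], no_role[0], with_role[0]


if __name__ == "__main__":
    demo()
```

The useful reading of the thread's log line is that "Bearer AUTHENTICATED" followed by a Forbidden response means the signature and time window were accepted and the failure happened later, at the role check; so the first thing to inspect is the decoded payload of exactly the token string the frontend forwarded, and whether it contains the roles the @RolesAllowed constraint demands.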
