[keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow

Bill Burke bburke at redhat.com
Tue Apr 15 10:08:55 EDT 2014 

We do support CORS, you just have to enable it at the adapter level and 
set up the allowed origins for each application in the management console.

On 4/15/2014 5:51 AM, Davide Ungari wrote:
> Hi Marek,
> I started thinking to a public REST API because I want to offer this
> service also to third parties, but I see your point.
> I must organize in a different way the authentication of my frontend and
> then the authentication of third parties.
>
> Thank for your suggestions are very welcome.
>
>
> --
> Davide
>
>
> On Tue, Apr 15, 2014 at 11:28 AM, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
>     Hi Davide,
>
>     I would suggest to change your flow a bit. You have frontend JEE
>     servlet application, which is authenticated with Keycloak. So I
>     think that you don't need any Keycloak accessTokens to be shared
>     with your AngularJS dashboard at all. I would suggest that your
>     AngularJS dashboard won't communicate directly with your JAX-RS
>     backend application, but instead it will communicate just with your
>     servlet JEE application, which will then re-send request to JAX-RS
>     application with the usage of KeycloakSecurityContext as shown in
>     the customer-portal example. So assuming that your frontend
>     application is on
>     "http://localhost:8080/frontend" <http://localhost:8080/frontend>
>     and your JAX-RS is at "http://localhost:8080/backend"
>     <http://localhost:8080/backend> you can do:
>
>     1- The user callhttp://.../frontend
>
>     2- Thefrontendserver redirects to the keycloak login
>
>     3- Keycloak authenticates the user and redirects to frontendserver
>
>     4- The frontend server serves the AngularJS dashboard but NOT injecting the token (So angularJS and your browser don't have direct access to token at all)
>
>     5- User clicks to something in AngularJS app, which will send request tohttp://localhost:8080/frontend/someEndpoint
>
>     6- Frontend will re-send this tohttp://localhost:8080/backend/someBackendEndpoint  similarly as shown in examples, which will ensure that frontend application will attach Bearer token to the request
>
>     7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.
>
>     So your frontend app will be defacto  proxy between AngularJS and "backend" JAX-RS application. With this design, you won't see any CORS related issues, which you currently have. And also you won't need to solve things like
>     refreshing tokens etc.  as this is done automatically by adapter of JEE frontend application. So that's my suggestion.
>
>     Marek
>
>
>
>     On 15.4.2014 01:43, Davide Ungari wrote:
>>     Hi Bill,
>>     it's a mixed approach, maybe this is confusing you.
>>     > I don't understand what the flow is below.  In your flow above you said
>>     > your server is making a call to the backend service with the token and
>>     > is authenticated correctly, right?
>>     My frontend is a WAR running on Tomcat and it is secured by keycloak.
>>     > What I don't understand is what you are doing below.  Are you saying you
>>     > have a Browser client (Javascript) making a call to your backend?
>>     The WAR serves also an AngularJS dashboard, in this dashboard I "inject" the token from the server but then I make client side calls.
>>     The flow is:
>>     1- The user callhttp://.../dashboard
>>     2- Thefrontendserver redirects to the keycloak login
>>     3- Keycloak authenticates the user and redirects to frontendserver
>>     4- The frontend server serves the AngularJS dashboard injecting the token
>>     5- The client side dashboard makes ajax calls to the backend to load data
>>     At point 5 I see my backend is logging that the call is AUTHENTICATED but on client side I see the response is failing.
>>     --
>>     Davide
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-user mailing list