[keycloak-user] Migration to Keycloak

Marek Posolda mposolda at redhat.com
Mon Dec 8 08:04:28 EST 2014


Hi,

I'm afraid that we don't have support for a use case like this yet afaik, 
as adapters are driven by servlet security and if you access a protected 
URL without a token, you will just receive 401. Maybe optional support for 
guest authentication in REST requests is something to consider adding 
to Keycloak though...

One possible alternative we have is a pure JAX-RS filter, which you can 
possibly add to your REST application if you're using JAX-RS: 
https://github.com/keycloak/keycloak/blob/master/integration/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsBearerTokenFilterImpl.java 
. The problem is that you will still have to override at least the method 
"bearerAuthentication" to not send an error in case of a missing token, but 
use your guest account instead. Also I am really not sure if the JAX-RS 
SecurityContext will be propagated to the EJB layer, probably not.

Marek
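One way to implement the dual mechanism Marek describes, as an added example that is not Keycloak's code and not part of the original thread: a plain JAX-RS 2.0 ContainerRequestFilter that installs a 'guest' SecurityContext when no Authorization header is present and otherwise hands the bearer token to a validation hook. The TokenValidator interface, the Identity class and the realm name are assumptions; in a real deployment the hook would verify the token's signature, issuer and expiry.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class GuestOrBearerFilter implements ContainerRequestFilter {

    /** Hypothetical hook: returns subject and roles of a valid bearer token, or null if invalid. */
    public interface TokenValidator { Identity validate(String token); }
    public static final class Identity {
        public final String name; public final Set<String> roles;
        public Identity(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    private static final Identity GUEST = new Identity("guest", Collections.singleton("guest"));
    private final TokenValidator validator;

    public GuestOrBearerFilter(TokenValidator validator) { this.validator = validator; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || header.trim().isEmpty()) {
            install(ctx, GUEST);   // no credentials at all: run as 'guest' instead of answering 401
            return;
        }
        // Credentials were sent, so they must be valid: never downgrade a bad token to guest.
        Identity id = header.regionMatches(true, 0, "Bearer ", 0, 7)
                ? validator.validate(header.substring(7).trim()) : null;
        if (id == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"api\", error=\"invalid_token\"")
                    .build());
            return;
        }
        install(ctx, id);
    }

    private static void install(ContainerRequestContext ctx, final Identity id) {
        final boolean secure = ctx.getSecurityContext() != null && ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return new Principal() { public String getName() { return id.name; } }; }
            @Override public boolean isUserInRole(String role) { return id.roles.contains(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return id == GUEST ? null : "Bearer"; }
        });
    }
}
```

Write endpoints should still carry @RolesAllowed so that a guest call fails with 403 and the client knows to start the login flow. As Marek notes, this only sets the JAX-RS SecurityContext; it does not by itself authenticate the caller on the EJB container.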


On 8.12.2014 11:15, Jérôme Blanchard wrote:
> Hi all,
> I have a question about migrating my application to Keycloak.
> My application is based on:
> - some EJB components
> - a main REST interface driving the EJB components,
> - an HTML5/Angular GUI client
> - some remote REST APIs acting as clients of the main REST API.
> According to the documentation, I plan to use the adapters according 
> to my components, but I'm facing a problem for the main REST interface.
>
> By default, the main REST interface handles requests using a dedicated 
> GUEST account. It's a kind of default account that is propagated to 
> the EJB container using a classic login mechanism. This is handled in a 
> ServletFilter that looks for HTTP Authentication headers. If headers 
> are not found, authentication on the container is done using the 
> default login 'guest'.
> For this special account, a dedicated login-module is used in the 
> WildFly security domain (<login-module code="Identity" flag="required">).
>
> I'm trying to migrate to Keycloak using the Undertow adapter, but I'm 
> not able to handle a default login propagated to the EJB layer.
>
> The use case is that a simple call to the REST API without an 
> authentication token header should result in a container-authenticated 
> user guest, whereas requests with a token included should try to perform 
> the token-based authentication. In that way, unauthenticated usage of the 
> HTML5/JS interface should result in guest requests, and the login process 
> is only required when the main REST API throws AccessDeniedException.
>
> Is there any way to perform this using the KEYCLOAK auth-method, or 
> do I have to write a specific Filter handling a kind of dual auth 
> mechanism (guest and Keycloak)?
>
> Best regards, Jérôme.
