[keycloak-user] Migration to Keycloak

Marek Posolda mposolda at redhat.com
Fri Dec 12 05:18:25 EST 2014


On 11.12.2014 11:31, Jérôme Blanchard wrote:
> Hi everybody,
>
> I'm trying to migrate an existing application to keycloak and I'm 
> facing some problems.
> My application is an EAR composed of:
> - one WAR containing Servlet and JAX-RS resources (which are not 
> session beans but only REST resources calling EJBs)
> - one JAR containing EJB components secured with a dedicated 
> SecurityDomain.
> - one HTML5/Angular client application
>
> I've configured the security domain in standalone-full.xml using the 
> KeycloakLoginModule.
> I've also configured the WAR using jboss-web.xml to use the security 
> domain of the EJBs.
> Finally, I've included the JAX-RS filter in order to allow BearerToken 
> authentication on the REST API in the WAR.
>
> The Angular application is able to log in and to send the bearer token in 
> the HTTP header. The JAX-RS logs show that the token is received and the user 
> name is retrieved.
> What happens is that authentication is not propagated to the EJB Layer 
> and the LoginModule is never called.
Yes, the propagation from the JAX-RS filter to EJB unfortunately doesn't 
work. You can use the adapter and servlet authentication, and in this 
case it should be propagated as described in the reference guide - 
http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/ch07.html#jboss-adapter
But in another thread you also mention the requirement of "guest" 
authentication (like if the Authorization header with the bearer token is not 
present, your app will use some kind of guest account instead of sending 
back a 401 error). Is it still a requirement?

It seems that the easiest short-term solution might be to add support for 
guest authentication to our KC adapter. It will be an optional feature, 
which will be disabled by default. If it's enabled, it will use some 
predefined guest account and guest roles in case the Authorization 
header is not present. But I am not sure if it's something which we 
want to support in KC...

Marek
>
> Does anybody have an idea on how to make this propagation work?
>
> Thanks for your help, best regards, Jérôme.
