[keycloak-user] Sub-resource authentication (edge case)

Marek Posolda mposolda at redhat.com
Fri Dec 12 11:33:06 EST 2014


Hi,

If you want to use Keycloak for authentication, you should rather use:

<auth-method>KEYCLOAK</auth-method>

Also, I don't know how you are sending requests to "/api/*". I guess it 
is a JavaScript application or some other servlet application, which is 
sending JAX-RS requests to the API? In these cases, you should manually add an 
"Authorization" header, either "Authorization: Bearer ..." with a 
bearer token attached or "Authorization: Basic ...." with the Keycloak 
username/password attached (a bearer token is much better, so you can 
avoid direct grant and you don't need to share credentials with your 
application).

Marek

On 12.12.2014 14:06, Eric Wittmann wrote:
> In apiman I have a bit of an edge case that currently isn't working as I
> was hoping (running in wildfly 8.2 - not tested on any other platform).
>
> The issue is that I have a WAR with two sub-contexts:
>
> /api - JAX-RS endpoints to configure the API Gateway
> /gateway - the API Gateway (reverse proxy)
>
> I wanted /api to be protected by keycloak, but for /gateway to be
> unprotected.
>
> My web.xml looks like this:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>apiman-gateway</web-resource-name>
>         <url-pattern>/api/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>apiadmin</role-name>
>       </auth-constraint>
>     </security-constraint>
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>apiman</realm-name>
>     </login-config>
>     <security-role>
>       <role-name>apiadmin</role-name>
>     </security-role>
>
>
> It all works great until I send a request to /gateway/* that includes an
> "Authorization" HTTP header.  If I do that, the adapter tries to
> authenticate with those credentials and fails with a 401 if they don't
> match (which they don't).
>
> I realize this is an odd case, but I did expect that if the web.xml
> specified that only /api/* were protected then other paths would simply
> pass through any Authorization headers.  That may be an incorrect
> expectation - not sure what the servlet spec requires in this case.
>
> Thoughts?
>
> Currently I'm probably going to work around this by splitting up the API
> and Gateway servlets into separate WARs.
>
> -Eric
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
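The behaviour Eric expected from his web.xml (only `/api/*` authenticates, other paths forward the Authorization header untouched) together with Marek's bearer-token advice, as an added illustration that is not apiman or Keycloak adapter code: the snippet below parses the `<security-constraint>` from the message (with `<auth-method>` switched to KEYCLOAK as Marek suggests), applies servlet-spec url-pattern matching, and decides per request whether to challenge (401), refuse on missing role (403) or pass the request through. The `TOKENS` table is a constructed stand-in for token validation, and `handle` is a hypothetical policy function, not the adapter's real logic.

```python
"""Model of servlet security-constraint matching and the Authorization-header
handling described in the thread. Added example, not Keycloak adapter code."""
import xml.etree.ElementTree as ET

# The web.xml from Eric's message, reduced to the elements this example reads,
# with the auth-method Marek recommends.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>apiman-gateway</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>apiadmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>apiman</realm-name>
  </login-config>
</web-app>"""

# Constructed stand-in for token validation: bearer token -> realm roles.
# A real deployment verifies the Keycloak token's signature instead of a lookup.
TOKENS = {"tok-admin": {"apiadmin"}, "tok-user": {"user"}}


def parse_constraints(xml_text):
    """Return [(url_patterns, required_roles)] from each <security-constraint>."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        constraints.append((patterns, roles))
    return constraints


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(constraints, path):
    """Union of roles required for a path, or None when no constraint covers it."""
    roles = None
    for patterns, role_set in constraints:
        if any(pattern_matches(p, path) for p in patterns):
            roles = (roles or set()) | role_set
    return roles


def handle(constraints, path, headers):
    """Hypothetical policy: ('pass', header) / (401, challenge) / (403, reason)."""
    roles = required_roles(constraints, path)
    auth = headers.get("Authorization")
    if roles is None:
        # Unprotected path: the header is not interpreted, only forwarded.
        return ("pass", auth)
    if not auth or not auth.startswith("Bearer "):
        # Protected path without a bearer token: challenge, do not guess a scheme.
        return (401, 'WWW-Authenticate: Bearer realm="apiman"')
    granted = TOKENS.get(auth[len("Bearer "):])
    if granted is None:
        return (401, 'WWW-Authenticate: Bearer realm="apiman", error="invalid_token"')
    if not roles & granted:
        # Authenticated but lacking the role from <auth-constraint>.
        return (403, "insufficient role")
    return ("pass", auth)


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    print(handle(cs, "/api/services", {"Authorization": "Bearer tok-admin"}))
    print(handle(cs, "/gateway/foo", {"Authorization": "Basic Zm9vOmJhcg=="}))
```

The two `print` calls show the split Eric wanted: the same Basic header that would be rejected on `/api/*` is simply forwarded on `/gateway/*`, because no constraint covers that path and the policy never inspects the header there.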


