[keycloak-user] Sub-resource authentication (edge case)
Eric Wittmann
eric.wittmann at redhat.com
Fri Dec 12 13:18:51 EST 2014
Well, my understanding is that when configuring via the subsystem in
wildfly, BASIC was the way to go. That said, I don't have a particular
preference.
But is that detail perhaps beside the point?
The /api/* endpoint works exactly as you have described. In
standalone.xml I've configured it to enable both bearer token and basic
auth. So requests can be sent to /api/* with the Authorization header
set (bearer token and basic auth credentials both work fine).
The problem comes when sending a request to /gateway/*, which is just a
servlet. I can successfully send a request to /gateway/* without an
Authorization header. This works (unauthenticated access). However if
I send a request to /gateway/* with an Authorization header, then
keycloak attempts to authenticate, even though the web.xml doesn't
indicate that /gateway/* should be protected.
I was expecting any *unprotected* resources to simply pass through any
Authorization information, not attempt to actually process it.
Again, this is perhaps an incorrect expectation on my part.
-Eric
On 12/12/2014 11:33 AM, Marek Posolda wrote:
> Hi,
>
> if you want to use keycloak for authentication you should rather use:
>
> <auth-method>KEYCLOAK</auth-method>
>
> Also I don't know how you are sending requests to "/api/*". I guess it
> is a javascript application or some other servlet application, which is
> sending jax-rs requests to the api? In these cases, you should add manually
> an "Authorization" header with either "Authorization: Bearer ..." with
> the bearer token attached or "Authorization: Basic ...." with keycloak
> username/password attached (bearer token is much better, so you can
> avoid direct grant and you don't need to share credentials with your
> application).
>
> Marek
>
> On 12.12.2014 14:06, Eric Wittmann wrote:
>> In apiman I have a bit of an edge case that currently isn't working as I
>> was hoping (running in wildfly 8.2 - not tested on any other platform).
>>
>> The issue is that I have a WAR with two sub-contexts:
>>
>> /api - JAX-RS endpoints to configure the API Gateway
>> /gateway - the API Gateway (reverse proxy)
>>
>> I wanted /api to be protected by keycloak, but for /gateway to be
>> unprotected.
>>
>> My web.xml looks like this:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>apiman-gateway</web-resource-name>
>>     <url-pattern>/api/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>apiadmin</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> <login-config>
>>   <auth-method>BASIC</auth-method>
>>   <realm-name>apiman</realm-name>
>> </login-config>
>> <security-role>
>>   <role-name>apiadmin</role-name>
>> </security-role>
>>
>>
>> It all works great until I send a request to /gateway/* that includes an
>> "Authorization" http header. If I do that, the adapter tries to
>> authenticate with those credentials and fails with a 401 if they don't
>> match (which they don't).
>>
>> I realize this is an odd case, but I did expect that if the web.xml
>> specified that only /api/* were protected then other paths would simply
>> pass through any Authorization headers. That may be an incorrect
>> expectation - not sure what the servlet spec requires in this case.
>>
>> Thoughts?
>>
>> Currently I'm probably going to work around this by splitting up the API
>> and Gateway servlets into separate WARs.
>>
>> -Eric
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
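As an added, defender-side check (example code written for this page, not apiman's or Keycloak's own): a small Python probe that tells apart the two behaviours discussed in the thread. It sends requests with no Authorization header and with a deliberately wrong Basic credential to both a protected path and an unprotected one, and flags the case where the unprotected path answers 200 without credentials but 401 with bad ones, i.e. the adapter is validating credentials on a resource web.xml never constrained. The /api/* and /gateway/* paths follow the thread; the credential pair, the in-process stub server and its responses are constructed assumptions standing in for a real WildFly/Keycloak deployment, so the script runs offline, and `probe()` can be pointed at a real base URL instead.

```python
"""Probe whether Authorization headers are validated on paths that web.xml
leaves unprotected (the edge case discussed in the thread above)."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample credentials for the offline stub; not real apiman users.
VALID_BASIC = "Basic " + base64.b64encode(b"apiadmin:correct-horse").decode()
BAD_BASIC = "Basic " + base64.b64encode(b"apiadmin:wrong").decode()


def make_handler(eager_auth):
    """Build a request handler emulating the container described in the thread.

    eager_auth=True: any Authorization header is validated on every path, so a
    bad credential on /gateway/* yields 401 (the behaviour Eric observed).
    eager_auth=False: only /api/* validates credentials (Eric's expectation).
    """
    class StubHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep output quiet during the probe
            pass

        def _deny(self):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="apiman"')
            self.end_headers()

        def _ok(self):
            self.send_response(200)
            self.end_headers()

        def do_GET(self):
            auth = self.headers.get("Authorization")
            if self.path.startswith("/api/"):
                # covered by the security-constraint: valid credentials required
                return self._ok() if auth == VALID_BASIC else self._deny()
            if self.path.startswith("/gateway/"):
                # unconstrained path: should pass through whatever is sent
                if eager_auth and auth is not None and auth != VALID_BASIC:
                    return self._deny()
                return self._ok()
            self.send_response(404)
            self.end_headers()

    return StubHandler


def start_stub(eager_auth):
    """Start the stub on an ephemeral port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(eager_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def status(base_url, path, authorization=None):
    """GET base_url+path and return the HTTP status; 4xx/5xx are data here."""
    req = Request(base_url + path)
    if authorization is not None:
        req.add_header("Authorization", authorization)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def probe(base_url):
    """Collect the four observations that distinguish the two behaviours."""
    return {
        "api_no_auth": status(base_url, "/api/x"),
        "api_bad_auth": status(base_url, "/api/x", BAD_BASIC),
        "gateway_no_auth": status(base_url, "/gateway/x"),
        "gateway_bad_auth": status(base_url, "/gateway/x", BAD_BASIC),
    }


def eager_auth_detected(results):
    """True when an unprotected path rejects a request solely because it
    carried a (bad) Authorization header: the edge case from the thread."""
    return (results["gateway_no_auth"] == 200
            and results["gateway_bad_auth"] == 401)


if __name__ == "__main__":
    for eager in (True, False):
        server, url = start_stub(eager)
        try:
            r = probe(url)
            print(f"eager_auth={eager}: {r} -> detected={eager_auth_detected(r)}")
        finally:
            server.shutdown()
```

Against a real deployment, a positive result means credentials meant for whatever sits behind the reverse proxy are being consumed and judged by the container's authenticator first; that is worth knowing before deciding between the separate-WAR split Eric mentions and any other arrangement.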