[keycloak-user] Sub-resource authentication (edge case)

Bill Burke bburke at redhat.com
Sat Dec 13 19:49:30 EST 2014


It's really a problem with wildfly, not keycloak.  Keycloak just 
implements the auth SPI of wildfly.

On 12/12/2014 1:18 PM, Eric Wittmann wrote:
> Well, my understanding is that when configuring via the subsystem in
> wildfly, BASIC was the way to go.  That said, I don't have a particular
> preference.
>
> But is that detail perhaps beside the point?
>
> The /api/* endpoint works exactly as you have described.  In
> standalone.xml I've configured it to enable both bearer token and basic
> auth.  So requests can be sent to /api/* with the Authorization header
> set (bearer token and basic auth credentials both work fine).
>
> The problem comes when sending a request to /gateway/*, which is just a
> servlet.  I can successfully send a request to /gateway/* without an
> Authorization header.  This works (unauthenticated access).  However if
> I send a request to /gateway/* with an Authorization header, then
> keycloak attempts to authenticate.  Even though the web.xml doesn't
> indicate that /gateway/* should be protected.
>
> I was expecting any *unprotected* resources to simply pass through any
> Authorization information, not attempt to actually process it.
>
> Again, this is perhaps an incorrect expectation on my part.
>
> -Eric
>
> On 12/12/2014 11:33 AM, Marek Posolda wrote:
>> Hi,
>>
>> if you want to use keycloak for authentication you should rather use:
>>
>> <auth-method>KEYCLOAK</auth-method>
>>
>> Also I don't know how you are sending requests to "/api/*". I guess it
>> is a javascript application or some other servlet application, which is
>> sending jax-rs requests to the api? In these cases, you should manually add
>> the "Authorization" header with either "Authorization: Bearer ..." with
>> bearer token attached or "Authorization: Basic ...." with keycloak
>> username/password attached (bearer token is much better, so you can
>> avoid direct grant and you don't need to share credentials with your
>> application)
>>
>> Marek
>>
>> On 12.12.2014 14:06, Eric Wittmann wrote:
>>> In apiman I have a bit of an edge case that currently isn't working as I
>>> was hoping (running in wildfly 8.2 - not tested on any other platform).
>>>
>>> The issue is that I have a WAR with two sub-contexts:
>>>
>>> /api - JAX-RS endpoints to configure the API Gateway
>>> /gateway - the API Gateway (reverse proxy)
>>>
>>> I wanted /api to be protected by keycloak, but for /gateway to be
>>> unprotected.
>>>
>>> My web.xml looks like this:
>>>
>>>      <security-constraint>
>>>        <web-resource-collection>
>>>          <web-resource-name>apiman-gateway</web-resource-name>
>>>          <url-pattern>/api/*</url-pattern>
>>>        </web-resource-collection>
>>>        <auth-constraint>
>>>          <role-name>apiadmin</role-name>
>>>        </auth-constraint>
>>>      </security-constraint>
>>>      <login-config>
>>>        <auth-method>BASIC</auth-method>
>>>        <realm-name>apiman</realm-name>
>>>      </login-config>
>>>      <security-role>
>>>        <role-name>apiadmin</role-name>
>>>      </security-role>
>>>
>>>
>>> It all works great until I send a request to /gateway/* that includes an
>>> "Authorization" http header.  If I do that, the adapter tries to
>>> authenticate with those credentials and fails with a 401 if they don't
>>> match (which they don't).
>>>
>>> I realize this is an odd case, but I did expect that if the web.xml
>>> specified that only /api/* were protected then other paths would simply
>>> pass through any Authorization headers.  That may be an incorrect
>>> expectation - not sure what the servlet spec requires in this case.
>>>
>>> Thoughts?
>>>
>>> Currently I'm probably going to work around this by splitting up the API
>>> and Gateway servlets into separate WARs.
>>>
>>> -Eric
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
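An added example, not code from this thread or from apiman, Keycloak or WildFly: it evaluates the security-constraint portion of Eric's web.xml against request paths using the servlet-spec url-pattern rules, so you can check which paths the deployment descriptor itself protects. The helper names are mine, and paths are assumed to already have the context path and query string stripped.

```python
import xml.etree.ElementTree as ET

# The security-constraint portion of Eric's web.xml from the thread, embedded
# here as constructed sample input.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>apiman-gateway</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>apiadmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching for security constraints. `path` is the
    request URI with the context path and query string already removed."""
    if pattern == "/" or pattern == path:
        return True                       # default pattern or exact match
    if pattern.endswith("/*"):            # path-prefix pattern such as /api/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):          # extension pattern such as *.jsp
        return path.endswith(pattern[1:])
    return False

def required_roles(web_xml, path):
    """Roles a request path needs according to web.xml: None when no constraint
    covers the path (unprotected), an empty set when access is denied to all,
    otherwise the union of role names. HTTP-method restrictions are ignored."""
    roles = None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        ac = sc.find("auth-constraint")
        if ac is None:
            return None                   # covered, but no auth-constraint: open
        names = {r.text.strip() for r in ac.iter("role-name")}
        if not names:
            return set()                  # empty auth-constraint: deny everyone
        roles = (roles or set()) | names
    return roles

def descriptor_protects(web_xml, path):
    """True when web.xml itself demands authentication for this path."""
    return required_roles(web_xml, path) is not None
```

For Eric's descriptor this reports /gateway/* as unprotected, which is exactly the path on which the adapter still parsed the Authorization header; the descriptor alone therefore does not tell you how the container's auth SPI will treat credentials on unconstrained paths.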

