[keycloak-user] How to use Servlet OAuth Client

Marek Posolda mposolda at redhat.com
Thu Apr 23 12:16:56 EDT 2015


You're not wrong. With ServletOAuthClient you have control over when you 
redirect the user to the KC login screen. But you're completely independent 
of the WildFly container security layers, hence no propagation to the EJB layer.

Whether ServletOAuthClient is good for you depends on the use case you want 
to achieve. Maybe it is better for you to add a security-constraint 
URL to your web.xml (for example "/my-protected-url") and 
redirect your application to /my-protected-url (with 
httpResponse.sendRedirect) whenever you want your application to be 
logged in with Keycloak. Then, once KC authentication is finished and your 
application visits "/my-protected-url" as an authenticated user, you 
redirect back to the original URL from before authentication.

Not sure if EJB propagation will happen once you're authenticated but 
visit an unprotected URL, though... But at least you can give it a shot.

Marek

On 23.4.2015 15:35, Jérôme Blanchard wrote:
> Hi,
> I wonder that the Servlet OAuth Client won't propagate authentication 
> to the WildFly EJB layer... Am I wrong?
> Jérôme.
>
> On Tue, 21 Apr 2015 at 18:13, Marek Posolda <mposolda at redhat.com> 
> wrote:
>
>     You can take a look at our examples for how to use
>     ServletOAuthClient. Hopefully it could help with your usecase:
>     https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party
>     https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party-cdi
>
>     Marek
>
>
>     On 21.4.2015 12:14, Jérôme Blanchard wrote:
>>     Hi all,
>>
>>     I'm trying to protect a servlet application which can be accessed
>>     either as an anonymous user or as an authenticated user. Some
>>     resources are protected and my application takes charge of the
>>     access control (not role based), so I can't use the WAR protection
>>     using a role user constraint.
>>     In this case I've removed the role constraint in the web.xml and
>>     the Keycloak WildFly (Undertow) adapter lets me access the
>>     application as an unauthenticated user (anonymous), which is perfect.
>>     What I want to do on some AccessDeniedException is to
>>     redirect the user to the authentication server manually. In this
>>     case, the user authenticates and comes back to the protected URL but is
>>     no longer anonymous but an authenticated user.
>>     Is there a way to handle this redirection to the authentication
>>     server manually (I don't know where to store the state variable
>>     allowing the Keycloak WildFly adapter to properly handle the auth
>>     redirect that includes the code).
>>
>>     Best regards, Jérôme.
>
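
The redirect flow suggested in the reply above, sketched as an added example that is not code from the thread or from the Keycloak project. It assumes a `<security-constraint>` on `/my-protected-url` in web.xml, that the HTTP session survives the login round trip, and hypothetical names (`LoginRedirect`, `ProtectedLandingServlet`, the `returnTo` session attribute); the return target is checked to be a path inside the application because request paths are client-controlled.

```java
// Added illustration (file ProtectedLandingServlet.java). Class names, the
// "returnTo" attribute and the URL mapping are assumptions, not Keycloak API.
// Assumed web.xml: a <security-constraint> with an <auth-constraint> on
// <url-pattern>/my-protected-url</url-pattern>, so the adapter forces login there only.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

final class LoginRedirect {
    static final String RETURN_TO = "returnTo"; // hypothetical session attribute

    /** Call from application code when an anonymous user is denied access. */
    static void startLogin(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String original = req.getRequestURI();  // raw path, includes the context path
        if (req.getQueryString() != null) original += "?" + req.getQueryString();
        req.getSession(true).setAttribute(RETURN_TO, original);
        resp.sendRedirect(req.getContextPath() + "/my-protected-url");
    }

    /** Accept only paths inside this application, so the return hop cannot leave the site. */
    static boolean isLocalPath(String target, String contextPath) {
        if (target == null || !target.startsWith(contextPath + "/")) return false;
        if (target.startsWith("//") || target.indexOf('\\') >= 0) return false;
        if (target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0) return false;
        try {
            URI u = new URI(target);
            return !u.isAbsolute() && u.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }
}

/** Mapped to the constrained URL, so it runs only after the adapter has authenticated the user. */
@WebServlet("/my-protected-url")
public class ProtectedLandingServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        String target = session == null ? null : (String) session.getAttribute(LoginRedirect.RETURN_TO);
        if (session != null) session.removeAttribute(LoginRedirect.RETURN_TO); // one-time use
        if (!LoginRedirect.isLocalPath(target, req.getContextPath())) {
            target = req.getContextPath() + "/"; // fall back to the application root
        }
        resp.sendRedirect(target);
    }
}
```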
