[keycloak-user] How to use Servlet OAuth Client

Jérôme Blanchard jayblanc at gmail.com
Mon May 4 03:33:05 EDT 2015


Hi,

Marek, the tip of building a simple redirect servlet protected by a user
role constraint and leaving the other servlets unconstrained is working like a
charm. This simple servlet acts as a redirect point to ensure the Keycloak
adapter handles authentication without writing new code. A perfect
solution in fact.

Thank you very much for your support, best regards, Jérôme.

On Thu, 23 Apr 2015 at 18:34, Bill Burke <bburke at redhat.com> wrote:

> Please read this:
>
>
> http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#jboss-adapter
>
> Add a @SecurityDomain("keycloak") to your EJB and it will pick up the
> Keycloak context.
>
> On 4/23/2015 12:16 PM, Marek Posolda wrote:
> > You're not wrong. With ServletOAuthClient you have control over when you
> > redirect the user to the KC login screen. But you're completely independent
> > of the Wildfly container security layers, hence no propagation to the EJB layer.
> >
> > Whether ServletOAuthClient is good for you depends on the use case you want
> > to achieve. Maybe it is better for you to add a security-constraint
> > URL to your web.xml (for example "/my-protected-url") and you will
> > redirect your application to /my-protected-url (with
> > httpResponse.sendRedirect) whenever you want your application to be
> > logged in with keycloak. Then once KC authentication is finished and your
> > application visits "/my-protected-url" as an authenticated user, you
> > will redirect back to the original URL from before authentication.
> >
> > Not sure if EJB propagation will happen once you're authenticated but
> > visit an unprotected URL, though... But at least you can give it a shot.
> >
> > Marek
> >
> > On 23.4.2015 15:35, Jérôme Blanchard wrote:
> >> Hi,
> >> I wonder if the Servlet OAuth Client won't propagate authentication
> >> to the WildFly EJB layer... Am I wrong?
> >> Jérôme.
> >>
> >> On Tue, 21 Apr 2015 at 18:13, Marek Posolda <mposolda at redhat.com
> >> <mailto:mposolda at redhat.com>> wrote:
> >>
> >>     You can take a look at our examples for how to use
> >>     ServletOAuthClient. Hopefully it could help with your usecase:
> >>
> >>     https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party
> >>
> >>     https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party-cdi
> >>
> >>     Marek
> >>
> >>
> >>     On 21.4.2015 12:14, Jérôme Blanchard wrote:
> >>>     Hi all,
> >>>
> >>>     I'm trying to protect a servlet application which can be accessed
> >>>     either as an anonymous user or as an authenticated user. Some
> >>>     resources are protected and my application takes charge of the
> >>>     access control (not role based), so I can't use the WAR protection
> >>>     using a user role constraint.
> >>>     In this case I've removed the role constraint in the web.xml and
> >>>     the Keycloak WildFly (Undertow) adapter lets me access the
> >>>     application as an unauthenticated user (anonymous), which is perfect.
> >>>     What I want to do on some AccessDeniedException is to
> >>>     redirect the user to the authentication server manually. In this
> >>>     case, the user authenticates and comes back to the protected URL, but is
> >>>     no longer anonymous but an authenticated user.
> >>>     Is there a way to handle this redirection to the authentication
> >>>     server manually? (I don't know where to store the state variable
> >>>     allowing the Keycloak WildFly adapter to properly handle the auth
> >>>     redirect that includes the code.)
> >>>
> >>>     Best regards, Jérôme.
> >>>
> >>>
> >>>     _______________________________________________
> >>>     keycloak-user mailing list
> >>>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> >>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
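
The redirect-point servlet discussed in this thread, sketched as an added example; it is not code from any of the posters or from the Keycloak project. It assumes web.xml maps the servlet to /my-protected-url under a role security-constraint so the adapter authenticates the user first; the class name, the `target` parameter and the `loginUrl` helper are hypothetical. Because the return URL travels in a request parameter, it is checked to be a path inside the application before redirecting back.

```java
// Added example. LoginRedirectServlet, "target" and loginUrl() are hypothetical names.
// Assumption: web.xml maps this servlet to /my-protected-url and a
// <security-constraint> with a role protects only that URL pattern, so the
// Keycloak adapter forces login before doGet() runs. Other servlets stay open.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginRedirectServlet extends HttpServlet {

    /** Called from an unconstrained servlet when access is denied to an anonymous user. */
    public static String loginUrl(HttpServletRequest req) throws IOException {
        String ctx = req.getContextPath();
        // Path relative to the context root, plus the original query string.
        String path = req.getRequestURI().substring(ctx.length());
        if (req.getQueryString() != null) {
            path += "?" + req.getQueryString();
        }
        return ctx + "/my-protected-url?target=" + URLEncoder.encode(path, "UTF-8");
    }

    /** True only for a path inside this application: no scheme, no host. */
    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/")
                || target.startsWith("//") || target.contains("\\")) {
            return false; // rejects "//host/..." and backslash variants
        }
        try {
            URI uri = new URI(target); // also rejects control characters such as CR/LF
            return !uri.isAbsolute() && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Reaching this point means the container has already authenticated the user.
        String target = req.getParameter("target");
        String ctx = req.getContextPath();
        // Fall back to the application root when the parameter is missing or not local.
        String dest = isLocalPath(target) ? ctx + target : ctx + "/";
        resp.sendRedirect(resp.encodeRedirectURL(dest));
    }
}
```

An unconstrained servlet would call `response.sendRedirect(LoginRedirectServlet.loginUrl(request))` at the point where it decides the anonymous user must log in.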