[keycloak-user] Programmatic access control with no <security-constraints/> in web.xml

Marek Posolda mposolda at redhat.com
Wed Sep 16 04:35:58 EDT 2015


If you're focused on security for REST endpoints, I think it is quite 
easy to do it programaticaly. You may just need to parse the 
"Authorization" header from request with bearer token and verify it with 
RSATokenVerifier.verifyToken from which you also retrieve AccessToken . 
See BearerTokenRequestAuthenticator class for the inspiration.

Marek

On 16/09/15 09:04, Orestis Tsakiridis wrote:
> Thanks Bill,
>
> I think i may tackle the issue for now through the 
> KeycloakConfigResolver. Maybe return an empty deployment if the API 
> Key is in the request.
>
>
> Regards
>
> Orestis
>
> On Wed, Sep 16, 2015 at 2:39 AM, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>
>     I'll eventually implement adapter as a filter, but right now security
>     constraints are required.
>
>     On 9/15/2015 5:54 PM, Orestis Tsakiridis wrote:
>     > Hello,
>     >
>     > Is it possible to apply programmatic access control i.e. retrieve
>     > KeycloakSecurityContext, get token, roles etc, when the
>     > <security-contraint/> elements have been removed from web.xml?
>     >
>     > The reason for that is that when <security-constraints/> are
>     present the
>     > requests get dropped by the keycloak adapter before reaching the
>     REST
>     > endpoints implementation in case they are not carrying a token. I'm
>     > trying to support an alternative authorization mechanism using a
>     custom
>     > API Key parameter in case the Oauth token header is missing.
>     >
>     >
>     > Regards
>     >
>     > Orestis
>     >
>     >
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>     >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/cc8ecd52/attachment.html 


More information about the keycloak-user mailing list