[keycloak-user] servlet filter and roles

Marek Posolda mposolda at redhat.com
Tue Mar 22 11:43:33 EDT 2016

On 22/03/16 15:10, Bill Burke wrote:
> On 3/22/2016 4:33 AM, Simon Gordon wrote:
>> Hi
>> My client applications (some SAML, some OIDC) are all running within Tomcat
>> 7 on OpenShift. Since the Keycloak Tomcat adapter is a Valve, the jar needs
>> adding into the server classpath which of course I can't do on OpenShift.
>> (Or I've struggled to at least!)
>> Hence I'm using the generic servlet filter adapter. Looking here for SAML:
>> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/ch07.html
>> and here for OIDC:
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d4e1046
>> I can't see how to achieve the security-constraints (roles primarily). Do I
>> need to resort to coding those in the apps, or maybe using JAAS?
> You have to code into the app.  You could write a filter that did a
> HttpServletRequest.isUserInRole().  We should probably provide something
> like that...

The Servlet spec has HttpServletRequestWrapper, where we can easily override 
all the methods like isUserInRole, getRemoteUser, getUserPrincipal etc., 
fill them with the stuff from the token, and send this request wrapper 
down the filter chain. Not sure if we should do it automatically or have a 
configurable flag for it.

> Bill
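The approach sketched in this thread, as an added example that is not from the thread or from the Keycloak project: a servlet Filter that builds an HttpServletRequestWrapper answering isUserInRole/getRemoteUser/getUserPrincipal from the Keycloak access token, then uses that wrapper to enforce a role on a URL prefix before the request reaches the application. It assumes the Keycloak servlet filter adapter runs earlier in the chain and has stored a KeycloakSecurityContext request attribute (the adapter's standard behaviour); the init-param names `protectedPrefix` and `requiredRole`, the default values, and the class names are this example's own choices.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Example filter (not Keycloak's own code). Place it AFTER the Keycloak servlet filter
 * in web.xml so the KeycloakSecurityContext attribute is already present.
 */
public class TokenRoleFilter implements Filter {

    // Path prefix protected by this filter and the realm role it requires.
    // Both come from init-params whose names are assumed for this example.
    private String protectedPrefix = "/admin";
    private String requiredRole = "admin";

    @Override
    public void init(FilterConfig config) {
        String p = config.getInitParameter("protectedPrefix");
        String r = config.getInitParameter("requiredRole");
        if (p != null) protectedPrefix = p;
        if (r != null) requiredRole = r;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The Keycloak adapter stores the security context under this attribute name.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getToken() == null) {
            // Not authenticated by the adapter: fail closed rather than fall through.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        AccessToken token = ctx.getToken();
        Set<String> roles = token.getRealmAccess() == null
                ? Collections.<String>emptySet()
                : token.getRealmAccess().getRoles();
        HttpServletRequest wrapped =
                new TokenRequest(request, token.getPreferredUsername(), roles);

        // Enforce the security-constraint equivalent: protected prefix requires the role.
        String path = wrapped.getRequestURI().substring(wrapped.getContextPath().length());
        if (path.startsWith(protectedPrefix) && !wrapped.isUserInRole(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Downstream filters and servlets now see token-backed security methods.
        chain.doFilter(wrapped, response);
    }

    @Override
    public void destroy() { }

    /** Wrapper that answers the container security methods from the token. */
    static final class TokenRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> roles;

        TokenRequest(HttpServletRequest r, String user, Set<String> roles) {
            super(r);
            this.user = user;
            this.roles = Collections.unmodifiableSet(roles);
        }

        @Override public String getRemoteUser() { return user; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public String getAuthType() { return "KEYCLOAK"; }
        @Override public Principal getUserPrincipal() {
            return user == null ? null : new TokenPrincipal(user);
        }
    }

    /** Minimal Principal carrying the preferred username from the token. */
    static final class TokenPrincipal implements Principal {
        private final String name;
        TokenPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
}
```

Only realm roles are exposed here; if the application's roles are client-scoped, read them from `token.getResourceAccess(clientId).getRoles()` instead (null-checked the same way), since those do not appear under realm access. Map the filter to `/*` so the 403 decision is taken before any servlet, and keep the prefix check exact enough that `/adminx` is not accidentally covered by `/admin`.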
