[keycloak-user] JAX-RS @PermitAll with invalid token fails

Georg Henkel g.henkel at cgh-solutions.de
Fri Apr 28 01:51:03 EDT 2017


Hi there,

I am trying to set up a JAX-RS webservice with Keycloak authentication
and want to use the Java EE security annotations (@PermitAll,
@RolesAllowed).
My current implementation works well with one exception:

If I have set an invalid bearer token in the authorization header, the
TokenVerifier throws a VerificationException stating: Token is not active.
I fully understand why it is thrown and that the token is checked before
the routing in JAX-RS starts. But if I use @PermitAll, I want everyone,
regardless of any authorization header, to be able to access the resource.

How can I handle this use case?
P.S.: If I access the resource without a token, then I get the correct
result from the webservice.

Best regards
Georg


