[keycloak-user] user panel everywhere - no automatic redirect
Marek Posolda
mposolda at redhat.com
Thu Aug 17 03:30:56 EDT 2017
Hi Michal,
Nice to see Brno guy from StudentAgency using Keycloak :)
I suppose you're using the servlet adapter? The servlet spec actually
enforces security based on the URL request path declared in web.xml,
which is not ideal for some applications though. However, there are ways
to solve this somehow. A few things:
- OpenID Connect has support for the "prompt=none" feature and Keycloak
supports it. In short, it allows the application to redirect to
Keycloak, and Keycloak would never display the login screen. In case the user
is not already logged in, it directly redirects back to the app with an error.
If he is logged in, it redirects back to the app with success.
- So you can perhaps do something like this: at the beginning, try to visit
http://yourhost/yourapp/secured?prompt=none . In case the user is not
logged in, you will receive an error from KC and hence you can redirect your
app to http://yourhost/yourapp/unsecured and display that the user
is not yet logged in. Otherwise the user is logged in.
- Once the user clicks "login" you will just redirect to
http://yourhost/yourapp/secured, which will enforce displaying the login
screen on the Keycloak side.
- If the approach above is too quirky, you can perhaps achieve it some
other way if the user is already logged in. Maybe use an iframe talking to
Keycloak? We have some support for the session iframe in the keycloak.js adapter
OOTB; in the servlet adapter there is no support OOTB, but I think you
should be able to use it from your app. This may be a bit harder to
set up though, but likely doable.
Marek
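The prompt=none round trip described above, as an added protocol-level example (not code from this thread, the Keycloak adapter or the keycloak.js library): it builds the silent authorization request and classifies what Keycloak sends back to the redirect URI. The realm URL, client id and redirect URI are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: realm URL, client id and redirect URI are assumptions.
ISSUER = "https://keycloak.example.com/auth/realms/demo"
CLIENT_ID = "yourapp"
REDIRECT_URI = "http://yourhost/yourapp/secured"

# OIDC error codes an OP returns to a prompt=none request when it would have
# to show UI (login, consent, account chooser). These mean "not logged in".
NO_INTERACTION_ERRORS = {
    "login_required", "interaction_required",
    "consent_required", "account_selection_required",
}


def build_silent_auth_url(state: str, nonce: str) -> str:
    """Authorization request that must never render the Keycloak login page."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,      # bound to the browser session; checked on return
        "nonce": nonce,      # later compared with the ID token's nonce claim
        "prompt": "none",
    }
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


def classify_callback(callback_url: str, expected_state: str) -> str:
    """Map Keycloak's redirect back to the app onto one of four outcomes:
    'logged_in', 'not_logged_in', 'error' or 'state_mismatch'."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return "state_mismatch"  # not a response to our request; ignore it
    if "error" in q:
        return "not_logged_in" if q["error"][0] in NO_INTERACTION_ERRORS else "error"
    if "code" in q:
        return "logged_in"       # exchange the code for tokens as usual
    return "error"


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_silent_auth_url(state, nonce))
    # Constructed callbacks: what KC sends for an anonymous vs. an SSO'd browser.
    anon = f"{REDIRECT_URI}?error=login_required&state={state}"
    sso = f"{REDIRECT_URI}?code=constructed-code&session_state=x&state={state}"
    print(classify_callback(anon, state), classify_callback(sso, state))
```

An app would send the anonymous user to the unsecured homepage on `not_logged_in` and treat `state_mismatch` as an unsolicited response rather than as a failed login.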
On 15/08/17 16:59, Michal Keda wrote:
> Both
>
> Principal userPrincipal = httpServletRequest.getUserPrincipal();
> RefreshableKeycloakSecurityContext context =
> (RefreshableKeycloakSecurityContext)
> httpServletRequest.getAttribute(KeycloakSecurityContext.class.getName());
>
> are null when visiting unprotected homepage, even if user is logged
> (directly in keycloak) until I visit my protected page.
>
> Is this configuration error?
>
> On 15.8.2017 at 8:57, Stian Thorgersen wrote:
>> Wouldn't
>> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()
>> do the trick?
>>
>> On 14 August 2017 at 17:22, Michal Keda <michal.keda at studentagency.cz> wrote:
>>
>> Hello,
>> I want to implement a simple panel showing information about the user logged
>> into SSO. The catch is that I need this panel even on pages that should
>> not redirect to the KC server when no user is logged in.
>>
>> This seems like basic behaviour for any homepage (show if the user is
>> logged in, but do not force an immediate redirect if they aren't), but
>> RefreshableKeycloakSecurityContext starts to pop up in my
>> HttpServletRequest only after I access some protected page (specified in
>> web.xml).
>>
>> So my question is (I guess..) whether it is possible to get the currently
>> logged-in user on a page that is not protected by KC.
>>
>> I am using Tomcat 7, Java 8 (+ Wicket)
>>
>> Best regards,
>>
>> Michal Keda
>> --
>>
>> Bc. Michal Keda
>> programmer
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>