[keycloak-user] cxf filter
Nhut Thai Le
ntle at castortech.com
Tue Aug 28 13:34:01 EDT 2018
Hi Dmitri,
About the OIDC Servlet filter, I managed to build an OSGi version of it so
I'm ok for now :D
Regarding the REST service, I think the bearer token is what I want;
however, I'm not sure how the authentication flow works in this case. As I
understand, to use a bearer token, I need to create a client in the Keycloak
server and set its access type to bearer-only; then when making the REST call, I
need to provide a valid "Authorization: Bearer XXX" header.
1. Where do I get this token?
2. If the bearer token is valid, does the Keycloak adapter also put the
KeycloakSecurityContext with the username on the request so that I can
extract it later?
3. Does Keycloak have an OSGi JAX-RS filter for REST services or do I have to
implement my own? (
https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#service.jaxrs.extension.services
)
Hope to get some insight
Thai
On Mon, Aug 27, 2018 at 5:59 PM, Dmitry Telegin <dt at acutus.pro> wrote:
> Hello Thai,
>
> Seems like you've been watching the OSGification PR attentively :)
> I'm sorry we didn't make it for Keycloak 4.3.0. Should get included in
> 4.4.0, hopefully.
>
> Just in case anyone else is interested:
> PR for Keycloak OIDC servlet filter adapter OSGification
> https://github.com/keycloak/keycloak/pull/5383
> PR for the docs https://github.com/keycloak/keycloak-documentation/pull/453
> Built docs: https://keycloak-docs.github.io/deploy-docs-pullrequest/PR/453/securing_apps/index.html#using-on-osgi
>
> As for your question, could you please elaborate? What are you trying
> to achieve? For REST services, you should normally use bearer token
> authorization. In this mode, the adapter would expect a valid token in
> "Authorization: Bearer XXX" HTTP header, otherwise it would return
> HTTP 401. Is this what you're after?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-08-27 at 14:52 -0400, Nhut Thai Le wrote:
> > Hello,
> >
> > I have a web app and a REST API running inside an OSGi environment.
> >
> > The web app has some servlets registered with the web container (jetty)
> > as OSGi whiteboard services. All of these servlets are configured to be
> > protected (authentication required) by the Keycloak servlet filter.
> >
> > import java.util.Dictionary;
> > import java.util.Hashtable;
> > import javax.servlet.Filter;
> > import javax.servlet.Servlet;
> > import org.keycloak.adapters.servlet.KeycloakOIDCFilter;
> > import org.osgi.service.http.whiteboard.HttpWhiteboardConstants;
> >
> > // Servlet published as a whiteboard service, mounted under /whiteboard
> > Dictionary<String, String> props = new Hashtable<>();
> > props.put("alias", "/whiteboard");
> > servletReg = context.registerService(Servlet.class,
> >         new WhiteboardServlet("/test"), props);
> >
> > // Keycloak OIDC filter published for every path ("/*"), so each servlet
> > // above requires an authenticated Keycloak session
> > Dictionary<String, Object> filterProps = new Hashtable<>();
> > String[] urls = { "/*" }; //$NON-NLS-1$
> > filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME, "keycloakFilter");
> > filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN, urls);
> > keycloakFilter = context.registerService(Filter.class,
> >         new KeycloakOIDCFilter(), filterProps);
> >
> > The REST api is hosted by aries-jax-rs-whiteboard.
> > import static org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants.JAX_RS_APPLICATION_BASE;
> >
> > import java.util.Collections;
> > import java.util.Set;
> > import javax.ws.rs.GET;
> > import javax.ws.rs.Path;
> > import javax.ws.rs.Produces;
> > import javax.ws.rs.core.Application;
> > import javax.ws.rs.core.MediaType;
> > import javax.ws.rs.core.Response;
> > import org.osgi.service.component.annotations.Component;
> >
> > // JAX-RS application published to the whiteboard under /rest; the class
> > // is also its only resource (registered via getSingletons)
> > @Component(
> >     immediate = true,
> >     property = JAX_RS_APPLICATION_BASE + "=/rest",
> >     service = Application.class
> > )
> > @Path("/common")
> > public final class RestAPI extends Application {
> >     public static final Response EMPTY_RESPONSE =
> >             Response.noContent().type(MediaType.TEXT_HTML_TYPE).build();
> >
> >     @Override
> >     public Set<Object> getSingletons() {
> >         return Collections.singleton(this);
> >     }
> >
> >     // GET /rest/common/getObject
> >     @GET
> >     @Path("/getObject")
> >     @Produces(MediaType.APPLICATION_JSON)
> >     public String getObject() {
> >         return "Rest call"; //$NON-NLS-1$
> >     }
> > }
> >
> > The web app has some JS code executed in the user's browser that makes an
> > ajax call to the REST service above. Since this call happens after the user
> > has been authenticated with Keycloak and originates from the same browser
> > session, I assume the ajax request also contains the KeycloakSecurityContext.
> > Thus this call should be allowed to reach the REST service. What I want is
> > to register a filter (ContainerRequestFilter) to deny access to the REST
> > service if the user has not been authenticated.
> > Is there an existing implementation of ContainerRequestFilter by Keycloak
> > that can do this?
> >
> >
> > Thai
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com
CONFIDENTIALITY NOTICE: The information contained in this e-mail is
confidential and may be proprietary information intended only for the use
of the individual or entity to whom it is addressed. If the reader of this
message is not the intended recipient, you are hereby notified that any
viewing, dissemination, distribution, disclosure, copy or use of the
information contained in this e-mail message is strictly prohibited. If you
have received and/or are viewing this e-mail in error, please immediately
notify the sender by reply e-mail, and delete it from your system without
reading, forwarding, copying or saving in any manner. Thank you.
CONFIDENTIALITY NOTICE (French version): The information contained in this
message is confidential, may be protected by professional secrecy and is
reserved for the exclusive use of the addressee. Any other person is hereby
notified that disseminating, distributing or reproducing this message is
strictly prohibited. If you have received this communication in error, please
destroy it immediately and notify the sender. Thank you.
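The bearer-token mode Dmitry describes, as an added example (this is not code from the thread, from Keycloak, or from Acutus): a JAX-RS ContainerRequestFilter that reads the Authorization header, verifies the token against the realm with the adapter's AdapterTokenVerifier, answers HTTP 401 with a WWW-Authenticate challenge otherwise, and exposes a KeycloakSecurityContext on the request the way the servlet adapter does, so the resource can read the username and roles. The class name BearerTokenFilter and the keycloak.json stream handed to the constructor are assumptions; it assumes a client with "bearer-only": true in that file. It also assumes the caller already holds an access token and sends it explicitly, for example the token the browser-side keycloak.js adapter keeps, or KeycloakSecurityContext.getTokenString() from a request the servlet filter has already authenticated, because a session cookie alone never puts an Authorization header on an ajax call.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

/**
 * Hypothetical bearer-only filter (example, not Keycloak's own): every request
 * must carry a valid Keycloak access token or it is rejected before matching.
 */
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class BearerTokenFilter implements ContainerRequestFilter {

    private final KeycloakDeployment deployment;

    /** keycloakJson: the adapter config of a bearer-only client (assumed to be supplied by the caller). */
    public BearerTokenFilter(InputStream keycloakJson) {
        this.deployment = KeycloakDeploymentBuilder.build(keycloakJson);
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            abort(ctx);                       // no token at all -> 401
            return;
        }
        String tokenString = header.substring(7).trim();

        final AccessToken token;
        try {
            // Verifies the signature against the realm key (fetched from the realm's
            // JWKS endpoint by the deployment), plus expiry, issuer and token type.
            token = AdapterTokenVerifier.verifyToken(tokenString, deployment);
        } catch (VerificationException e) {
            abort(ctx);                       // bad signature / expired / wrong realm -> 401
            return;
        }

        // Same attribute the servlet adapter sets, so resources can fetch the
        // username and roles from the request without re-parsing the token.
        KeycloakSecurityContext ksc = new KeycloakSecurityContext(tokenString, token, null, null);
        ctx.setProperty(KeycloakSecurityContext.class.getName(), ksc);

        final KeycloakPrincipal<KeycloakSecurityContext> principal =
                new KeycloakPrincipal<>(token.getPreferredUsername(), ksc);
        SecurityContext existing = ctx.getSecurityContext();
        final boolean secure = existing != null && existing.isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) {
                AccessToken.Access realm = token.getRealmAccess();
                return realm != null && realm.isUserInRole(role);
            }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "Bearer"; }
        });
    }

    /** RFC 6750 style rejection: 401 plus a challenge, and no hint about why the token failed. */
    private void abort(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"" + deployment.getRealm() + "\"")
                .build());
    }
}
```

To attach it to the aries-jax-rs-whiteboard setup from the original message, publish an instance as an OSGi service of type ContainerRequestFilter with the property osgi.jaxrs.extension=true (JaxrsWhiteboardConstants.JAX_RS_EXTENSION), and add osgi.jaxrs.application.select if it should apply only to the /rest application rather than whiteboard-wide. Inside a resource, KeycloakSecurityContext is then reachable through the request property named KeycloakSecurityContext.class.getName(), and the username through SecurityContext.getUserPrincipal().getName().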