[keycloak-user] SAML securing application via browser / REST API via ECP on wildfly
Luis Rodríguez Fernández
uo67113 at gmail.com
Fri Apr 12 03:03:58 EDT 2019
Hello Manuel,
Please, do not say sorry, you do not bother at all.
For scenarios like that one I use the Keycloak Java servlet filter
adapter [1]. This allows me to use SAML2 for the user interface (web
profile) and basic authentication for the APIs:
<!-- Keycloak SAML filter only on the browser (web profile) paths -->
<filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/saml</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/secure/ui/*</url-pattern>
</filter-mapping>

<!-- REST endpoint: served by its own servlet, not passed through the SAML filter -->
<servlet-mapping>
    <servlet-name>ApiController</servlet-name>
    <url-pattern>/secure/api/*</url-pattern>
</servlet-mapping>

<!-- Container security constraint for the API (basic auth, any authenticated user) -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>API</web-resource-name>
        <url-pattern>/secure/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description>
        Wildcard allows any authenticated user to access
    </description>
    <role-name>*</role-name>
</security-role>
Hope it helps,
Luis
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter
On Thu, 11 Apr 2019 at 14:31, Manuel Waltschek (<
manuel.waltschek at prisma-solutions.at>) wrote:
> Hello Luis,
>
> sorry to bother you again, but for me it is unclear if this can coexist with
> SAML authentication for the same web app, since it needs a special
> keycloak.json, as seen in
> https://github.com/keycloak/keycloak/tree/master/examples/basic-auth
>
> Regards,
>
> Manuel
>
> *From:* Luis Rodríguez Fernández <uo67113 at gmail.com>
> *Sent:* Thursday, 11 April 2019 14:07
> *To:* Manuel Waltschek <manuel.waltschek at prisma-solutions.at>
> *Subject:* Re: [keycloak-user] SAML securing application via browser /
> REST API via ECP on wildfly
>
> Hello Manuel,
>
> If your client can keep secrets I would go for good old basic
> authentication or OAuth2 with the client credentials flow [1]:
> machine-to-machine authentication where a specific user's permission to
> access data is not required.
>
> Hope it helps,
>
> Luis
>
> [1] https://tools.ietf.org/html/rfc6749#section-4.4
>
> On Thu, 11 Apr 2019 at 11:14, Manuel Waltschek (<
> manuel.waltschek at prisma-solutions.at>) wrote:
>
> Hello KC Community!
>
> We are currently securing our war via browser SSO with SAML. We are
> deploying on wildfly 10 and are using keycloak as an IdP broker.
> We have the requirement to also secure a REST endpoint which is invoked by
> a third party. I read about ECP briefly in the KC docs and some forum
> discussions, but I could not find out how to set this up. It is also
> unclear if keycloak even supports this feature. If not ECP, are there any
> other known ways to support this behaviour?
>
> Regards,
>
>
> Manuel Waltschek BSc.
> +43 660 86655 47
> manuel.waltschek at prisma-solutions.at
> https://www.prisma-solutions.com
>
> PRISMA solutions EDV-Dienstleistungen GmbH
> Klostergasse 18, 2340 Mödling, Austria
> Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
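The split Luis describes (Keycloak SAML filter only on the browser paths, container basic auth on /secure/api/*, and the "*" role meaning any authenticated principal) modelled as a small request dispatcher; this is an added example, not code from the thread or from Keycloak. The client credential, the realm name and the paths other than those in the web.xml snippet are constructed.

```python
import base64
import hmac

# Constructed credential for the third-party API client (not from the thread);
# a real deployment keeps it in the container's security realm, not in the war.
API_CLIENTS = {"third-party": "s3cret-example"}


def basic_header(user, password):
    """Build the Authorization value a REST client sends (RFC 7617)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(auth_header):
    """Return (user, password) from a Basic header, or None if it is malformed."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_principal(auth_header):
    """Authenticate the API caller: constant-time compare, no early exit on unknown user."""
    creds = parse_basic(auth_header)
    if creds is None:
        return None
    user, password = creds
    expected = API_CLIENTS.get(user, "")
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return user if ok and user in API_CLIENTS else None


def dispatch(path, auth_header=None, saml_session=None):
    """Apply the web.xml policy: which mechanism guards which URL pattern."""
    if path == "/saml" or path.startswith("/secure/ui/"):
        # SAML filter paths: no session -> browser is sent to the IdP (web profile)
        return (302, "redirect-to-idp") if saml_session is None else (200, saml_session)
    if path.startswith("/secure/api/"):
        # security-constraint paths: BASIC, role "*" = any authenticated principal
        principal = basic_principal(auth_header)
        if principal is None:
            return 401, 'WWW-Authenticate: Basic realm="API"'
        return 200, principal
    return 200, None  # unconstrained resource
```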