Discussion:
protect endpoint with basic auth
Matthew Broadhead
2018-08-22 13:55:16 UTC
My webapp already has a login-config set to Keycloak in web.xml, so AFAIK
I cannot define any other security configs there. Why doesn't Tomcat
allow multiple security methods?
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>secure</realm-name>
</login-config>

Is there another way to protect a JAX-RS endpoint using basic auth
without having to create another webapp? I read something about valves...
Romain Manni-Bucau
2018-08-22 14:01:25 UTC
Hi Matthew,

Tomcat does that because the spec does (even if several people ask to break
that limitation, it is not yet done at servlet spec level).
That said, to secure a REST endpoint you just need a filter in your app and
implement the security login in there. You can delegate to the container
(request.login()/request.logout()) or not, depending on what you want to do.
MP JWT Auth uses that typically:
https://github.com/apache/geronimo-jwt-auth/blob/master/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>
Matthew Broadhead
2018-08-22 14:15:03 UTC
Hi Romain,

Thanks. That was the conclusion I was coming to. I am glad it is a valid
solution. I found this example also:
https://gist.github.com/neolitec/8953607

I guess I will define a filter mapping in web.xml.

Matthew
Romain Manni-Bucau
2018-08-22 14:26:06 UTC
Yes, that works, or even @WebFilter(urlPatterns="/*", asyncSupported=true)

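The approach Romain describes (a filter that parses the Basic credentials and delegates verification to the container through request.login()/request.logout()), registered by annotation as in his last reply so that web.xml keeps its KEYCLOAK login-config, as an added example. This is not code from the thread, from Geronimo or from the linked gist. It assumes the filter is mapped to a "/api/*" sub-path, that the realm name "secure" mirrors the one in web.xml, and that the container's configured realm can validate a username/password pair; if it cannot, the request.login() call is where application-specific verification would go instead.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the thread. The "/api/*" pattern and the "secure"
// realm name are assumptions chosen for illustration.
@WebFilter(urlPatterns = "/api/*", asyncSupported = true)
public class BasicAuthFilter implements Filter {

    private static final String REALM = "secure";   // assumption: same as <realm-name>
    private static final String PREFIX = "Basic ";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Already authenticated by the container (e.g. the Keycloak authenticator):
        // do not demand a second credential.
        if (request.getUserPrincipal() != null) {
            chain.doFilter(req, res);
            return;
        }

        String[] creds = parseBasic(request.getHeader("Authorization"));
        if (creds == null) {
            challenge(response);
            return;
        }

        try {
            // Delegate verification to the container realm: the filter never
            // compares passwords itself.
            request.login(creds[0], creds[1]);
        } catch (ServletException badCredentials) {
            challenge(response);
            return;
        }

        try {
            chain.doFilter(req, res);
        } finally {
            // Basic auth is per request, so drop the container-side login state,
            // unless the resource went asynchronous and still needs it.
            if (!request.isAsyncStarted()) {
                request.logout();
            }
        }
    }

    /** Returns {user, password}, or null when the header is absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(PREFIX.length()).trim());
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        // RFC 7617: the user-id is non-empty and cannot contain ':'
        if (colon <= 0) {
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate",
                "Basic realm=\"" + REALM + "\", charset=\"UTF-8\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }
}
```

Two points worth keeping in mind with this shape: Basic credentials travel on every request, so the endpoint must only be reachable over TLS (or behind a TLS-terminating proxy); and because the filter sits outside the servlet security constraints, a mapping that is too narrow silently leaves sibling paths unprotected, so verify the urlPatterns against the actual JAX-RS application path.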