0

I'm trying to secure part of my Resteasy rest services by adding Keycloak bearer-only token verification to my webapp.

In my web.xml I added:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>RestService</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>RestService</realm-name>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>

<servlet>
    <servlet-name>RestApplication</servlet-name>
    <servlet-class>
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
    </servlet-class>
    <init-param>
        <param-name>javax.ws.rs.Application</param-name>
        <param-value>com.web.rest.ResteasyApplication</param-value>
    </init-param>
    <init-param>
        <param-name>resteasy.servlet.mapping.prefix</param-name>
        <param-value>/rest</param-value>
    </init-param>
</servlet>


<servlet-mapping>
    <servlet-name>RestApplication</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>

I'm calling the URL: http://localhost:8090/rest/app

This does work as far as authentication goes. Only requests with a valid token will get 'accepted' (others will result in a 401 error).

However, when I use this configuration, I always get a 404 error.

When I disable the security-constraint, the Resteasy controller hits the breakpoint and everything is fine. Do the mappings conflict with each other? How do I pass the request from the authentication phase to the Resteasy processing?

Cloud
  • Can you please share your Keycloak adapter configuration as well? – Boomer Nov 21 '17 at 19:06
  • The 404 seems to be caused by the missing keycloak.json. I thought it was using an XML configuration alternative correctly, but it wasn't used, which is what caused Keycloak to respond with 404. – Cloud Nov 22 '17 at 09:57

1 Answer

2

In your <login-config>, use <auth-method>KEYCLOAK</auth-method> instead of BASIC.

Sébastien Blanc
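An added example, not part of the original question or answer: a small pre-deployment check for the two problems identified on this page, BASIC instead of KEYCLOAK in login-config and a missing keycloak.json. It assumes the adapter is configured per WAR through WEB-INF/keycloak.json; the function names, finding messages and sample values are made up for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the security elements of the web.xml from the question.
QUESTION_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/rest/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

# Constructed sample keycloak.json; every value is a placeholder.
SAMPLE_KEYCLOAK_JSON = """{"realm": "example-realm", "resource": "example-rest-api",
 "auth-server-url": "https://keycloak.example.test/auth", "bearer-only": true}"""

def _local(tag):
    """Drop an XML namespace so web.xml matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _texts(root, parent, child):
    """Text of every <child> nested anywhere under a <parent> element."""
    return [c.text.strip() for p in root.iter() if _local(p.tag) == parent
            for c in p.iter() if _local(c.tag) == child and c.text]

def lint_keycloak_war(web_xml, keycloak_json=None):
    """Return findings; keycloak_json=None means the file is absent from the WAR."""
    findings = []
    root = ET.fromstring(web_xml)
    if not _texts(root, "security-constraint", "url-pattern"):
        findings.append("no security-constraint url-pattern: nothing is protected")
    methods = _texts(root, "login-config", "auth-method")
    if methods != ["KEYCLOAK"]:
        shown = ", ".join(methods) or "missing"
        findings.append(f"login-config auth-method is {shown}, expected KEYCLOAK")
    if keycloak_json is None:
        findings.append("WEB-INF/keycloak.json not found")
        return findings
    cfg = json.loads(keycloak_json)
    for key in ("realm", "resource", "auth-server-url"):
        if not cfg.get(key):
            findings.append(f"keycloak.json lacks '{key}'")
    if cfg.get("bearer-only") is not True:
        findings.append("keycloak.json does not set bearer-only to true")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_keycloak_war(QUESTION_WEB_XML)))
```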