1

I've recently configured SSO with Keycloak servlet adapter. The problem is that we have service-to-service communication, which goes with BASIC authentication.
Previously, we were using JAAS authentication, therefore the S2S communication was stateless (no sessions associated).

With the SSO/Keycloak, this is no longer the case. Moreover, each REST request, creates a new Keycloak session.

I tried to find a configuration or an alternative solution without Keycloak customization and coding, but I couldn't.

P.S. Due to backward compatibility, I can't change the REST clients to switch to BEARER or other auth methods.

Anyone having better idea?

Georgi
  • 189
  • 2
  • 12

1 Answers1

1

I read the point that you cannot change from basic to bearer. But can you switch off your basic authentication altogether from your rest services?

I am saying that because after doing that you may be able to move your authentication logic to a filter.

You can create a Filter that would intercept all requests before they would even reach your Rest Service. This filter handles authentication and based on success proceeds to rest service otherwise returns 401. Sample code:

public class RequestInterceptor implements Filter 
{
  if( (performAuth()) ) 
     chain.doFilter(request, response);
  else     
    // set status to HttpServletResponse.SC_SERVICE_UNAVAILABLE
}

// But you will have to find a way to exclude this class from authentication chain.

Try thinking along these lines, you may get some direction.

tryingToLearn
  • 10,691
  • 12
  • 80
  • 114
  • Thanks for the idea, @tryingToLearn. This could be a good work-around, but only for the multiple sessions that are flooding Keycloak. I may give a try, once I get some spare time. There might be one disadvantage - additional HTTP handshake to get the SSO token. – Georgi May 03 '19 at 16:25