
We have a WildFly JAX-RS REST API and we want to secure it with Keycloak.

The problem is that the integration with @SecurityDomain("keycloak") works only with an EJB entry point. It is ignored on a class with no @Stateless annotation.

The issue is that the entry point becomes an EJB, and the EJB is pool-managed, which is not really a good thing for a stateless application. Moreover, all methods in an EJB are transactional and we do not want this behavior. So yes, we can add a transactional annotation to specify not to use a transaction in the method, but I think it is a workaround.

We want to work with CDI as much as we can, and having the entry point with EJB pool management, with in WildFly 20 EJB at the same time, can be a bottleneck in a big application.

Any idea? Or a proper way to implement Keycloak security with CDI?

Subodh Joshi
cyril

1 Answer

If you mean declarative security using the @RolesAllowed annotation, this is not supported on all CDI beans; it is only supported by EJBs and Servlets.

As JAX-RS will run in a webapp, you can use declarative security based on url-patterns and HTTP methods using security-constraints in web.xml.

You can also implement programmatic security in the JAX-RS methods (or in a filter), using the SecurityContext.

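```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/resource") // placeholder path
public class Resource {
    @Context
    SecurityContext securityContext;

    @GET
    public Response get() {
        if (securityContext.isUserInRole("ROLE")) {
            return Response.ok().build(); // placeholder for the protected logic
        }
        // placeholder: response for callers without the role
        return Response.status(Response.Status.FORBIDDEN).build();
    }
}
```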

Although not a standard feature, WildFly's JAX-RS implementation, RESTEasy, can be configured to support @RolesAllowed annotations. See: https://docs.jboss.org/resteasy/docs/4.4.2.Final/userguide/html/Securing_JAX-RS_and_RESTeasy.html

areus