Hello folks,
I’m trying to protect a REST API of a legacy system running on a JBoss EAP 6.4 server. The Keycloak server available in my company is running on another machine. So, in Keycloak I’ve created a client (openid protocol, bearer only), I’ve installed the adapter according to the documentation and appended the following section to my standalone:
<subsystem xmlns="urn:jboss:domain:keycloak:1.2">
    <!-- one secure-deployment entry per WAR the adapter should protect -->
    <secure-deployment name="cad-seg-api.war">
        <realm>sec-zone-realm</realm>
        <!-- client ID as registered in Keycloak -->
        <resource>cad-seg-api-client</resource>
        <!-- bearer-only: validate Authorization: Bearer tokens, never start a login -->
        <bearer-only>true</bearer-only>
        <auth-server-url>http://localhost:8280/auth/</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
    </secure-deployment>
</subsystem>
And the web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>OAUTH2</web-resource-name>
        <!-- paths under this constraint, relative to the context root -->
        <url-pattern>/oauth2</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- role the caller must hold -->
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <!-- hands authentication to the Keycloak adapter -->
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>sec-zone-realm</realm-name>
</login-config>
The application can be deployed normally, without errors/warnings, but when I follow the link http://app.local/api/oauth2/users I can access it without any credentials supplied. I think an “unauthorized” message, or something like that, should be sent. Even reading the examples (mostly for WildFly) I couldn’t figure out how to access the mentioned link and get redirected to the Keycloak login page.
Any ideas?
Thanks!
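The security-relevant detail in the web.xml above is the url-pattern. Under the servlet specification, `/oauth2` (no trailing `/*`) is an exact-match pattern: it protects the single path `/oauth2` and nothing below it, so `/oauth2/users` is served without any constraint and the adapter is never consulted. The fragment below is an added example, not part of the original post or of the Keycloak project; it assumes the same realm, role and deployment names as above and that the `/api` prefix in the URL is the WAR's context root, which is not part of url-pattern.

```xml
<!-- Added example: corrected web.xml security section (assumed names from the post). -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>OAUTH2</web-resource-name>
        <!-- Path-prefix pattern: covers /oauth2, /oauth2/users, /oauth2/users/42, ...
             The original "/oauth2" is an exact-match pattern and only guards that one path. -->
        <url-pattern>/oauth2/*</url-pattern>
        <!-- No <http-method> elements on purpose: listing e.g. only GET would leave
             POST/PUT/DELETE on the same paths uncovered and therefore unauthenticated. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>sec-zone-realm</realm-name>
</login-config>

<!-- Declare every role referenced by an auth-constraint. -->
<security-role>
    <role-name>user</role-name>
</security-role>
```

After redeploying, `curl -i http://app.local/api/oauth2/users` with no token should answer 401 with a `WWW-Authenticate: Bearer ...` header rather than a redirect: a bearer-only client never initiates a login, it only validates tokens that a front end or API consumer obtained elsewhere, so the redirect to the Keycloak login page seen in the WildFly examples is expected not to happen here. Repeating the request with `-H "Authorization: Bearer <access token>"` for a user who holds the `user` role (a realm role by default, or a client role of `cad-seg-api-client` when `use-resource-role-mappings` is enabled in the adapter configuration) should return 200.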