Posted to users@tomee.apache.org by Matthew Broadhead <ma...@nbmlaw.co.uk.INVALID> on 2018/08/22 13:55:16 UTC

protect endpoint with basic auth

my webapp already has a login-config set to keycloak in web.xml so AFAIK 
i cannot define any other security configs there.  why doesn't tomcat 
allow multiple security methods?
<login-config>
     <auth-method>KEYCLOAK</auth-method>
     <realm-name>secure</realm-name>
</login-config>

is there another way to protect a jax-rs endpoint using basic auth 
without having to create another webapp?  i read something about valves...


Re: protect endpoint with basic auth

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Yes works, or even @WebFilter(urlPatterns="/*",asyncSupported=true)

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Wed, 22 Aug 2018 at 16:15, Matthew Broadhead
<ma...@nbmlaw.co.uk.invalid> wrote:

> Hi Romain,
>
> Thanks.  that was the conclusion I was coming to.  I am glad it is a valid
> solution.  I found this example also
> https://gist.github.com/neolitec/8953607.
>
> I guess i will define a filter mapping in web.xml
>
> Matthew
>
> On 22/08/18 16:01, Romain Manni-Bucau wrote:
> > Hi Matthew,
> >
> > tomcat does that because the spec does (even if several people ask to break
> > that limitation it is not yet done at servlet spec level)
> > that said to secure a rest endpoint you just need a filter in your app and
> > implement the security login in there. you can delegate to the container
> > (request.login()/request.logout())  or not depending what you want to do.
> > MP JWT Auth uses that typically:
> > https://github.com/apache/geronimo-jwt-auth/blob/master/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <https://rmannibucau.metawerx.net/> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> > <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >
> >
> > On Wed, 22 Aug 2018 at 15:55, Matthew Broadhead
> > <ma...@nbmlaw.co.uk.invalid> wrote:
> >
> >> my webapp already has a login-config set to keycloak in web.xml so AFAIK
> >> i cannot define any other security configs there.  why doesn't tomcat
> >> allow multiple security methods?
> >> <login-config>
> >>       <auth-method>KEYCLOAK</auth-method>
> >>       <realm-name>secure</realm-name>
> >> </login-config>
> >>
> >> is there another way to protect a jax-rs endpoint using basic auth
> >> without having to create another webapp?  i read something about valves...
> >>
> >>
>
>

Re: protect endpoint with basic auth

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk.INVALID>.
Hi Romain,

Thanks.  that was the conclusion I was coming to.  I am glad it is a valid
solution.  I found this example also 
https://gist.github.com/neolitec/8953607.

I guess i will define a filter mapping in web.xml

Matthew

On 22/08/18 16:01, Romain Manni-Bucau wrote:
> Hi Matthew,
>
> tomcat does that because the spec does (even if several people ask to break
> that limitation it is not yet done at servlet spec level)
> that said to secure a rest endpoint you just need a filter in your app and
> implement the security login in there. you can delegate to the container
> (request.login()/request.logout())  or not depending what you want to do.
> MP JWT Auth uses that typically:
> https://github.com/apache/geronimo-jwt-auth/blob/master/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://rmannibucau.metawerx.net/> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>
>
> On Wed, 22 Aug 2018 at 15:55, Matthew Broadhead
> <ma...@nbmlaw.co.uk.invalid> wrote:
>
>> my webapp already has a login-config set to keycloak in web.xml so AFAIK
>> i cannot define any other security configs there.  why doesn't tomcat
>> allow multiple security methods?
>> <login-config>
>>       <auth-method>KEYCLOAK</auth-method>
>>       <realm-name>secure</realm-name>
>> </login-config>
>>
>> is there another way to protect a jax-rs endpoint using basic auth
>> without having to create another webapp?  i read something about valves...
>>
>>


Re: protect endpoint with basic auth

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi Matthew,

tomcat does that because the spec does (even if several people ask to break
that limitation it is not yet done at servlet spec level)
that said to secure a rest endpoint you just need a filter in your app and
implement the security login in there. you can delegate to the container
(request.login()/request.logout())  or not depending what you want to do.
MP JWT Auth uses that typically:
https://github.com/apache/geronimo-jwt-auth/blob/master/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Wed, 22 Aug 2018 at 15:55, Matthew Broadhead
<ma...@nbmlaw.co.uk.invalid> wrote:

> my webapp already has a login-config set to keycloak in web.xml so AFAIK
> i cannot define any other security configs there.  why doesn't tomcat
> allow multiple security methods?
> <login-config>
>      <auth-method>KEYCLOAK</auth-method>
>      <realm-name>secure</realm-name>
> </login-config>
>
> is there another way to protect a jax-rs endpoint using basic auth
> without having to create another webapp?  i read something about valves...
>
>
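
The filter approach described in this thread, as an added example that is not code from the posters, the linked gist or the Geronimo project. It takes the non-delegating option (no request.login()) and checks HTTP Basic credentials itself; the URL pattern /api/internal/*, the class name and the INTERNAL_API_CREDENTIALS environment variable are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical path; map it to the JAX-RS resource that needs Basic auth.
@WebFilter(urlPatterns = "/api/internal/*", asyncSupported = true)
public class BasicAuthFilter implements Filter {
    private byte[] expected; // "user:password" bytes, loaded once at startup

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Assumption: credentials are supplied via the environment, not source code.
        String creds = System.getenv("INTERNAL_API_CREDENTIALS"); // "user:password"
        if (creds == null || creds.indexOf(':') < 1) {
            throw new ServletException("INTERNAL_API_CREDENTIALS not set"); // fail closed
        }
        expected = creds.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isAuthorized(request.getHeader("Authorization"))) {
            chain.doFilter(req, res);
            return;
        }
        // Challenge the client and stop; the JAX-RS resource is never reached.
        response.setHeader("WWW-Authenticate", "Basic realm=\"internal\", charset=\"UTF-8\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    boolean isAuthorized(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false; // missing header or a different scheme (e.g. Bearer)
        }
        try {
            byte[] supplied = Base64.getDecoder().decode(header.substring(6).trim());
            return MessageDigest.isEqual(supplied, expected); // constant-time comparison
        } catch (IllegalArgumentException malformedBase64) {
            return false;
        }
    }

    @Override
    public void destroy() { }
}
```

The filtered path must not also be covered by a security-constraint in web.xml, because the container's KEYCLOAK authenticator runs before any filter and would handle the request first. Basic credentials are only base64-encoded, so the endpoint should be reachable over TLS only.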