Securing a REST service with Keycloak Print

How Can We Secure a Microservice?

In a traditional web application, a server side web tier is used to authenticate the user.  An HTTP session is then created containing the authentication and user details. The security context is propagated between the tiers within the application server so there’s no need to re-authenticate the user.  With microservices, the server side web tier is replaced by html and javascript on the client side. Since it’s stateless, there is no HTTP session and no single layer to deal with authentication.  This is where Keycloak comes to the rescue.



What is Keycloak?

Keycloak is an SSO solution for web apps, mobile and RESTful web services. It is an authentication server where users can centrally login, logout, register, and manage their user accounts. The Keycloak admin UI can manage roles and role mappings for any application secured by Keycloak. The Keycloak Server can also be used to perform social logins via the user’s favorite social media site i.e. Google, Facebook, Twitter etc.

Using the Keycloak adapter, an unauthenticated user is redirected to the login screen on the Keycloak server. The user then supplies credentials for authentications to  the Keycloak server. Since the authentication is done by the Keycloak server and not your application, it’s easy to add support for multi-factor authentication or social logins without having to change anything in your application.

Once the user is authenticated, Keycloak returns a token to the application. The token contains details about the user as well as permissions the user has. A token is basically just a signed JSON document and can be verified by the called services or by invoking the Keycloak server.

Installing the Servers

Follow the steps from the post Using Vagrant and Ansible To Build A Keycloak/Wildfly Development Server to setup both Keycloak and Wildfly servers.

What is Ansible doing?

After downloading and installing wildfly , keycloak-wildfly-adapter-distis then downloaded and unzipped adding additional keycloak  modules needed to communicate with the authentication server.

At that point a command line script is executed adding the keycloak subsystem to the Wildfly standalone.xml  configuration file


Checking out the Serenity REST Services

The services being deployed consist of:

  • Services
    • JaxRsActivator – This is used to bootstrap the application. It uses the @ApplicationPath annotation to set the application context path
    • CargoServices – Service endpoint that allows us to find, update and add cargo
    • JobServices – Service endpoint that finds existing jobs
    • LocationServices – Service endpoint that finds existing accessible locations
  • EJB
    • CargoAccess – Stateless session bean used to demonstrate programmatic authentication and authorization

Securing the Services

The services can be secured by updating the web.xml as follows:

The CargoAccess stateless session bean demonstrates how to programmatically use the keycloak system.

  • The Jboss specific @SecurityDomain  annotation is used to set Keycloak as the security domain
  • The @PermitAll  and @RolesAllowed  annotations are used to supply access to the operations

Configure the keycloak.json adapter config file.  This file specifies the configuration used to communicate with the Keycloak server.  Our sample looks like:

  • realm : The Keycloak realm representing the serenity application and users
  • resource : Name of the application client to connect to when attempting authentication
  • bearer-only : Tells the adapter to only accept bearer tokens through the Authorization header

Further documentation can found at Keycloak adapter config

Building The Services

The following should have already been done:

Gradle is used to create the deployment artifact

This will build the war file and copy it out to the vm’s shared  directory. Then:

That’s it. The services are now deployed at:

In the next post, we will review the cortex Angularjs application where we use the deployed services.