tomee-users mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: protect endpoint with basic auth
Date Wed, 22 Aug 2018 14:01:25 GMT
Hi Matthew,

Tomcat does that because the spec does (even if several people ask to break
that limitation, it is not yet done at the servlet spec level).
That said, to secure a REST endpoint you just need a filter in your app and
implement the security login in there. You can delegate to the container
(request.login()/request.logout()) or not, depending on what you want to do.
MP JWT Auth typically uses that:
https://github.com/apache/geronimo-jwt-auth/blob/master/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Wed, 22 Aug 2018 at 15:55, Matthew Broadhead
<matthew.broadhead@nbmlaw.co.uk.invalid> wrote:

> My webapp already has a login-config set to Keycloak in web.xml, so AFAIK
> I cannot define any other security configs there.  Why doesn't Tomcat
> allow multiple security methods?
> <login-config>
>      <auth-method>KEYCLOAK</auth-method>
>      <realm-name>secure</realm-name>
> </login-config>
>
> Is there another way to protect a JAX-RS endpoint using basic auth
> without having to create another webapp?  I read something about valves...
>
>
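
The filter approach described in the reply above, as an added example (not code from the thread or from the Geronimo filter it links to): a servlet filter that enforces Basic auth on one path and delegates the credential check to the container. The class name, URL pattern and realm label are hypothetical, and it assumes the javax.servlet API and a container realm that accepts username/password through request.login().

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the URL pattern and realm label are assumptions, not from the thread.
@WebFilter(urlPatterns = "/api/internal/*")
public class BasicAuthFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;
        String header = request.getHeader("Authorization");
        // Scheme names are case-insensitive; anything other than Basic gets a challenge.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            challenge(response);
            return;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int sep = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
            if (sep < 0) throw new IllegalArgumentException("missing ':' separator");
            // Delegates to the container realm; throws ServletException if the credentials
            // are rejected or the request already carries an authenticated principal.
            request.login(decoded.substring(0, sep), decoded.substring(sep + 1));
        } catch (IllegalArgumentException | ServletException e) {
            challenge(response); // malformed header or failed login: same response either way
            return;
        }
        try {
            chain.doFilter(request, response);
        } finally {
            request.logout(); // per-request auth: do not leave the principal bound
        }
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"internal\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Basic credentials are only base64-encoded, so the protected path should be reachable over TLS only.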
