Security Options

John Ament edited this page Jul 17, 2017 · 2 revisions

Hammock provides a few optional security integrations, each shipped as a separate module.

Security SPI

This module provides interceptor-based checks to ensure that the caller is logged in to the system or holds a given role before a method is invoked.

    <dependency>
        <artifactId>security-spi</artifactId>
        <groupId>ws.ament.hammock</groupId>
        <version>${hammock.version}</version>
    </dependency>

JWT Processing

You can add JWT processing to your Hammock runtime as a preview of MicroProfile JWT RBAC. It is built on nimbus-jose-jwt. Any request that carries a JWT, either as a bearer token in the Authorization header or in an access_token query parameter, will be processed.

Configuration Options:

  • jwt.filter.uris: The URI patterns to apply JWT processing to. You may want it off in some areas of your application; by default it is bound to /*.
  • jwt.header.enabled: Defaults to true; whether Authorization header processing is enabled.
  • jwt.query.param.enabled: Defaults to true; whether query parameter processing is enabled. A token passed in the query string ends up in access logs, proxy logs, browser history and Referer headers, so disable this unless a client genuinely cannot send a header.
  • jwt.query.param.name: The name of the query parameter to read the token from. The default matches the OIDC spec and uses access_token.
  • jwt.processor: The fully qualified class name of the JWT processor to use. The default is SimpleJWTProcessor, which only parses the JWT and performs no validation at all: a caller can hand-craft a token with any subject and any roles and it will be accepted. It must not be used in production. A second processor is built in, ws.ament.hammock.jwt.processor.DefaultValidatingJWTProcessor, which verifies the signature using the properties below. Otherwise you can provide your own implementation of ws.ament.hammock.jwt.processor.JWTProcessor.

Options specific to DefaultValidatingJWTProcessor:

  • jwt.algorithm: The signing algorithm to accept. Defaults to HS256. The valid values are the JWS algorithm names (HS256, RS256, ES256 and so on). HS256 is an HMAC over a shared secret, so the JWK you supply must contain that secret and anyone who can read it can mint valid tokens; for tokens issued by an identity provider you will normally choose an asymmetric algorithm such as RS256 and point at the provider's public JWK set.
  • jwt.jwk.source.url: The URL to download the JWK(s) from when verifying signatures.
  • jwt.jwk.source.file: The file to read the JWK(s) from.

Note: one of jwt.jwk.source.url or jwt.jwk.source.file must be specified.

To add to your application use

    <dependency>
        <artifactId>security-jose</artifactId>
        <groupId>ws.ament.hammock</groupId>
        <version>${hammock.version}</version>
    </dependency>
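The difference between the parse-only default and a validating processor is easiest to see in code. The class below is an added example written directly against nimbus-jose-jwt; it is not Hammock's own DefaultValidatingJWTProcessor. It verifies the signature against a JWK set pinned to one algorithm, then checks the claims a parse-only processor never looks at (exp, iss, aud), and finally shows a forged payload being rejected. The issuer https://issuer.example, the audience hammock-app, the key id demo-kid and the HMAC secret are all constructed for the demo. Because the exact method signature of ws.ament.hammock.jwt.processor.JWTProcessor is not given on this page, the class exposes its own process(String) method rather than claiming to implement that interface.

```java
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/** Added example, not Hammock code: the checks a production JWT processor must make. */
public class ValidatingJwtProcessor {

    private final DefaultJWTProcessor<SecurityContext> nimbus = new DefaultJWTProcessor<>();
    private final String expectedIssuer;
    private final String expectedAudience;

    public ValidatingJwtProcessor(JWSAlgorithm alg, JWKSet keys, String issuer, String audience) {
        // Keys from a file or inline set; for a provider's published keys use
        // new RemoteJWKSet<>(new URL(...)) instead, which is what jwt.jwk.source.url implies.
        JWKSource<SecurityContext> source = new ImmutableJWKSet<>(keys);
        // Pinning the selector to one algorithm rejects a header claiming "none" or a
        // different alg before any key is consulted.
        nimbus.setJWSKeySelector(new JWSVerificationKeySelector<>(alg, source));
        this.expectedIssuer = issuer;
        this.expectedAudience = audience;
    }

    /** Returns the verified claims, or throws BadJOSEException if anything is wrong. */
    public JWTClaimsSet process(String token) throws BadJOSEException {
        JWTClaimsSet claims;
        try {
            // Parses, selects the key by kid/alg, verifies the signature and runs
            // Nimbus's default claims verifier (exp / nbf).
            claims = nimbus.process(token, null);
        } catch (ParseException | JOSEException e) {
            throw new BadJOSEException("token could not be parsed or verified", e);
        }
        // Policy checks a parse-only processor skips entirely.
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw new BadJOSEException("token has no exp or is expired");
        }
        if (!expectedIssuer.equals(claims.getIssuer())) {
            throw new BadJOSEException("unexpected issuer: " + claims.getIssuer());
        }
        if (claims.getAudience() == null || !claims.getAudience().contains(expectedAudience)) {
            throw new BadJOSEException("token not issued for this audience");
        }
        return claims;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret: 32 bytes, the minimum MACSigner accepts for HS256.
        byte[] secret = new byte[32];
        for (int i = 0; i < secret.length; i++) {
            secret[i] = (byte) (i * 7 + 3);
        }
        OctetSequenceKey key = new OctetSequenceKey.Builder(secret)
                .keyID("demo-kid").algorithm(JWSAlgorithm.HS256).build();
        JWKSet keys = new JWKSet(key); // keys.toJSONObject() is the shape a jwt.jwk.source.file holds

        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice")
                .issuer("https://issuer.example")
                .audience("hammock-app")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .claim("groups", Arrays.asList("admin"))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.HS256).keyID("demo-kid").build(), claims);
        jwt.sign(new MACSigner(secret));
        String token = jwt.serialize();

        ValidatingJwtProcessor processor =
                new ValidatingJwtProcessor(JWSAlgorithm.HS256, keys, "https://issuer.example", "hammock-app");
        System.out.println("accepted, subject = " + processor.process(token).getSubject());

        // Forgery attempt: genuine header and signature, swapped payload. A parse-only
        // processor would report sub=mallory; here the signature check fails.
        String[] parts = token.split("\\.");
        String forgedPayload = Base64.getUrlEncoder().withoutPadding().encodeToString(
                "{\"sub\":\"mallory\",\"iss\":\"https://issuer.example\",\"aud\":\"hammock-app\"}"
                        .getBytes(StandardCharsets.UTF_8));
        try {
            processor.process(parts[0] + "." + forgedPayload + "." + parts[2]);
            System.out.println("BUG: forged token accepted");
        } catch (BadJOSEException e) {
            System.out.println("forged token rejected: " + e.getMessage());
        }
    }
}
```

The equivalent Hammock configuration is jwt.processor set to ws.ament.hammock.jwt.processor.DefaultValidatingJWTProcessor, jwt.algorithm set to the algorithm your issuer actually signs with, one of jwt.jwk.source.url or jwt.jwk.source.file, and jwt.query.param.enabled=false unless query-string tokens are unavoidable.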

Keycloak Integration

You can integrate a Hammock application with Keycloak. It assumes that your backend is using JAX-RS (so far only tested with RESTEasy). Any request that includes an Authorization header with a Bearer token will be treated as carrying a JWT and authenticated against Keycloak.

Single Realm

If you're using a single realm, you can provide every configuration option that would go into AdapterConfig as a property, prefixed with keycloak. For example:

    keycloak.auth-server-url=http://localhost:8080/auth/
    keycloak.realm=master
    keycloak.resource=test-client
    keycloak.public-client=true
    keycloak.ssl-required=external

You can also set keycloak.config.file to point to a keycloak.json file with your configuration.

Multiple Realms

KeycloakConfiguration implements KeycloakConfigResolver, so if you need to select among multiple realms on a per-request basis, using Keycloak's native functionality, you can do that by providing an alternative implementation of KeycloakConfigResolver.
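An added example of such a resolver, not code from Hammock or Keycloak: it picks the realm from a request header, but only from a fixed allow-list, and caches the built KeycloakDeployment per realm because KeycloakDeploymentBuilder.build is expensive. The header name X-Tenant, the realms tenant-a and tenant-b, the client id test-client and the server URL are constructed for the demo, and wiring the class in as a CDI @Alternative is an assumption about how Hammock lets you replace KeycloakConfiguration. The allow-list matters: if the realm were taken from untrusted input unchecked, a caller could present a token from any realm on the server and have it accepted.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.interceptor.Interceptor;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;

/**
 * Added example: resolves the Keycloak realm per request from the X-Tenant header.
 * Registered as a CDI alternative (assumed wiring) so it replaces KeycloakConfiguration.
 */
@Alternative
@Priority(Interceptor.Priority.APPLICATION)
@ApplicationScoped
public class TenantKeycloakConfigResolver implements KeycloakConfigResolver {

    // Constructed demo values; in a real deployment these come from configuration.
    private static final String AUTH_SERVER_URL = "http://localhost:8080/auth/";
    private static final String CLIENT_ID = "test-client";
    private static final Set<String> KNOWN_REALMS = new HashSet<>(Arrays.asList("tenant-a", "tenant-b"));

    // One deployment per realm; building one parses config and sets up HTTP clients.
    private final Map<String, KeycloakDeployment> deployments = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = request.getHeader("X-Tenant");
        if (realm == null || !KNOWN_REALMS.contains(realm)) {
            // Unknown or missing tenant: hand back an unconfigured deployment, which the
            // Keycloak adapter refuses to authenticate against, instead of letting the
            // caller name an arbitrary realm.
            return new KeycloakDeployment();
        }
        return deployments.computeIfAbsent(realm, this::buildDeployment);
    }

    private KeycloakDeployment buildDeployment(String realm) {
        // Same fields the keycloak.* properties on this page map to, set per realm.
        AdapterConfig config = new AdapterConfig();
        config.setAuthServerUrl(AUTH_SERVER_URL);
        config.setRealm(realm);
        config.setResource(CLIENT_ID);
        config.setPublicClient(true);
        config.setSslRequired("external");
        return KeycloakDeploymentBuilder.build(config);
    }
}
```

Selecting the realm from a header is only safe when the header is set by something you control (a reverse proxy or gateway) or when, as here, the value is restricted to realms you have explicitly listed; deriving it from the hostname or a path prefix works the same way through HttpFacade.Request.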