| == Camel Example Undertow Spring Security with Keycloak |
| |
| This example shows the undertow component with spring security using one of the supported authentication providers: *Keycloak* |
| |
| The example starts up a spring-boot application that is authenticated via bearer token with keycloak server. |
| |
| === Setting up a Keycloak server |
| |
| Running configured keycloak server is required for this demo. |
| |
| To prepare Keycloak server, use _docker-compose_ according the following |
| https://github.com/keycloak/keycloak-containers/tree/master/docker-compose-examples[examples]. |
| |
| After logging into the Administration Console of the keycloak server: |
| |
| * Create a realm using import (exported file _realm-export.json_ is prepared in the root of this example). |
| It will create realm "example-app", with client _example-service_ and roles _role01_ and _role02_. |
| * Create a user for each roles (_user01_ with role _role01_ and _user02_ with role _role02_). |
| |
| When the Keycloak server is configured and running, retrieve access tokens for both users. |
| |
| You can use following commands (use correct secrets and names) to retrieve both tokens: |
| |
| curl -d "client_id=example-service" -d "client_secret=<client-secret>" -d "username=<user01-name>" -d "password=<user01-password>" -d "grant_type=password" http://localhost:8080/auth/realms/<realm-name>/protocol/openid-connect/token | jq -r '.access_token' |
| |
| and |
| |
| curl -d "client_id=example-service" -d "client_secret=<client-secret>" -d "username=<user02-name>" -d "password=<user02-password>" -d "grant_type=password" http://localhost:8080/auth/realms/<realm-name>/protocol/openid-connect/token | jq -r '.access_token' |
| |
| Keep both generated tokens for later use. |
| |
| === Running the example |
| |
| Now that everything is set up, you can run the example using |
| |
| ---- |
| mvn spring-boot:run |
| ---- |
| |
| _Notice that route contains allowedRoles parameter with value `role02`._ |
| |
| You can verify that the endpoint (_http://localhost:8082/hi_) is secured with the Keycloak server |
| by executing following requests: |
| |
| * Request without authentication token returns _401 Unauthorized_ |
| |
| curl -I -X GET http://localhost:8082/hi |
| |
| * Request with the token for _user01_ (with _role01_) returns _403 Forbidden_ |
| |
| curl -I -X GET -H "Authorization: Bearer <user01-token>" http://localhost:8082/hi |
| |
| * Request with the token for _user02_ (with _role02_) returns _200 OK_ and you can see a message |
| in application console log: "_Hello <user01-name>!_" |
| |
| curl -I -X GET -H "Authorization: Bearer <user02-token>" http://localhost:8082/hi |
| |
| |
| === Help and contributions |
| |
| If you hit any problem using Camel or have some feedback, then please |
| https://camel.apache.org/support.html[let us know]. |
| |
| We also love contributors, so |
| https://camel.apache.org/contributing.html[get involved] :-) |
| |
| The Camel riders! |