Author: Vijay Chintalapati Level: Intermediate Technologies: Infinispan, CDI, JAX-RS Summary: Learn how cache-level authentication and authorization works for Red Hat Data Grid in Library mode. Target Product: Red Hat Data Grid Product Versions: Red Hat Data Grid 7.3 or later, Red Hat JBoss Enterprise Application Platform 7.1 or later, Red Hat Single Sign-On Server 7.2 or later Source: https://github.com/jboss-developer/jboss-jdg-quickstarts
The secure-embedded-cache quickstart provides a demo application (webapp) that lets you read and write entries in an embedded cache with different user credentials.
- Java 8.0 (Java SDK 1.8) or later.
- Maven 3.0 or later. You must also configure Maven.
To run the demo application, you must install:
- Red Hat JBoss Enterprise Application Platform (EAP) 7.1 or later.
- Red Hat Single Sign-On (RH-SSO) Server 7.2.x.
- RH-SSO Client Adapter for JBoss EAP 7.
Download EAP and RH-SSO from the Red Hat Customer Portal.
To deploy the demo application, do the following:
- Open a command prompt and navigate to the root directory of this repository.
- Build and package the demo application.
$ mvn clean package -DskipTests- Set up your EAP server.
a. Start your local EAP server in Standalone mode.
- Linux: `${JBOSS_HOME}/bin/standalone.sh`
- Windows: `%JBOSS_HOME%\bin\standalone.bat`
b. Configure the keycloak subsystem in EAP:
$ mvn wildfly:execute-commandsc. Extract the Client Adapter archive into the root directory of your EAP installation and then run the following command:
$ ${JBOSS_HOME}/jboss-cli.sh --file=adapter-install-offline.cli- Set up your RH-SSO server.
a. Start the RH-SSO server with a port offset:
$ ${KEYCLOAK_HOME}/bin/standalone.sh -Djboss.socket.binding.port-offset=100b. Navigate to the RH-SSO Admin console at http://localhost:8180.
c. Create an admin user account with the following credentials:
- Username: __johndoe__
- Password: __password__
d. Install the realm, clients, roles, and users for the RH-SSO server.
$ export PATH=${KEYCLOAK_HOME}/bin:$PATH
$ ./keycloak-setup/install-demo-realm.she. Enter the password for johndoe when prompted.
- Deploy the demo application in your local EAP server.
$ mvn wildfly:deployYou should now be able to access the demo application at the following URL:
http://localhost:8080/jboss-secure-embedded-cache-quickstart/
The demo application lets you access cache content in a web browser. The cache entries are created with the Java API for RESTful Web Services (JAX-RS).
The demo application includes two users, reader and admin. To access the embedded cache in the demo application, you must authenticate as either of these users.
To demonstrate authorization, reader has only read permissions to the embedded cache while admin has both read and write permissions.
Note: The following steps are tested with Mozilla Firefox. If you are using a different browser, you might encounter issues logging in and out of the demo application with different users. To resolve issues with login, you can start a new browser session (Internet Explorer 6 or later) or restart your browser between logins.
To test authentication and authorization, do the following:
- Navigate to the demo application.
- Log in as reader with this password: Password_.
The demo application presents a form in your browser where you can perform cache operations.
- Attempt to add a string key/value pair to the cache.
You can see that the demo application displays messages that indicate that reader is not authorized for write operations.
- Log out and then refresh your browser to return to the demo application.
- Log in as admin with this password: Strong_password.
- Add five new string key/value pairs to the cache.
You can see that the demo application allows admin to perform write operations to the cache.
- Delete two of the entries that you created in the cache.
- Log out, refresh your browser, and then log in as reader.
- Verify that you can see the three cache entries you created as admin.
- Attempt to delete cache entries as reader.
Again, you can see that reader is not authorized to delete entries from the cache.
- Log out from the demo application.
This quickstart includes prepared unit tests that you can run as follows:
- Start your local EAP server in Standalone mode.
- Configure the keycloak subsystem.
$ mvn wildfly:execute-commands- Stop your local EAP server.
- Build and package the demo application.
$ mvn clean package -DskipTests- Start the RH-SSO server with a port offset.
$ ${KEYCLOAK_HOME}/standalone.sh -Djboss.socket.binding.port-offset=100- Run the unit tests.
$ mvn test -DeapHome=/path/to/server -Plibrary-tests