3 Replies Latest reply on Dec 4, 2019 4:47 AM by axeleast

    How to use keycloak authentication for ejb remote client with wildfly elytron security?


      I've some web application which authenticates on Keycloak and call EJBs. The security in Wildfly is configured with Elytron and the security context is propagated correctly between web and EJB.


      Now I've to write a java client (desktop application) which have to call the same EJBs on the server using Wildfly http+remoting. I suppose I need to configure SASL authentication against Keycloak on Wildfly, probably using oauth bearer token obtained by java client logging in with Keycloak.


      I can't find any information about how to configure SASL with Keycloak on Wildfly. Does someone have some hit about that?

        • 1. Re: How to use keycloak authentication for ejb remote client with wildfly elytron security?

          I was researching a similar use case today. The information available online about this is pretty sparse but perhaps the following will be helpful:


          As you already mentioned, the remote EJB calls use the remoting subsystem. The remoting connectors use /server/management/security-realms for authentication and authorization instead of the security-realms in the Elytron subsystem. The authenticators included in the Keycloak adapters, however, seem to be geared towards the Elytron security system, so no configuration I tried worked out of the box.


          Fortunately you can just write a small custom authenticator that delegates everything to the existing Keycloak adapters. You can find a pretty comprehensive guide on writing an authentication/ authorization plugin here: https://docs.wildfly.org/14/Admin_Guide.html#Security_Realms_Plugins  and some documentation on Keycloak Login Modules this works with here: https://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/jaas.html


          Here is a small spaghetti-coded proof of concept. You will have to install the two below classes as a module on Wildfly. (as described in the first link)

          The keycloak.json file referenced in the standalone.xml is generated by Keycloak (Client > Installation in the web interface)

          import java.io.IOException;
          import java.security.Principal;
          import java.util.Map;
          import javax.security.auth.Subject;
          import javax.security.auth.callback.Callback;
          import javax.security.auth.callback.CallbackHandler;
          import javax.security.auth.callback.NameCallback;
          import javax.security.auth.callback.PasswordCallback;
          import javax.security.auth.callback.TextOutputCallback;
          import javax.security.auth.callback.UnsupportedCallbackException;
          import javax.security.auth.login.LoginException;
          import org.jboss.as.domain.management.plugin.AbstractPlugIn;
          import org.jboss.as.domain.management.plugin.AuthorizationPlugIn;
          import org.jboss.as.domain.management.plugin.Credential;
          import org.jboss.as.domain.management.plugin.Identity;
          import org.jboss.as.domain.management.plugin.ValidatePasswordCredential;
          import org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule;
          public class KeycloakManagementAuthenticator extends AbstractPlugIn {
              private DirectAccessGrantsLoginModule keycloakDelegate = new DirectAccessGrantsLoginModule();
              private Map<String, String> configuration;
              public void init(Map<String, String> configuration, Map<String, Object> sharedState) throws IOException {
                  this.configuration = configuration;
                  // This will allow an AuthorizationPlugIn to delegate back to this instance.
                  sharedState.put(AuthorizationPlugIn.class.getName(), this);
              public Identity loadIdentity(final String userName, String realm) throws IOException {
                  System.out.println("loadIdentity for " + userName + "@" + realm);
                  return new SampleIdentity(userName, realm);
              public String[] loadRoles(String userName, String realm) throws IOException {
                  return new String[0];
              private class SampleIdentity implements Identity {
                  private final String userName;
                  private final Credential credential;
                  private SampleIdentity(final String userName, final String password) {
                      System.out.println("creating new SampleIdentity");
                      this.userName = userName;
                      this.credential = new ValidatePasswordCredential() {
                          public boolean validatePassword(final char[] password) {
                              System.out.println("SampleIdentity: validating password: " + String.valueOf(password));
                              try {
                                  Subject subject = new Subject();
                                  subject.getPrincipals().add(new Principal() {
                                      private final String name = userName;
                                      public String getName() {
                                          return name;
                                  System.out.println("assembeled subject");
                                  CallbackHandler callbackHandler = new CallbackHandler() {
                                      public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                                          for (int i = 0; i < callbacks.length; i++) {
                                              if (callbacks[i] instanceof TextOutputCallback) {
                                                  // display the message according to the specified type
                                                  TextOutputCallback toc = (TextOutputCallback) callbacks[i];
                                                  switch (toc.getMessageType()) {
                                                      case TextOutputCallback.INFORMATION:
                                                      case TextOutputCallback.ERROR:
                                                          System.out.println("ERROR: " + toc.getMessage());
                                                      case TextOutputCallback.WARNING:
                                                          System.out.println("WARNING: " + toc.getMessage());
                                                          throw new IOException("Unsupported message type: "
                                                                  + toc.getMessageType());
                                              } else if (callbacks[i] instanceof NameCallback) {
                                                  // prompt the user for a username
                                                  NameCallback nc = (NameCallback) callbacks[i];
                                                  // ignore the provided defaultName
                                              } else if (callbacks[i] instanceof PasswordCallback) {
                                                  // prompt the user for sensitive information
                                                  PasswordCallback pc = (PasswordCallback) callbacks[i];
                                              } else {
                                                  throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
                                  System.out.println("before init keycloak delegate");
                                  keycloakDelegate.initialize(subject, callbackHandler, sharedState, configuration);
                                  System.out.println("before login");
                                  boolean result = keycloakDelegate.login();
                                  System.out.println("after login: " + result);
                                  return result;
                              } catch (LoginException ex) {
                                  System.out.println("Login Exception");
                                  return false;
                  public String getUserName() {
                      return userName;
                  public Credential getCredential() {
                      return credential;
          import org.jboss.as.domain.management.plugin.AuthenticationPlugIn;
          import org.jboss.as.domain.management.plugin.AuthorizationPlugIn;
          import org.jboss.as.domain.management.plugin.Credential;
          import org.jboss.as.domain.management.plugin.PlugInProvider;
          public class KeycloakManagementPluginProvider implements PlugInProvider{
              public AuthenticationPlugIn<Credential> loadAuthenticationPlugIn(String name) {
                  if ("Keycloak".equals(name)) {
                      return new KeycloakManagementAuthenticator();
                  return null;
              public AuthorizationPlugIn loadAuthorizationPlugIn(String name) {
                  if ("Keycloak".equals(name)) {
                      return new KeycloakManagementAuthenticator();
                  return null;



          <?xml version="1.0" encoding="UTF-8"?>
          <module xmlns="urn:jboss:module:1.1" name="my.keycloak.auth.module">
                  <resource-root path="KeycloakManagementAuthenticator-1.0.0.jar"/>
                  <module name="org.jboss.as.domain-management" />
                  <module name="org.keycloak.keycloak-adapter-core" />



                    <security-realm name="KeycloakRealm">
                          <plug-in module="my.keycloak.auth.module">          
                              <plug-in name="Keycloak" mechanism="PLAIN">
                              <property name="keycloak-config-file" value="/path/to/keycloak.json"></property>
                  <subsystem xmlns="urn:jboss:domain:remoting:4.0">
                      <http-connector name="http-remoting-connector" connector-ref="default" security-realm="KeycloakRealm"/>



          This approach certainly needs some adjustments since, among other atrocities, it currently sends the plain credentials via http but it was the first proof of concept that worked for me.


          Currently this works with user/pass but you should be able to switch to bearer tokens by simply delegating to org.keycloak.adapters.jaas.BearerTokenLoginModule instead of org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule.


          Would appreciate any hints if you come up with a better solution.

          • 2. Re: How to use keycloak authentication for ejb remote client with wildfly elytron security?

            Hi Stephan,

            thanks for your answer, but in my Wildfly configuration I completely disabled legacy security, so your approach which use JAAS is not suitable for me.

            After a lot of deep dive into elytron code and searches in forum, I was able to configure ejb client and server to authenticate using JWT bearer token.

            The most useful blog articles that put me in the right direction are:

            • 3. Re: How to use keycloak authentication for ejb remote client with wildfly elytron security?

              Hi Marco,

              did you manage to secure the JNDI lookup of EJBs with the BEARER_TOKEN mechnism?

              With the links you provided i managed to secure HTTP connection, but am at a loss when it comes to lookup of EJBs. Any pointers to the right direction would be appreciated!