0 Replies Latest reply on Mar 25, 2019 5:00 AM by tihomir.mescic

    How to secure JAX-WS SOAP services with Keycloak

    tihomir.mescic

      Hi all,

       

      This question is more related to Keycloak (and its integration with WildFly) than to WildFly itself, but it's related to WildFly, so I'm posting the question here also, in case someone has had the issue before...

       

      I have some SOAP services running on WildFly 13. These services are implemented using the @javax.jws.WebService annotation and are deployed as a JAR file containing the services and the EJBs with the backing implementation. The services are currently unsecured (public). I also have Keycloak 5.0 running on a different server.

       

      What I want to achieve:

      - add Keycloak integration to my SOAP layer, so that every SOAP request is validated, i.e. the JWT token that is sent in the Authorization header is validated

      - the validation is done offline (i.e. the Keycloak REST endpoint for token validation is not called every time)

       

      I tried using the WildFly Keycloak adapter:

      https://www.keycloak.org/docs/5.0/securing_apps/index.html#jboss-eap-wildfly-adapter

       

      However, it looks like this adapter can only work with WAR deployments (I have a JAR file and don't have the web.xml file at all).

       

      I'm also aware that I could use a SOAP Interceptor and validate the token online (by calling the REST endpoint on Keycloak), however, I'd like to avoid this for performance reasons.

       

      My question is:

      1. Is it possible to achieve what I need using the WildFly Keycloak adapter?

      2. If not, what would be the preferred way to do it?

       

      Thanks in advance,

      Tihomir
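
The offline check asked about above, as an added example that is not part of the original post or of the Keycloak adapter: it verifies an RS256-signed bearer token against a locally held realm public key, so no call to Keycloak is made per request. The class and method names, the issuer URL and the throwaway key pair are constructed for illustration; it assumes the realm key is loaded once at startup and the header value is handed over by a SOAP handler or interceptor.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.*;

public class OfflineJwtCheck {
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    // Simplified claim lookup to stay dependency-free; use a JSON parser in real code.
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}]+)").matcher(json);
        return m.find() ? m.group(1).trim() : "";
    }

    // Returns the verified payload JSON, or throws if the token must be rejected.
    static String verify(String authHeader, PublicKey realmKey, String issuer) throws Exception {
        if (authHeader == null || !authHeader.startsWith("Bearer ")) throw new SecurityException("no bearer token");
        String[] p = authHeader.substring(7).trim().split("\\.");
        if (p.length != 3) throw new SecurityException("malformed JWT");
        // Pin the algorithm: the token must not choose it (rejects "none" and HS256).
        if (!"RS256".equals(claim(utf8(p[0]), "alg"))) throw new SecurityException("unexpected alg");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(realmKey);
        sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(DEC.decode(p[2]))) throw new SecurityException("bad signature");
        String payload = utf8(p[1]);   // read claims only after the signature checks out
        String exp = claim(payload, "exp");
        if (!exp.matches("\\d+") || Long.parseLong(exp) <= Instant.now().getEpochSecond()) throw new SecurityException("expired");
        if (!issuer.equals(claim(payload, "iss"))) throw new SecurityException("wrong issuer");
        return payload;
    }
    static String utf8(String b64) { return new String(DEC.decode(b64), StandardCharsets.UTF_8); }
    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair stands in for the realm's signing key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String iss = "https://keycloak.example/auth/realms/demo";   // hypothetical issuer
        String body = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "."
            + b64("{\"iss\":\"" + iss + "\",\"exp\":" + (Instant.now().getEpochSecond() + 300) + "}");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(body.getBytes(StandardCharsets.US_ASCII));
        System.out.println(verify("Bearer " + body + "." + ENC.encodeToString(s.sign()), kp.getPublic(), iss));
    }
}
```

A production check would also validate the audience claim and reload the cached key when the realm's signing key is rotated.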