Add example for custom JAXRS filter

keycloak/extensions/src/main/java/com/github/thomasdarimont/keycloak/custom/authz/filter/AcmeAccessFilter.java

@@ -0,0 +1,78 @@
+package com.github.thomasdarimont.keycloak.custom.authz.filter;
+
+import jakarta.ws.rs.NotAuthorizedException;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.container.ContainerRequestFilter;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.UriInfo;
+import lombok.extern.jbosslog.JBossLog;
+import org.keycloak.common.util.Encode;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.services.managers.AppAuthManager;
+import org.keycloak.services.managers.AuthenticationManager;
+import org.keycloak.services.managers.RealmManager;
+import org.keycloak.services.resources.admin.AdminAuth;
+import org.keycloak.services.resources.admin.AdminRoot;
+
+import java.io.IOException;
+import java.net.URI;
+
+@JBossLog
+//@Provider // uncomment this to activate the filter
+public class AcmeAccessFilter implements ContainerRequestFilter {
+
+
+    @Override
+    public void filter(ContainerRequestContext requestContext) throws IOException {
+
+        UriInfo uriInfo = requestContext.getUriInfo();
+
+        URI requestUri = uriInfo.getRequestUri();
+        String path = requestContext.getUriInfo().getPath();
+
+        // TODO add custom filter logic here
+    }
+
+    /**
+     * Taken from {@link AdminRoot#authenticateRealmAdminRequest(HttpHeaders)}
+     *
+     * @param session
+     * @param headers
+     * @return
+     */
+    private AdminAuth authenticateRealmAdminRequest(KeycloakSession session, HttpHeaders headers) {
+        String tokenString = AppAuthManager.extractAuthorizationHeaderToken(headers);
+        if (tokenString == null) throw new NotAuthorizedException("Bearer");
+        AccessToken token;
+        try {
+            JWSInput input = new JWSInput(tokenString);
+            token = input.readJsonContent(AccessToken.class);
+        } catch (JWSInputException e) {
+            throw new NotAuthorizedException("Bearer token format error");
+        }
+        String realmName = Encode.decodePath(token.getIssuer().substring(token.getIssuer().lastIndexOf('/') + 1));
+        RealmManager realmManager = new RealmManager(session);
+        RealmModel realm = realmManager.getRealmByName(realmName);
+        if (realm == null) {
+            throw new NotAuthorizedException("Unknown realm in token");
+        }
+        session.getContext().setRealm(realm);
+
+        AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session)
+                .setRealm(realm)
+                .setConnection(session.getContext().getConnection())
+                .setHeaders(headers)
+                .authenticate();
+
+        if (authResult == null) {
+            log.debug("Token not valid");
+            throw new NotAuthorizedException("Bearer");
+        }
+
+        return new AdminAuth(realm, authResult.getToken(), authResult.getUser(), authResult.getClient());
+    }
+}