[keycloak-dev] resource excludes in web.xml not working in latest master build

Bill Burke bburke at redhat.com
Mon Dec 22 15:31:39 EST 2014


You fix one problem but introduce another. 
ServletRequest.authenticate() will fail with your fix because of the way 
Undertow works.  It expects that all auth mechanisms are attempted and 
any challenges queued up just in case ServletRequest.authenticate() is 
invoked.

Your problem is that posts are eaten on unsecured requests?  What I need 
to do is to do the request saving in the challenge callback.

On 12/20/2014 8:34 AM, Michael Gerber wrote:
> I created a small demo app to show you what I meant:
> https://github.com/gerbermichi/keycloak/tree/master/examples/demo-template/rest-resources
>
> As you can see, keycloak consumes the post data during the
> authentication step, which is wrong, because the resource should be
> public (without any authentication)
>
> curl -X POST -H "Content-Type: text/plain"
> http://localhost:8080/rest-resources/public -d 'hello world'
> You said:
>
> My previous bug fix for this problem was wrong, but I think my latest
> changes in the RequestAuthenticator class would solve this problem.
> You can find all my changes here:
> https://github.com/gerbermichi/keycloak/commit/512a68c5fa405567fe56968b5fdd9bb51eeb3316
>
> curl -X POST -H "Content-Type: text/plain"
> http://localhost:8080/rest-resources/public -d 'hello world'
> You said: hello world
>
> The only question is, how to implement the
> protected abstract boolean isAuthenticationRequired();
> method correctly in the JettyRequestAuthenticator
> and CatalinaRequestAuthenticator class.
>
>
>
>> On 19.12.2014 at 17:03, Michael Gerber <gerbermichi at me.com> wrote:
>>
>> Hi all,
>>
>> I created today a build from the latest master branch and struggled
>> with the following problem.
>> I've got some REST services which are excluded from keycloak, so I can
>> access them without a logged in user. (see detail from web.xml)
>> The request body in these POST REST services was always empty. I
>> found out that my WildFly tried to authenticate all requests.
>> The tokenStore.saveRequest() method in the OAuthRequestAuthenticator
>> class read the inputStream and so it was empty later on.
>>
>> I don't understand why all my requests are authenticated, even when
>> they are excluded through the web.xml file.
>> So, I added the following lines in the ServletKeycloakAuthMech class
>> in the authenticate method: (see
>> https://github.com/gerbermichi/keycloak/commit/1eaafcd3d9ad4082429ab500a4512c87d47ed75c)
>> if (!deployment.isConfigured() || !securityContext.isAuthenticationRequired()) {
>>     return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
>> }
>>
>> This hack solved all my problems. Is this a bug and should I create a
>> pull request? Or are there some problems in my project configuration?
>>
>> Detail from my web.xml file:
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Client WS</web-resource-name>
>>             <url-pattern>/clientws/*</url-pattern>
>>         </web-resource-collection>
>>         <web-resource-collection>
>>             <web-resource-name>Client Exchange WS</web-resource-name>
>>             <url-pattern>/services/exchange/*</url-pattern>
>>         </web-resource-collection>
>>         <user-data-constraint>
>>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>         </user-data-constraint>
>>     </security-constraint>
>>
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>All</web-resource-name>
>>             <url-pattern>/*</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>myRole</role-name>
>>         </auth-constraint>
>>         <user-data-constraint>
>>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>         </user-data-constraint>
>>     </security-constraint>
>>
>>     <login-config>
>>         <auth-method>KEYCLOAK</auth-method>
>>         <realm-name>myRealm</realm-name>
>>     </login-config>
>>
>>     <security-role>
>>         <role-name>myRole</role-name>
>>     </security-role>
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
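The defect and the fix Bill describes can be shown in a few lines, as an added example that is not Keycloak or Undertow code. The names Request, TokenStore, Outcome, Challenge and dispatch are hypothetical stand-ins for the servlet request, the adapter's token store, the auth mechanism outcome, the queued challenge and the container's security handling; the sample POST body is constructed to match the curl command in the thread. The eager variant calls saveRequest() before any decision and so consumes the one-shot body stream on every unauthenticated request, which is why a public resource later sees nothing. The deferred variant still lets the mechanism be attempted on every request (as Undertow expects, so ServletRequest.authenticate() can still raise the challenge later) but moves the saving into the challenge callback, so the body is only read when a protected resource actually sends a challenge.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added example, not Keycloak or Undertow code: a minimal model of the defect
// discussed in this thread. Request, TokenStore, Outcome, Challenge and
// dispatch are hypothetical stand-ins for the real servlet/adapter classes.
public class DeferredRequestSaving {

    /** One-shot body stream, like a servlet request's input stream. */
    static final class Request {
        final String path;
        private final InputStream body;
        Request(String path, String body) {
            this.path = path;
            this.body = new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8));
        }
        String readBody() throws IOException {
            return new String(body.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /** Saving a request for post-login replay means reading (consuming) its body. */
    static final class TokenStore {
        final List<String> savedBodies = new ArrayList<>();
        void saveRequest(Request r) throws IOException {
            savedBodies.add(r.readBody());
        }
    }

    /** A queued challenge; the container decides later whether to send it. */
    interface Challenge {
        void send() throws IOException;
    }

    /** Mechanism outcome: either authenticated, or a challenge queued for later. */
    static final class Outcome {
        final boolean authenticated;
        final Challenge challenge;
        Outcome(boolean authenticated, Challenge challenge) {
            this.authenticated = authenticated;
            this.challenge = challenge;
        }
    }

    /** Eager variant (the defect): the body is saved before any decision is made. */
    static Outcome eagerAuthenticate(Request r, TokenStore store, boolean hasToken) throws IOException {
        if (hasToken) {
            return new Outcome(true, null);
        }
        store.saveRequest(r);                 // consumes the body on every unauthenticated request
        return new Outcome(false, () -> { }); // the challenge has nothing left to save
    }

    /** Fixed variant: the mechanism is still attempted on every request, but the
     *  saving lives in the challenge callback, so only a sent challenge reads the body. */
    static Outcome deferredAuthenticate(Request r, TokenStore store, boolean hasToken) {
        if (hasToken) {
            return new Outcome(true, null);
        }
        return new Outcome(false, () -> store.saveRequest(r));
    }

    /** Container side: public paths never send the challenge; protected ones do. */
    static String dispatch(Request r, boolean isPublic, Outcome o) throws IOException {
        if (isPublic || o.authenticated) {
            return "200 You said: " + r.readBody(); // the resource reads the body itself
        }
        o.challenge.send();                         // e.g. redirect to the login page
        return "302 redirect to login";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the POST from the thread against a public path, no token.
        TokenStore eagerStore = new TokenStore();
        Request r1 = new Request("/rest-resources/public", "hello world");
        System.out.println("eager,    public:    " + dispatch(r1, true, eagerAuthenticate(r1, eagerStore, false)));

        TokenStore store = new TokenStore();
        Request r2 = new Request("/rest-resources/public", "hello world");
        System.out.println("deferred, public:    " + dispatch(r2, true, deferredAuthenticate(r2, store, false)));

        // Same POST against a protected path: the challenge is sent and saves the body for replay.
        Request r3 = new Request("/rest-resources/secured", "hello world");
        System.out.println("deferred, protected: " + dispatch(r3, false, deferredAuthenticate(r3, store, false)));
        System.out.println("saved for replay:    " + store.savedBodies);
    }
}
```

Running main shows the eager variant handing the public handler an empty body, while the deferred variant preserves it; only the protected request populates the token store, because only that request's challenge is ever sent. The check a practitioner wants on a real deployment is the same as Michael's: POST a body to an excluded path and confirm the resource echoes it back.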

