[keycloak-user] Noob question -- 'forbidden' on demo after redirect
Walter Rice
walterrrice at gmail.com
Sat Feb 14 04:40:42 EST 2015
Hi Bill,
Full scope allowed: ON
I changed this to off then added user and admin roles... same result
I realise it's probably a silly mistake on my part! But I just can't see it...
If I click *customer admin interface* I get the following:

Customer Admin Interface
User *96cfdfd1-ba0d-480a-9a80-18ec830391fe* made this request.

Admin REST To Get Role List of Realm
There was a failure processing request. You either didn't configure Keycloak properly Status from database service invocation was: 404
/Brian
On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke <bburke at redhat.com> wrote:
> Go to the admin console. Go to your application definition. Go to the
> scope tab. What does it say?
>
>
> On 2/13/2015 8:04 PM, Walter Rice wrote:
>
>> Hi Bill,
>>
>> Thanks for the reply. I dunno! I followed the video to the letter....
>> below is my web.xml for customer-portal. Apologies for noob qn but how
>> do i check application scope?...
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>> version="3.0">
>>
>> <module-name>customer-portal</module-name>
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Admins</web-resource-name>
>> <url-pattern>/admin/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>admin</role-name>
>> </auth-constraint>
>> </security-constraint>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Customers</web-resource-name>
>> <url-pattern>/customers/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>user</role-name>
>> </auth-constraint>
>> </security-constraint>
>>
>> <!--
>> <security-constraint>
>> <web-resource-collection>
>> <url-pattern>/*</url-pattern>
>> </web-resource-collection>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint> -->
>>
>> <login-config>
>> <auth-method>KEYCLOAK</auth-method>
>> <realm-name>cryo198</realm-name>
>> </login-config>
>>
>> <security-role>
>> <role-name>admin</role-name>
>> </security-role>
>> <security-role>
>> <role-name>user</role-name>
>> </security-role>
>> </web-app>
>>
>>
>> On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke <bburke at redhat.com
>> <mailto:bburke at redhat.com>> wrote:
>>
>> You don't have constraints set up correctly in web.xml? You don't have
>> the appropriate scope for the application set up?
>>
>> On 2/13/2015 4:47 PM, Walter Rice wrote:
>> > Hi,
>> >
>> > I am trying to set up the demo as per the youtube videos (#1 and
>> #2). I
>> > am using keycloak 1.0.5. I have set up per the video (i think),
>> however
>> > things aren't working as expected.
>> >
>> > I browse to http://localhost:8080/customer-portal/ and all is fine.
>> I
>>
>> > click Customer Listing and I am redirected to login page as
>> expected. I
>> > enter my name/pw , this is successful and then I am redirected back
>> to
>> >http://localhost:8080/customer-portal/customers/view.jsp but the
>> page is
>> > 'Forbidden' (redirect uri appears ok here?)
>> >
>> > I am using the 'full' version with bundled wildfly server.
>> >
>> >
>> >
>> > *customer app:*
>> > keycloak file
>> >
>> > {
>> > "realm": "cryo198",
>> > "realm-public-key":
>> > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYe
>> sXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg
>> 2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/
>> 4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>> > "auth-server-url": "http://localhost:8080/auth",
>> > "ssl-required": "external",
>> > "resource": "customer-portal",
>> > "credentials": {
>> > "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
>> > }
>> > }
>> >
>> > *web.xml*
>> > <login-config>
>> > <auth-method>KEYCLOAK</auth-method>
>> > <realm-name>cryo198</realm-name>
>> > </login-config>
>> >
>> > *redirect URI:*
>> > /customer-portal/*
>> >
>> > *database app:*
>> > {
>> > "realm": "cryo198",
>> > "realm-public-key":
>> > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYe
>> sXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg
>> 2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/
>> 4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>> > "auth-server-url": "http://localhost:8080/auth",
>> > "ssl-required": "NONE",
>> > "resource": "database",
>> > "bearer-only": "true"
>> > }
>> >
>> >
>> >
>> > *web.xml*
>> > <login-config>
>> > <auth-method>KEYCLOAK</auth-method>
>> > <realm-name>cryo198</realm-name>
>> > </login-config>
>> >
>> > *redirect URI:*
>> > n./a ..set as bearer only
>> >
>> > *deployed apps:*
>> > $
>> > /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-
>> appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh
>> > -c --command="deploy -l"
>> > NAME RUNTIME-NAME ENABLED STATUS
>> > admin-access.war admin-access.war true OK
>> > angular-product.war angular-product.war true OK
>> > auth-server.war auth-server.war true OK
>> > customer-portal-js.war customer-portal-js.war true OK
>> > customer-portal.war customer-portal.war true OK
>> > database.war database.war true OK
>> > product-portal.war product-portal.war true OK
>> >
>> >
>> >
>> >
>> >
>> >
>> > *Log:*
>> > 2015-02-13 21:22:29,665 DEBUG
>> > [org.keycloak.adapters.PreAuthActionsHandler] (default task-41)
>> > adminRequest http://localhost:8080/customer-portal/custo
>> > mers/view.jsp
>> > 2015-02-13 21:22:29,667 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-41) -->
>> > authenticate()
>> > 2015-02-13 21:22:29,668 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-41)
>> try bearer
>> > 2015-02-13 21:22:29,669 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-41)
>> try oauth
>> > 2015-02-13 21:22:29,669 DEBUG
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-41)
>> session
>> > was null, returning null
>> > 2015-02-13 21:22:29,670 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-41)
>> > there was no code
>> > 2015-02-13 21:22:29,670 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-41)
>> > redirecting to auth server
>> > 2015-02-13 21:22:29,671 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-41)
>> > callback uri: http://localhost:8080/customer-portal/
>> > customers/view.jsp
>> > 2015-02-13 21:22:29,672 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-41)
>> > Sending redirect to login page: http://localhost:808
>> >
>> 0/auth/realms/cryo198/tokens/login?client_id=customer-
>> portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%
>> 2Fcustomer-portal%2Fcustomers%2Fview.jsp&state
>> > =2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
>> > 2015-02-13 21:22:29,701 DEBUG
>> > [org.keycloak.services.resources.TokenService] (default task-42)
>> > replacing relative valid redirect with: http://localhos
>> > t:8080/customer-portal/*
>> > 2015-02-13 21:22:29,702 DEBUG
>> > [org.keycloak.services.managers.AuthenticationManager] (default
>> task-42)
>> > Could not find cookie: KEYCLOAK_IDENTITY
>> > 2015-02-13 21:22:46,300 DEBUG
>> > [org.keycloak.services.resources.TokenService] (default task-43)
>> > replacing relative valid redirect with: http://localhos
>> > t:8080/customer-portal/*
>> > 2015-02-13 21:22:46,301 DEBUG
>> > [org.keycloak.services.managers.AuthenticationManager] (default
>> task-43)
>> > validating password for user: walt
>> > 2015-02-13 21:22:46,306 DEBUG
>> > [org.keycloak.services.managers.AuthenticationManager] (default
>> task-43)
>> > Expiring remember me cookie
>> > 2015-02-13 21:22:46,307 DEBUG
>> > [org.keycloak.services.managers.AuthenticationManager] (default
>> task-43)
>> > Expiring cookie: KEYCLOAK_REMEMBER_ME path: /au
>> > th/realms/cryo198
>> > 2015-02-13 21:22:46,308 DEBUG
>> > [org.keycloak.services.resources.flows.OAuthFlows] (default
>> task-43)
>> > processAccessCode: isResource: true
>> > 2015-02-13 21:22:46,308 DEBUG
>> > [org.keycloak.services.resources.flows.OAuthFlows] (default
>> task-43)
>> > processAccessCode: go to oauth page?: false
>> > 2015-02-13 21:22:46,329 DEBUG
>> > [org.keycloak.services.resources.flows.OAuthFlows] (default
>> task-43)
>> > redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b99
>> > 0-1b32ccabb2e8
>> > 2015-02-13 21:22:46,340 DEBUG
>> > [org.keycloak.services.managers.AuthenticationManager] (default
>> task-43)
>> > Create login cookie - name: KEYCLOAK_IDENTITY,
>> > path: /auth/realms/cryo198, max-age: -1
>> > 2015-02-13 21:22:46,387 DEBUG
>> > [org.keycloak.adapters.PreAuthActionsHandler] (default task-44)
>> > adminRequest http://localhost:8080/customer-portal/custo
>> >
>> mers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.
>> OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%
>> 2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
>> > 2015-02-13 21:22:46,388 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-44) -->
>> > authenticate()
>> > 2015-02-13 21:22:46,389 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-44)
>> try bearer
>> > 2015-02-13 21:22:46,389 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-44)
>> try oauth
>> > 2015-02-13 21:22:46,389 DEBUG
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-44)
>> session
>> > was null, returning null
>> > 2015-02-13 21:22:46,390 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-44)
>> > there was a code, resolving
>> > 2015-02-13 21:22:46,390 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-44)
>> > checking state cookie for after code
>> > 2015-02-13 21:22:46,390 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-44) **
>> > reseting application state cookie
>> > 2015-02-13 21:22:46,477 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-44)
>> > Token Verification succeeded!
>> > 2015-02-13 21:22:46,478 DEBUG
>> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-44)
>> > successful authenticated
>> > 2015-02-13 21:22:46,478 TRACE
>> > [org.keycloak.adapters.RefreshableKeycloakSecurityContext]
>> (default
>> > task-44) checking whether to refresh.
>> > 2015-02-13 21:22:46,478 TRACE
>> > [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
>> > task-44) use realm role mappings
>> > 2015-02-13 21:22:46,479 DEBUG
>> > [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator]
>> (default
>> > task-44) propagate security context to wildfly
>> > 2015-02-13 21:22:46,481 TRACE
>> > [org.keycloak.adapters.RefreshableKeycloakSecurityContext]
>> (default
>> > task-44) checking whether to refresh.
>> > 2015-02-13 21:22:46,484 DEBUG
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-44)
>> AUTHENTICATED
>> > 2015-02-13 21:22:46,502 DEBUG
>> > [org.keycloak.adapters.PreAuthActionsHandler] (default task-46)
>> > adminRequest http://localhost:8080/customer-portal/custo
>> > mers/view.jsp
>> > 2015-02-13 21:22:46,505 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-46) -->
>> > authenticate()
>> > 2015-02-13 21:22:46,506 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-46)
>> try bearer
>> > 2015-02-13 21:22:46,506 TRACE
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-46)
>> try oauth
>> > 2015-02-13 21:22:46,507 DEBUG
>> > [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
>> > task-46) session is active
>> > 2015-02-13 21:22:46,508 DEBUG
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-46)
>> Cached
>> > account found
>> > 2015-02-13 21:22:46,508 DEBUG
>> > [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator]
>> (default
>> > task-46) propagate security context to wildfly
>> > 2015-02-13 21:22:46,509 DEBUG
>> > [org.keycloak.adapters.RequestAuthenticator] (default task-46)
>> > AUTHENTICATED: was cached
>> > 2015-02-13 21:22:46,510 DEBUG
>> > [org.keycloak.adapters.AuthenticatedActionsHandler] (default
>> task-46)
>> > AuthenticatedActionsValve.invoke http://localhost:
>> > 8080/customer-portal/customers/view.jsp
>> >
>> >
>> > Many thanks
>> > W
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.
>> jboss.org>
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
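
Added example, not part of the thread and not Keycloak's own code: a diagnostic for the "authenticated, then Forbidden" case above, comparing the roles a path requires under the quoted web.xml with the realm roles carried in an access token. The `realm_access.roles` claim layout, the helper names and the unsigned sample token are assumptions for illustration; only exact and `/prefix/*` url-patterns are handled.

```python
import base64, json
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}
# Constructed sample: the two role constraints from the web.xml quoted in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
 <security-constraint>
  <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/customers/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def rank(pattern, path):
    """Servlet-style match rank: exact beats the longest /prefix/*; 0 means no match."""
    if pattern == path:
        return 10**6
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return len(pattern)
    return 0

def required_roles(web_xml, path):
    """Roles named by the best-matching constraint(s); None if the path is unconstrained."""
    hits = []
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        ac = sc.find("j:auth-constraint", NS)
        if ac is None: continue  # transport-only constraint: no role requirement
        found = {r.text.strip() for r in ac.findall("j:role-name", NS)}
        hits += [(rank(p.text.strip(), path), found) for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
    top = max((r for r, _ in hits), default=0)
    if not top: return None
    return set().union(*(f for r, f in hits if r == top))

def realm_roles(jwt):
    """Realm roles from the token payload. Diagnostic only: the signature is not checked."""
    body = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return set(claims.get("realm_access", {}).get("roles", []))

def decide(web_xml, path, jwt):  # status for a caller who has already authenticated
    need = required_roles(web_xml, path)
    return 200 if need is None or need & realm_roles(jwt) else 403

def sample_token(roles):  # constructed, unsigned token carrying only the roles claim
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"realm_access": {"roles": roles}}), "x"])
```

A token with an empty role list yields 403 on `/customers/view.jsp` even though login succeeded, which is the symptom in the log; the same token passes on unconstrained paths.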