[keycloak-user] Noob question -- 'forbidden' on demo after redirect
Walter Rice
walterrrice at gmail.com
Sat Feb 14 09:05:52 EST 2015
I used everything in 1.0.5 .....
On Sat, Feb 14, 2015 at 2:03 PM, Bill Burke <bburke at redhat.com> wrote:
> Which demo did you build off of?
>
> On 2/14/2015 4:40 AM, Walter Rice wrote:
>
>> Hi Bill,
>>
>> Full scope allowed: ON
>>
>> I changed this to off then added user and admin roles... same result
>>
>> I realise it's probably a silly mistake on my part! but I just can't see
>> it...
>>
>> If I click *customer admin interface* I get the following:
>>
>>
>> Customer Admin Interface
>>
>> User *96cfdfd1-ba0d-480a-9a80-18ec830391fe *made this request.
>>
>>
>> Admin REST To Get Role List of Realm
>>
>> There was a failure processing request. You either didn't configure
>> Keycloak properly Status from database service invocation was: 404
>>
>>
>> /Brian
>>
>>
>>
>> On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke <bburke at redhat.com> wrote:
>>
>> Go to the admin console. Go to your application definition. Go to
>> the scope tab. What does it say?
>>
>>
>> On 2/13/2015 8:04 PM, Walter Rice wrote:
>>
>> Hi Bill,
>>
>> Thanks for the reply. I dunno! I followed the video to the letter....
>> Below is my web.xml for customer-portal. Apologies for noob qn but how
>> do I check application scope?...
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>>          version="3.0">
>>
>>     <module-name>customer-portal</module-name>
>>
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Admins</web-resource-name>
>>             <url-pattern>/admin/*</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>admin</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Customers</web-resource-name>
>>             <url-pattern>/customers/*</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>user</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>
>>     <!--
>>     <security-constraint>
>>         <web-resource-collection>
>>             <url-pattern>/*</url-pattern>
>>         </web-resource-collection>
>>         <user-data-constraint>
>>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>         </user-data-constraint>
>>     </security-constraint> -->
>>
>>     <login-config>
>>         <auth-method>KEYCLOAK</auth-method>
>>         <realm-name>cryo198</realm-name>
>>     </login-config>
>>
>>     <security-role>
>>         <role-name>admin</role-name>
>>     </security-role>
>>     <security-role>
>>         <role-name>user</role-name>
>>     </security-role>
>> </web-app>
>>
>>
>> On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke <bburke at redhat.com> wrote:
>>
>> You don't have constraints set up correctly in web.xml? You don't have
>> the appropriate scope for the application set up?
>>
>> On 2/13/2015 4:47 PM, Walter Rice wrote:
>> > Hi,
>> >
>> > I am trying to set up the demo as per the youtube videos (#1 and #2). I
>> > am using keycloak 1.0.5. I have set up per the video (I think), however
>> > things aren't working as expected.
>> >
>> > I browse to http://localhost:8080/customer-portal/ and all is fine. I
>> > click Customer Listing and I am redirected to login page as expected. I
>> > enter my name/pw, this is successful and then I am redirected back to
>> > http://localhost:8080/customer-portal/customers/view.jsp but the page is
>> > 'Forbidden' (redirect uri appears ok here?)
>> >
>> > I am using the 'full' version with bundled wildfly server.
>> >
>> >
>> >
>> > *customer app:*
>> > keycloak file
>> >
>> > {
>> >   "realm": "cryo198",
>> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>> >   "auth-server-url": "http://localhost:8080/auth",
>> >   "ssl-required": "external",
>> >   "resource": "customer-portal",
>> >   "credentials": {
>> >     "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
>> >   }
>> > }
>> >
>> > *web.xml*
>> > <login-config>
>> >     <auth-method>KEYCLOAK</auth-method>
>> >     <realm-name>cryo198</realm-name>
>> > </login-config>
>> >
>> > *redirect URI:*
>> > /customer-portal/*
>> >
>> > *database app:*
>> > {
>> >   "realm": "cryo198",
>> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>> >   "auth-server-url": "http://localhost:8080/auth",
>> >   "ssl-required": "NONE",
>> >   "resource": "database",
>> >   "bearer-only": "true"
>> > }
>> >
>> > *web.xml*
>> > <login-config>
>> >     <auth-method>KEYCLOAK</auth-method>
>> >     <realm-name>cryo198</realm-name>
>> > </login-config>
>> >
>> > *redirect URI:*
>> > n./a ..set as bearer only
>> >
>> > *deployed apps:*
>> > $ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"
>> > NAME                    RUNTIME-NAME            ENABLED STATUS
>> > admin-access.war        admin-access.war        true    OK
>> > angular-product.war     angular-product.war     true    OK
>> > auth-server.war         auth-server.war         true    OK
>> > customer-portal-js.war  customer-portal-js.war  true    OK
>> > customer-portal.war     customer-portal.war     true    OK
>> > database.war            database.war            true    OK
>> > product-portal.war      product-portal.war      true    OK
>> >
>> > *Log:*
>> > 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
>> > 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
>> > 2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
>> > 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
>> > 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
>> > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
>> > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
>> > 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
>> > 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
>> > 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
>> > 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
>> > 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
>> > 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
>> > 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
>> > 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
>> > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true
>> > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
>> > 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
>> > 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
>> > 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
>> > 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
>> > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
>> > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
>> > 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
>> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
>> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
>> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie
>> > 2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
>> > 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
>> > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
>> > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
>> > 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
>> > 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
>> > 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
>> > 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
>> > 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
>> > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
>> > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
>> > 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
>> > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
>> > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
>> > 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
>> > 2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp
>> >
>> >
>> > Many thanks
>> > W
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
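The log in the original post shows login succeeding (`Token Verification succeeded!`) and the adapter reporting `use realm role mappings`, and Bill's questions point at the web.xml constraints and the roles the application's scope lets into the token. As an added example (not from the thread or the Keycloak project), this evaluates the `auth-constraint` roles of the posted web.xml against the realm roles in an access token; the `realm_access.roles` claim layout is an assumption, and the token is a constructed, unsigned sample.

```python
import base64
import json
import xml.etree.ElementTree as ET

NS = {"ee": "http://java.sun.com/xml/ns/javaee"}
# The two auth-constraints from the customer-portal web.xml quoted in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/customers/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint></security-constraint>
</web-app>"""

def constraints(web_xml):
    """Return [(url-pattern, required roles)] for constraints that carry an auth-constraint."""
    out = []
    for sc in ET.fromstring(web_xml).findall("ee:security-constraint", NS):
        if sc.find("ee:auth-constraint", NS) is None:
            continue  # e.g. a transport-guarantee-only constraint needs no role
        roles = {r.text.strip() for r in sc.findall("ee:auth-constraint/ee:role-name", NS)}
        out += [(p.text.strip(), roles) for p in sc.findall(".//ee:url-pattern", NS)]
    return out

def realm_roles(jwt):
    """Decode the token payload without verifying it (diagnosis only); return realm roles."""
    payload = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return set(claims.get("realm_access", {}).get("roles", []))  # assumed claim layout

def matches(pattern, path):
    """Servlet prefix ('/x/*') or exact match; enough for the non-overlapping patterns here."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def decide(web_xml, jwt, path):
    """'permit', or why an already-authenticated request to path would get 403."""
    have = realm_roles(jwt)
    for pattern, need in constraints(web_xml):
        if matches(pattern, path) and not (need & have):
            return "forbidden: %s needs %s, token has %s" % (pattern, sorted(need), sorted(have))
    return "permit"

def sample_token(roles):
    """Constructed, unsigned stand-in for an access token; not a real Keycloak token."""
    body = json.dumps({"preferred_username": "walt", "realm_access": {"roles": roles}})
    return "e30." + base64.urlsafe_b64encode(body.encode()).decode().rstrip("=") + ".x"
```

`decide(WEB_XML, sample_token([]), "/customers/view.jsp")` reports the missing `user` role, which is the shape of result to look for when a token issued to the logged-in user carries no matching realm role.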