[keycloak-user] User rights after logout

Christoph Machnik christoph.machnik at traveltainment.de
Wed Jan 28 04:38:32 EST 2015


Hi all,

I have a web application with Keycloak. When a user has to log in, this user gets the rights to see the following pages or not. When this user logs out and another user logs in with other rights to see the following pages or not, he gets the same rights as the first user that logged in.
In the example I log in with support and can only see the support page in the application; when I log out and log in with admin I can only see the support page and not the admin page, even though I have the admin role. When I restart the server and first log in as admin I can see the admin and the support page. When I log out and now log in with support I have the support role, but nevertheless I can see the admin and support page.

Is there any mistake in the web.xml file? (following):

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <module-name>TestWebApp</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admins</web-resource-name>
            <url-pattern>/views/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Support</web-resource-name>
            <url-pattern>/views/support/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>support</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>test</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>support</role-name>
    </security-role>

</web-app>
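Added example, not from the original post or from Keycloak: a small Python script that parses the security-constraints of the web.xml above and applies a simplified version of the Servlet-spec matching rules (best-matching url-pattern, roles unioned; HTTP methods and transport guarantees are ignored), so you can confirm what the descriptor itself grants each role. If the results match the intended matrix (admin sees both areas, support only /views/support/*), the role assignments in the descriptor are not what is leaking between users.

```python
import xml.etree.ElementTree as ET
NS = {"j": "http://java.sun.com/xml/ns/javaee"}
# Constructed copy of the two constraints from the web.xml in the post (other elements omitted).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/views/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/views/support/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>support</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url_patterns, roles)]; roles is None without <auth-constraint>, empty set if precluded."""
    out = []
    for sc in ET.fromstring(xml_text).findall("j:security-constraint", NS):
        patterns = [p.text.strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else {r.text.strip() for r in auth.findall("j:role-name", NS)}
        out.append((patterns, roles))
    return out

def match_len(pattern, path):
    """Servlet-style match score: exact beats any '/prefix/*' match; -1 means no match."""
    if pattern == path:
        return len(pattern) + 1
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return len(prefix)
    return -1

def is_allowed(constraints, path, user_roles):
    """Simplified Servlet-spec decision: take the best-matching constraints, union their roles,
    allow if the user holds one of them or '*' is named; an empty union precludes access."""
    best, matched = -1, []
    for patterns, roles in constraints:
        score = max((match_len(p, path) for p in patterns), default=-1)
        if score > best:
            best, matched = score, [roles]
        elif score == best and score >= 0:
            matched.append(roles)
    if best < 0 or None in matched:
        return True  # unconstrained path, or a matching constraint without <auth-constraint>
    allowed = set().union(*matched)
    return "*" in allowed or bool(allowed & set(user_roles))

CONSTRAINTS = load_constraints(WEB_XML)
```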