[keycloak-user] Spring checks Bearer token for permitted requests
Hylton Peimer
hylton.peimer at datos-health.com
Fri May 26 02:48:52 EDT 2017
Unfortunately that didn't work.
I've implemented a hack which is something like overriding the
KeycloakAuthenticationProcessingFilter and returning an
AnonymousAuthenticationToken if the particular path is requested.
Maybe there's a more elegant way.
protected KeycloakAuthenticationProcessingFilter
keycloakAuthenticationProcessingFilter() throws Exception {
    KeycloakAuthenticationProcessingFilter filter =
            new KeycloakAuthenticationProcessingFilter(this.authenticationManagerBean()) {
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request,
                HttpServletResponse response)
                throws AuthenticationException, IOException, ServletException {
            // For the refresh endpoint, don't validate the (possibly expired) bearer
            // token at all; hand back an anonymous token so permitAll applies.
            if (request.getServletPath().equals("/mobile/api/refresh")) {
                logger.error("Mobile device sent expired bearer token for "
                        + "/mobile/api/refresh request");
                return new AnonymousAuthenticationToken("blah", "blah",
                        Collections.singleton(new SimpleGrantedAuthority("blah")));
            }
            return super.attemptAuthentication(request, response);
        }
    };
    filter.setSessionAuthenticationStrategy(this.sessionAuthenticationStrategy());
    return filter;
}
On Fri, May 26, 2017 at 9:15 AM, Sebastien Blanc <sblanc at redhat.com> wrote:
> I haven't tried it but you could try to override the configure(WebSecurity
> web) method as well:
>
> @Override
> public void configure(WebSecurity web) throws Exception {
>     web
>         .ignoring()
>         .antMatchers("/mobile/api/login",
>                      "/mobile/api/refresh");
> }
>
>
> On Thu, May 25, 2017 at 9:50 PM, Hylton Peimer <
> hylton.peimer at datos-health.com> wrote:
>
>> I have an instance of KeycloakWebSecurityConfigurerAdapter that contains
>> the following configuration:
>>
>> protected void configure(HttpSecurity httpSecurity) throws Exception {
>>     super.configure(httpSecurity);
>>
>>     httpSecurity
>>         .antMatcher("/mobile/**")
>>         .authorizeRequests()
>>         .antMatchers("/mobile/api/login",
>>                      "/mobile/api/refresh").permitAll()
>>         .antMatchers("/mobile/api/**").authenticated()
>>
>> ..........
>>
>> The Client is setup for bearer-only.
>>
>> It works fine, except when the access token expires.
>>
>> Some mobile clients send the expired token as a header in the call to
>> "/mobile/api/refresh".
>>
>> The problem is that even though "/mobile/api/refresh" is marked as
>> permitAll, the request is blocked.
>>
>> It's not possible to fix all the mobile clients. How could I configure
>> Spring to ignore the bearer token for the "permitAll" calls, or remove the
>> header?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>