[keycloak-user] Spring checks Bearer token for permitted requests

Sebastien Blanc sblanc at redhat.com
Fri May 26 06:02:12 EDT 2017


Hmm, interesting indeed. I did the test: the ignoring stuff works as long as no
token is added... I wonder if this is working as designed or if it is
actually a bug.



On Fri, May 26, 2017 at 8:48 AM, Hylton Peimer <
hylton.peimer at datos-health.com> wrote:

> Unfortunately that didn't work.
>
> I've implemented a hack which is something like overriding the
> KeycloakAuthenticationProcessingFilter and returning an
> AnonymousAuthenticationToken if the particular path is requested.
>
> Maybe there's a more elegant way.
>
> protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
>     KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(this.authenticationManagerBean()) {
>         @Override
>         public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
>             if (request.getServletPath().equals("/mobile/api/refresh")) {
>                 logger.error("Mobile device sent expired bearer token for /mobile/api/refresh request");
>                 return new AnonymousAuthenticationToken("blah", "blah", Collections.singleton(new SimpleGrantedAuthority("blah")));
>             }
>             return super.attemptAuthentication(request, response);
>         }
>     };
>     filter.setSessionAuthenticationStrategy(this.sessionAuthenticationStrategy());
>     return filter;
> }
>
> On Fri, May 26, 2017 at 9:15 AM, Sebastien Blanc <sblanc at redhat.com>
> wrote:
>
>> I haven't tried it but you could try to override the
>> configure(WebSecurity web) method as well :
>>
>>     @Override
>>     public void configure(WebSecurity web) throws Exception {
>>         web
>>             .ignoring()
>>                 .antMatchers("/mobile/api/login", "/mobile/api/refresh");
>>     }
>>
>>
>> On Thu, May 25, 2017 at 9:50 PM, Hylton Peimer <
>> hylton.peimer at datos-health.com> wrote:
>>
>>> I have an instance of KeycloakWebSecurityConfigurerAdapter that contains
>>> the following configuration:
>>>
>>>     protected void configure(HttpSecurity httpSecurity) throws Exception {
>>>         super.configure(httpSecurity);
>>>
>>>         httpSecurity
>>>                 .antMatcher("/mobile/**")
>>>                 .authorizeRequests()
>>>                 .antMatchers("/mobile/api/login", "/mobile/api/refresh").permitAll()
>>>                 .antMatchers("/mobile/api/**").authenticated()
>>>
>>>             ..........
>>>
>>> The Client is setup for bearer-only.
>>>
>>> It works fine, except when the access token expires.
>>>
>>> Some mobile clients send the expired token as a header in the call to
>>> "/mobile/api/refresh".
>>>
>>> The problem is that even though "/mobile/api/refresh" is marked as
>>> permitAll, the request is blocked.
>>>
>>> It's not possible to fix all the mobile clients. How could I configure
>>> Spring to ignore the bearer token for the "permitAll" calls, or remove the
>>> header?
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
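The behaviour asked for in this thread can also be reached without returning a placeholder anonymous token: the adapter's filter takes a RequestMatcher that decides which requests it attempts to authenticate at all, so the permitAll paths can be excluded from it while the rest of the API stays protected. The following is an added example, not code from anyone in this thread or from the Keycloak project; the class name MobileSecurityConfig is illustrative, and it assumes the keycloak-spring-security-adapter's two-argument KeycloakAuthenticationProcessingFilter(AuthenticationManager, RequestMatcher) constructor together with the Spring Security 4.x request-matcher classes.

```java
// Added example (not from the thread): scope the Keycloak bearer-token filter
// with a RequestMatcher so it never inspects the Authorization header on the
// permitAll paths. MobileSecurityConfig and the path set are illustrative.
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class MobileSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Endpoints that must stay reachable even when a stale token is attached.
    private static final RequestMatcher PUBLIC_PATHS = new OrRequestMatcher(
            new AntPathRequestMatcher("/mobile/api/login"),
            new AntPathRequestMatcher("/mobile/api/refresh"));

    // Bearer-only client: do not create an HTTP session for API calls.
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    // Restrict the filter to /mobile/api/** minus the public paths. Requests
    // to /mobile/api/refresh therefore never reach the bearer-token check,
    // regardless of what the mobile client puts in the Authorization header.
    @Bean
    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        RequestMatcher protectedApi = new AndRequestMatcher(
                new AntPathRequestMatcher("/mobile/api/**"),
                new NegatedRequestMatcher(PUBLIC_PATHS));
        KeycloakAuthenticationProcessingFilter filter =
                new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), protectedApi);
        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return filter;
    }

    // Authorization rules stay as in the original question; the same matcher
    // object is reused so the two lists cannot drift apart.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .antMatcher("/mobile/**")
            .authorizeRequests()
                .requestMatchers(PUBLIC_PATHS).permitAll()
                .antMatchers("/mobile/api/**").authenticated();
    }
}
```

Two things to check before relying on this. With Spring Boot the adapter's filter is also auto-registered as a servlet filter outside the security chain; the Keycloak documentation describes disabling that registration with a FilterRegistrationBean, otherwise the container-level copy still sees every request. And because Spring no longer validates anything on /mobile/api/refresh, that endpoint is responsible for validating the refresh token it receives against Keycloak itself; the exclusion removes a check on an endpoint that was already meant to be public, not on the protected API.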

