[keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost

Ryan Slominski ryans at jlab.org
Thu Aug 9 09:22:56 EDT 2018


Hi Dmitry,
  I think what I am seeing now can be explained by this bug:

https://issues.jboss.org/browse/KEYCLOAK-2784

Historically my application would allow non-authenticated users to browse most pages, but if you log in you see more content.  Before converting to Keycloak I was using the Java Servlet container managed security programmatic login.  Now I have an anchor (link) to Keycloak.  It seems I might need to set up some tricks as it appears the Wildfly client adapter doesn't support this use-case of tracking authenticated users on programmatically-protected (non-container protected) pages.

Also, for completeness, I forgot to add in the last email that to get around the localhost proxy issue I actually had to add an Apache rule 'RequestHeader set X-Forwarded-Proto "https"' and also update Wildfly with the following commands on the CLI:

/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true) 
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)

I also had to configure a trust store in Wildfly (cacerts file) with my Keycloak server PKI certificate.

If I navigate to one of the few fully container protected pages the username (principal) does become recognized - although it is an unfriendly format: "f:<user storage ID>:<username>"

Ryan
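The redirect_uri behaviour described in this thread (a ProxyPass target of localhost giving a localhost redirect_uri, then the Apache X-Forwarded-Proto header plus Undertow's proxy-address-forwarding fixing it) modelled as an added example. This is editor-written Python, not code from the thread, from Wildfly/Undertow or from Keycloak. The header names are the standard X-Forwarded-* ones Apache mod_proxy sends; the keyword arguments local_port, proxy_address_forwarding and peer_is_proxy, the constructed sample headers, the client id and the "Valid Redirect URIs" pattern are assumptions made for the example, and the wildcard matching is a model of Keycloak's trailing-* rule rather than its code.

```python
"""Added example (not code from the thread, nor Undertow/Keycloak code).

Models how a reverse-proxied servlet container decides the external
scheme/host/port that ends up in the OIDC redirect_uri, and why the
thread's fix (Apache sets X-Forwarded-Proto, Undertow honours the
X-Forwarded-* headers via proxy-address-forwarding) is needed.
"""
from urllib.parse import urlencode

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_host(value, fallback_port):
    """'host[:port]' -> (host, port)."""
    if ":" in value:
        host, port = value.rsplit(":", 1)
        return host, int(port)
    return value, fallback_port


def external_base_url(headers, *, local_port, proxy_address_forwarding,
                      peer_is_proxy=True):
    """scheme://host[:port] as the application believes the browser reached it.

    headers                  request headers as they arrive at the backend
    local_port               port the backend listener actually received on
    proxy_address_forwarding stand-in (assumption) for the Undertow
                             http-listener attribute; False ignores every
                             X-Forwarded-* header
    peer_is_proxy            assumption: X-Forwarded-* is only honoured when
                             the TCP peer is the reverse proxy; otherwise a
                             client reaching the backend port directly could
                             choose the host that lands in redirect_uri
    """
    h = {k.lower(): v for k, v in headers.items()}
    # Without forwarding the app only knows what the proxy put in Host,
    # which for 'ProxyPass / http://localhost:8080/' is localhost:8080.
    scheme = "http"
    host, port = _split_host(h.get("host", "localhost"), local_port)

    if proxy_address_forwarding and peer_is_proxy:
        scheme = h.get("x-forwarded-proto", scheme).lower()
        if "x-forwarded-host" in h:
            # mod_proxy sets this to the Host the browser used; take the
            # first entry if several proxies appended to it.
            host, port = _split_host(
                h["x-forwarded-host"].split(",")[0].strip(),
                DEFAULT_PORTS[scheme])
        if "x-forwarded-port" in h:
            port = int(h["x-forwarded-port"])

    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def build_redirect_uri(headers, path, **listener):
    """The redirect_uri an adapter would send to the IdP for a protected path."""
    return external_base_url(headers, **listener) + path


def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """Exact match, or prefix match when the registered pattern ends with '*'
    (a model of the Keycloak 'Valid Redirect URIs' rule, not its code)."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def authorization_request(client_id, redirect_uri, auth_endpoint):
    """URL the browser is sent to (constructed; minimal subset of OIDC params)."""
    return auth_endpoint + "?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": "openid"})


# Assumed client registration and protected path.
VALID = ["https://myserver.example.com/*"]
PATH = "/app/secure/"

# Constructed headers as Apache hands them to the backend on port 8080.
PROXYPASS_LOCALHOST = {                 # ProxyPass / http://localhost:8080/
    "Host": "localhost:8080",
    "X-Forwarded-For": "203.0.113.7",
    "X-Forwarded-Host": "myserver.example.com",
}
WITH_PROTO = {**PROXYPASS_LOCALHOST,    # + RequestHeader set X-Forwarded-Proto "https"
              "X-Forwarded-Proto": "https"}
SPOOFED_DIRECT = {                      # client hits :8080 directly, bypassing Apache
    "Host": "myserver.example.com:8080",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "attacker.example",
}


def scenarios():
    """(label, redirect_uri, accepted_by_whitelist) for each configuration."""
    cases = [
        ("proxy-address-forwarding=false", PROXYPASS_LOCALHOST, False, True),
        ("forwarding on, no X-Forwarded-Proto", PROXYPASS_LOCALHOST, True, True),
        ("forwarding on + X-Forwarded-Proto https", WITH_PROTO, True, True),
        ("forwarding on, headers from a non-proxy peer", SPOOFED_DIRECT, True, False),
    ]
    return [(label,
             uri := build_redirect_uri(headers, PATH, local_port=8080,
                                       proxy_address_forwarding=fwd,
                                       peer_is_proxy=trusted),
             redirect_uri_allowed(uri, VALID))
            for label, headers, fwd, trusted in cases]


if __name__ == "__main__":
    for label, uri, ok in scenarios():
        print(f"{label:48} {uri:48} {'accepted' if ok else 'Invalid parameter: redirect_uri'}")
```

The last scenario is the caveat that goes with the first CLI command above: once the listener honours X-Forwarded-*, it does so for any peer that can reach port 8080 unless something restricts that, so the backend port should only be reachable from the proxy; the client's redirect URI whitelist on the Keycloak side is the second line of defence, and the example shows that with peer_is_proxy=True a spoofed X-Forwarded-Host would otherwise steer redirect_uri to attacker.example.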

----- Original Message -----
From: "Ryan Slominski" <ryans at jlab.org>
To: "Dmitry Telegin" <dt at acutus.pro>
Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Thursday, August 9, 2018 8:06:08 AM
Subject: Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost

Hi Dmitry,
  Yes, that seems to be it.  I am using an Apache reverse proxy to get my Wildfly application on port 8080 accessible over port 443.  My proxy rule was using localhost instead of myserver.example.com and after replacing localhost with the actual hostname it now seems to be working.  I say seems to be working because I now get past the localhost redirect issue, but it doesn't seem like the servlet container acknowledges I'm logged in.  I am redirected back to the application with a parameter session_state=<long string of characters and numbers>.  However, the EL expression on the return page: "${pageContext.request.userPrincipal eq null}" is showing true - suggesting that the Wildfly servlet container doesn't know I'm logged in.  Does the Wildfly client adapter not integrate with container managed security?

Thanks,

Ryan
 
----- Original Message -----
From: "Dmitry Telegin" <dt at acutus.pro>
To: "Ryan Slominski" <ryans at jlab.org>, "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Wednesday, August 8, 2018 7:23:54 PM
Subject: Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost

Hi Ryan,

Is your Wildfly (not Keycloak) behind a reverse proxy?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-08-08 at 16:34 -0400, Ryan Slominski wrote:
> Hi Keycloak Users,
>    I'm attempting to set up a Wildfly application as a client to Keycloak and an issue I'm seeing is that if I navigate my web browser to a protected resource I am redirected to Keycloak as expected, but the return URL (redirect_uri parameter) is to localhost, not back to my actual hostname, say "myserver.example.com".  This breaks the process with the Keycloak error "Invalid parameter: redirect_uri".  How do I configure the Wildfly client adapter to generate a redirect_uri to my actual hostname instead of to localhost?  When I browse my Wildfly application on unprotected pages I'm using the actual hostname already.  In Wildfly standalone.xml I've set inet-address for public to 0.0.0.0 to replace 127.0.0.1.  I've also updated the host element default-host alias to match myserver.example.com to replace "localhost".  Neither of those changes made a difference.
> 
> Thanks,
> 
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
