<html>
<head>
</head>
<body class='hmmessage'><div dir='ltr'>Hello All,<div><br><div>First off, I'm a NOOB with SSO, so please educate me kindly on any ignorance within my questions.</div><div><br></div><div>From my research thus far and previous mailing posts sent to this user list:</div><div><br></div><div>Keycloak is very tuned to using a Servlet Container security approach with Keycloak adapters utilizing the .json/.xml configuration file. I've been able to get basic authentication working using a completely front-end approach. To be clear, it's an AngularJS front end and it was extremely straightforward just porting over the example. The problem is that I'm trying to tie the authentication to the server application layer (Spring Security). I am pretty married to Spring Security at this point and would like to authenticate via an application-managed approach. There are multiple libraries within Spring Security that support industry standards that are compatible with Keycloak (SAML, OpenID, OAuth etc.).</div><div><br></div><div>To be fair, I haven't ruled out a Servlet Security approach, but I've spent a weekend (again, SSO Noob here) trying to migrate my existing Spring Security (application-managed security) application to a container using the Tomcat adapter, and it's been painful to say the least. I am still using Spring Boot and Java Config. In an attempt to decouple all the existing security controls that are application managed, I've been able to basically accomplish removing the existing security: you can see the existing code and output below for my entire current setup for a KeyCloakServerConfiguration servlet, and if you see anything obvious, let me know. I'm not sure how the forms login handoff is supposed to occur at this point. Should it just be an iframe sourcing in the SSO login form?</div><div><br></div><div>OK, so what would be much, much more convenient at this point is a few examples of integrating manually with Keycloak rather than using the adapters. Does anyone have an example or documentation on how to use SAML or OpenID at an application-managed level (a Spring Security SAML or OpenID example would be amazing)? Specifically, without using a Keycloak adapter.</div><div>Thanks in advance for any support/information you can provide.</div><div><br></div><div>Best, Andrew</div><div><br></div><div>







<pre>
import java.io.InputStream;

import org.apache.catalina.Context;
// Tomcat 8 descriptor classes; on Tomcat 7 the same three classes live in org.apache.catalina.deploy
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.keycloak.adapters.HttpFacade;   // newer adapter releases moved this to org.keycloak.adapters.spi.HttpFacade
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeyCloakServerConfiguration {

    @Bean
    public EmbeddedServletContainerCustomizer getKeycloakContainerCustomizer() {
        return new EmbeddedServletContainerCustomizer() {
            @Override
            public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
                if (configurableEmbeddedServletContainer instanceof TomcatEmbeddedServletContainerFactory) {
                    TomcatEmbeddedServletContainerFactory container =
                            (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;

                    // The valve is what makes the "KEYCLOAK" auth method (set below) resolvable by Tomcat.
                    KeycloakAuthenticatorValve authenticatorValve = new KeycloakAuthenticatorValve();
                    container.addContextValves(authenticatorValve);

                    container.addContextCustomizers(getKeycloakContextCustomizer());
                }
            }
        };
    }

    @Bean
    public TomcatContextCustomizer getKeycloakContextCustomizer() {
        return new TomcatContextCustomizer() {
            @Override
            public void customize(Context context) {
                SecurityConstraint secConstraints = new SecurityConstraint();
                secConstraints.setAuthConstraint(true);
                secConstraints.addAuthRole("ROLE_USER");

                // The only time the application should allow PUTs is when an administrator
                // is authenticated with the site.
                // (As written, the method added is POST and the role required is ROLE_USER.)
                SecurityCollection putCollection = new SecurityCollection();
                putCollection.addPattern("/**");
                putCollection.addMethod("POST");

                SecurityCollection getAuthenticatedMaterialsCollection = new SecurityCollection();
                // "/**" is an Ant-style (Spring) pattern, not a servlet URL pattern; Tomcat treats it
                // as an exact path. "/*" is the prefix pattern that actually matches every request.
                getAuthenticatedMaterialsCollection.addPattern("/**");
                getAuthenticatedMaterialsCollection.addPattern("/*");

                secConstraints.addCollection(putCollection);
                secConstraints.addCollection(getAuthenticatedMaterialsCollection);
                context.addConstraint(secConstraints);

                LoginConfig loginConfig = new LoginConfig();
                loginConfig.setAuthMethod("KEYCLOAK");
                context.setLoginConfig(loginConfig);

                // The adapter instantiates the resolver by class name, so it needs a public no-arg constructor
                // (a public static nested class satisfies that).
                context.addParameter("keycloak.config.resolver",
                        SpringBootKeycloakConfigResolver.class.getName());
            }
        };
    }

    public static class SpringBootKeycloakConfigResolver implements KeycloakConfigResolver {

        private KeycloakDeployment keycloakDeployment;

        @Override
        public KeycloakDeployment resolve(HttpFacade.Request request) {
            if (keycloakDeployment != null) {
                return keycloakDeployment;
            }

            InputStream configInputStream = getClass().getResourceAsStream("/keycloak.json");

            if (configInputStream == null) {
                // An empty deployment has no realm, auth server URL or realm key, so requests fail
                // at request time rather than at startup when keycloak.json is missing.
                keycloakDeployment = new KeycloakDeployment();
            } else {
                keycloakDeployment = KeycloakDeploymentBuilder.build(configInputStream);
            }

            return keycloakDeployment;
        }
    }
}
</pre></div><div><br></div><div>Here is the console output. So what I gather is that it appears to be at least intercepting the requests appropriately and it is successfully loading the .json resource file.</div><div><br></div><div>







<pre>
[DEBUG] org.keycloak.adapters.PreAuthActionsHandler - adminRequest http://localhost:8080/
[DEBUG] org.keycloak.adapters.KeycloakDeployment - resolveBrowserUrls
[DEBUG] org.keycloak.adapters.KeycloakDeployment - resolveNonBrowserUrls
[DEBUG] org.keycloak.adapters.KeycloakDeploymentBuilder - Use authServerUrl: http://192.168.53.252:8080/auth, codeUrl: http://192.168.53.252:8080/auth/realms/Spring-Development/protocol/openid-connect/access/codes, relativeUrls: NEVER
</pre>
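<div>The application-managed OpenID Connect integration the post asks for, as an added example that is not from this thread or from the Keycloak or Spring projects: it uses Spring Security 6's resource-server support (spring-boot-starter-oauth2-resource-server, Java 17) instead of the Spring Boot 1.x Tomcat valve above, so the application itself verifies each bearer token's signature against the realm's JWKS, its issuer, expiry and audience, and maps Keycloak's realm_access.roles claim onto ROLE_* authorities. The issuer URL is the realm URL from the console output; the class name, the client id spring-app and the audience mapper that puts that id into aud are assumptions.</div>

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class KeycloakResourceServerConfig {   // assumed class name, not from the thread

    // Realm issuer taken from the console output above (newer Keycloak versions drop the "/auth" prefix).
    static final String ISSUER = "http://192.168.53.252:8080/auth/realms/Spring-Development";
    // Assumed client id; Keycloak only places it in "aud" when the client has an audience mapper.
    static final String CLIENT_ID = "spring-app";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                        // same intent as the posted SecurityConstraint: POST requires ROLE_USER
                        .requestMatchers(HttpMethod.POST, "/**").hasRole("USER")
                        .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt
                        .decoder(jwtDecoder())
                        .jwtAuthenticationConverter(keycloakRoleConverter())));
        return http.build();
    }

    // Signature (keys fetched from the issuer's JWKS endpoint), issuer, expiry and audience are all
    // verified here by the application, which is the work the Tomcat valve did in the posted setup.
    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER),
                new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
                        aud -> aud != null && aud.contains(CLIENT_ID))));
        return decoder;
    }

    // Keycloak carries realm roles in realm_access.roles; map them to ROLE_* authorities so that
    // hasRole("USER") above lines up with a Keycloak realm role named "user".
    static JwtAuthenticationConverter keycloakRoleConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            List<GrantedAuthority> authorities = new ArrayList<>();
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            if (realmAccess != null && realmAccess.get("roles") instanceof List<?> roles) {
                for (Object role : roles) authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toString().toUpperCase()));
            }
            return authorities;
        });
        return converter;
    }
}
```

<div>The audience check is what keeps a token issued to a different client in the same realm from being accepted by this application; the Keycloak login redirect itself is then handled by the front end (or by Spring's OAuth2 login support), not by an iframe.</div>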
<p class="p1"><br></p></div></div>                                               </div></body>
</html>