<div dir="ltr">Hi Bill,<div><br></div><div>Full scope allowed: ON</div><div><br></div><div>I changed this to off then added user and admin roles... same result</div><div><br></div><div>I realise it's probably a silly mistake on my part! but I just can't see it...</div><div><br></div><div>If I click <b>customer admin interface</b> I get the following:</div><div><br></div><div><h1 style="color:rgb(0,0,0);font-family:'Times New Roman'">Customer Admin Interface</h1><span style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium;background-color:rgb(227,246,206)">User </span><b style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium">96cfdfd1-ba0d-480a-9a80-18ec830391fe </b><span style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium;background-color:rgb(227,246,206)">made this request.</span><p style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium"></p><h2 style="color:rgb(0,0,0);font-family:'Times New Roman'">Admin REST To Get Role List of Realm</h2><span style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium;background-color:rgb(227,246,206)">There was a failure processing request. 
You either didn't configure Keycloak properly Status from database service invocation was: 404</span><br></div><div><span style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium;background-color:rgb(227,246,206)"><br></span></div><div><span style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium;background-color:rgb(227,246,206)"><br></span></div><div><span style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium;background-color:rgb(227,246,206)">/Brian</span></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Go to the admin console. Go to your application definition. Go to the scope tab. What does it say?<div><div class="h5"><br>
<br>
On 2/13/2015 8:04 PM, Walter Rice wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
Hi Bill,<br>
<br>
Thanks for the reply. I dunno! I followed the video to the letter....<br>
Below is my web.xml for customer-portal. Apologies for noob qn but how<br>
do I check application scope?...<br>
<br>
<?xml version="1.0" encoding="UTF-8"?><br>
<web-app xmlns="<a href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a>"<br>
xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>"<br>
xsi:schemaLocation="<a href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><br>
<a href="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" target="_blank">http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd</a>"<br>
version="3.0"><br>
<br>
<module-name>customer-portal</module-name><br>
<br>
<security-constraint><br>
<web-resource-collection><br>
<web-resource-name>Admins</web-resource-name><br>
<url-pattern>/admin/*</url-pattern><br>
</web-resource-collection><br>
<auth-constraint><br>
<role-name>admin</role-name><br>
</auth-constraint><br>
</security-constraint><br>
<security-constraint><br>
<web-resource-collection><br>
<web-resource-name>Customers</web-resource-name><br>
<url-pattern>/customers/*</url-pattern><br>
</web-resource-collection><br>
<auth-constraint><br>
<role-name>user</role-name><br>
</auth-constraint><br>
</security-constraint><br>
<br>
<!--<br>
<security-constraint><br>
<web-resource-collection><br>
<url-pattern>/*</url-pattern><br>
</web-resource-collection><br>
<user-data-constraint><br>
<transport-guarantee>CONFIDENTIAL</transport-guarantee><br>
</user-data-constraint><br>
</security-constraint> --><br>
<br>
<login-config><br>
<auth-method>KEYCLOAK</auth-method><br>
<realm-name>cryo198</realm-name><br>
</login-config><br>
<br>
<security-role><br>
<role-name>admin</role-name><br>
</security-role><br>
<security-role><br>
<role-name>user</role-name><br>
</security-role><br>
</web-app><br>
<br>
<br>
On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><br></div></div><span class="">
<mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>> wrote:<br>
<br>
You don't have constraints set up correctly in web.xml? You don't have<br>
the appropriate scope for the application set up?<br>
<br>
On 2/13/2015 4:47 PM, Walter Rice wrote:<br>
> Hi,<br>
><br>
> I am trying to set up the demo as per the YouTube videos (#1 and #2). I<br>
> am using Keycloak 1.0.5. I have set up per the video (I think), however<br>
> things aren't working as expected.<br>
><br></span>
> I browse to http://localhost:8080/customer-portal/ and all is fine. I<div><div class="h5"><br>
> click Customer Listing and I am redirected to login page as expected. I<br>
> enter my name/pw, this is successful and then I am redirected back to<br>
> <a href="http://localhost:8080/customer-portal/customers/view.jsp" target="_blank">http://localhost:8080/customer-portal/customers/view.jsp</a> but the page is<br>
> 'Forbidden' (redirect uri appears ok here?)<br>
><br>
> I am using the 'full' version with bundled wildfly server.<br>
><br>
><br>
><br>
> *customer app:*<br>
> keycloak file<br>
><br>
> {<br>
> "realm": "cryo198",<br>
> "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",<br>
> "auth-server-url": "<a href="http://localhost:8080/auth" target="_blank">http://localhost:8080/auth</a>",<br>
> "ssl-required": "external",<br>
> "resource": "customer-portal",<br>
> "credentials": {<br>
> "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"<br>
> }<br>
> }<br>
><br>
> *web.xml*<br>
> <login-config><br>
> <auth-method>KEYCLOAK</auth-method><br>
> <realm-name>cryo198</realm-name><br>
> </login-config><br>
><br>
> *redirect URI:*<br>
> /customer-portal/*<br>
><br>
> *database app:*<br>
> {<br>
> "realm": "cryo198",<br>
> "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",<br>
> "auth-server-url": "<a href="http://localhost:8080/auth" target="_blank">http://localhost:8080/auth</a>",<br>
> "ssl-required": "NONE",<br>
> "resource": "database",<br>
> "bearer-only": "true"<br>
> }<br>
><br>
><br>
><br>
> *web.xml*<br>
> <login-config><br>
> <auth-method>KEYCLOAK</auth-method><br>
> <realm-name>cryo198</realm-name><br>
> </login-config><br>
><br>
> *redirect URI:*<br>
> n/a ... set as bearer only<br>
><br>
> *deployed apps:*<br>
> $ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"<br>
> NAME RUNTIME-NAME ENABLED STATUS<br>
> admin-access.war admin-access.war true OK<br>
> angular-product.war angular-product.war true OK<br>
> auth-server.war auth-server.war true OK<br>
> customer-portal-js.war customer-portal-js.war true OK<br>
> customer-portal.war customer-portal.war true OK<br>
> database.war database.war true OK<br>
> product-portal.war product-portal.war true OK<br>
><br>
><br>
><br>
><br>
><br>
><br>
> *Log:*<br>
> 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp<br>
> 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()<br>
> 2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer<br>
> 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth<br>
> 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null<br>
> 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code<br>
> 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server<br>
> 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp<br>
> 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true<br>
> 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*<br>
> 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY<br>
> 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*<br>
> 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt<br>
> 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie<br>
> 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198<br>
> 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true<br>
> 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false<br>
> 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8<br>
> 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1<br>
> 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8<br>
> 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()<br>
> 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer<br>
> 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth<br>
> 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null<br>
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving<br>
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code<br>
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie<br>
> 2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!<br>
> 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated<br>
> 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.<br>
> 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings<br>
> 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly<br>
> 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.<br>
> 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED<br>
> 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp<br>
> 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()<br>
> 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer<br>
> 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth<br>
> 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active<br>
> 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found<br>
> 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly<br>
> 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached<br>
> 2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp<br>
><br>
><br>
> Many thanks<br>
> W<br>
><br>
><br>
><br>
><br>
> ______________________________<u></u>_________________<br>
> keycloak-user mailing list<br></div></div>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.<u></u>jboss.org</a>><span class=""><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/<u></u>mailman/listinfo/keycloak-user</a><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</span>
<br>
<br>
</blockquote><div class="HOEnZb"><div class="h5">
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</div></div></blockquote></div><br></div>
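An added example, not part of the original thread and not Keycloak's own code: a Python check for the two causes raised in the replies, comparing the roles that the quoted web.xml constraints demand for a path against the realm roles carried in an access token (the adapter log shows "use realm role mappings"). The `realm_access.roles` claim layout, the `make_token` helper and the sample tokens are assumptions constructed for illustration; the token is only decoded, not verified.

```python
import base64
import json
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}
# Constructed sample: the two role constraints from the web.xml quoted in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/customers/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-style match: exact path, or a '/prefix/*' path-prefix mapping."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path

def required_roles(web_xml, path):
    """Roles accepted for `path` (relative to the context root), or None if unconstrained."""
    # Simplification: unions every matching constraint; no best-match precedence.
    roles, covered = set(), False
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        patterns = [p.text.strip() for p in sc.findall(".//j:url-pattern", NS)]
        if any(pattern_matches(p, path) for p in patterns):
            covered = True
            roles |= {r.text.strip() for r in sc.findall("j:auth-constraint/j:role-name", NS)}
    return roles if covered else None

def realm_roles(access_token):
    """Decode (not verify) the JWT payload; the realm_access.roles layout is an assumption."""
    body = access_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return set(claims.get("realm_access", {}).get("roles", []))

def diagnose(web_xml, path, access_token):
    needed = required_roles(web_xml, path)
    if needed is None:
        return "unconstrained"
    granted = realm_roles(access_token)
    if needed & granted:
        return "allowed"
    return "forbidden: needs one of %s, token has %s" % (sorted(needed), sorted(granted))

def make_token(roles):
    """Hypothetical helper: build an unsigned, constructed token for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"realm_access": {"roles": roles}}), "sig"])
```

Pass the path relative to the context root, for example `/customers/view.jsp` for the request shown in the thread's log.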