<div dir="ltr">So it&#39;s working now?<div><br></div><div>No auth-constraint = no need to authenticate ;)</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 6 November 2015 at 14:06, Tero Ahonen <span dir="ltr">&lt;<a href="mailto:Tero.Ahonen@cybercom.com" target="_blank">Tero.Ahonen@cybercom.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word">
At first I had
<div><br>
</div>
<div>&lt;security-constraint&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;web-resource-collection&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;web-resource-name&gt;foobar&lt;/web-resource-name&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;url-pattern&gt;/*&lt;/url-pattern&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;http-method&gt;GET&lt;/http-method&gt;<br>
           <span style="white-space:pre-wrap"> </span> &lt;http-method&gt;POST&lt;/http-method&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;/web-resource-collection&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;user-data-constraint&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;/user-data-constraint&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;/security-constraint&gt;</div>
<div><br>
</div>
<div>Then added </div>
<div><br>
</div>
<div>&lt;auth-constraint&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;role-name&gt;*&lt;/role-name&gt;<br>
<span style="white-space:pre-wrap"></span>&lt;/auth-constraint&gt;<br>
<span style="white-space:pre-wrap"></span></div>
<div><br>
</div>
<div>And it started working.</div>
<div><br>
</div>
<div>So without auth-constraint all requests are ok even if the token is not present or valid.</div>
<div><br>
</div>
<div>Br,</div>
<div>Tero</div><div><div class="h5">
<div><br>
</div>
<div><br>
<div><br>
</div>
<div><br>
</div>
<div>
<div>
<blockquote type="cite">
<div>On 06 Nov 2015, at 14:59 PM, Stian Thorgersen &lt;<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt; wrote:</div>
<br>
<div>
<div dir="ltr">Did you put any security constraints on the endpoints?</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 6 November 2015 at 12:36, Tero Ahonen <span dir="ltr">
&lt;<a href="mailto:Tero.Ahonen@cybercom.com" target="_blank">Tero.Ahonen@cybercom.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">Hi,
<div><br>
</div>
<div>I have a REST endpoint running on WildFly 9.</div>
<div><br>
</div>
<div>WildFly and the application are set up to use Keycloak, and requests to the endpoints are intercepted by the Keycloak adapter. But it seems that it is not working. If the auth header is not present, Keycloak just skips authentication and lets all requests through.
 It doesn’t matter whether I use curl or a browser.</div>
<div><br>
</div>
<div>The WildFly logs say (the last line comes from a servlet filter)</div>
<div><br>
</div>
<div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
2015-11-06 13:10:23,962 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-17) adminRequest
<a href="https://localhost:8443/foobar/endpoint" target="_blank">https://localhost:8443/foobar/endpoint</a></div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) --&gt; authenticate()</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) try bearer</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
2015-11-06 13:10:23,969 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-17) NOT_ATTEMPTED: bearer only</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
2015-11-06 13:10:23,970 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-17) AuthenticatedActionsValve.invoke
<a href="https://localhost:8443/foobar/endpoint" target="_blank">https://localhost:8443/foobar/endpoint</a></div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
2015-11-06 13:10:23,970 INFO  [stdout] (default task-17) GET:/foobar/endpoint</div>
</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
<br>
</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
<br>
</div>
<div>If I add an Authorization header like this </div>
<div><br>
</div>
<div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
Authorization: Bearer 123</div>
</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
<br>
</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
I get HTTP/1.1 401 Unauthorized</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
<br>
</div>
<div style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
<div style="margin:0px;line-height:normal">WWW-Authenticate: Bearer realm=&quot;saas-pilot&quot;, error=&quot;invalid_token&quot;, error_description=&quot;Couldn&#39;t parse token&quot;</div>
<div style="margin:0px;line-height:normal"><br>
</div>
<div style="margin:0px;line-height:normal"><br>
</div>
<div style="margin:0px;line-height:normal">Is there something that I don&#39;t understand?</div>
<div style="margin:0px;line-height:normal"><br>
</div>
<div style="margin:0px;line-height:normal">I have tried with the web.xml/keycloak.json and Keycloak subsystem configuration methods, same outcome.</div>
<div style="margin:0px;line-height:normal"><br>
</div>
<div style="margin:0px;line-height:normal">Br,</div>
<div style="margin:0px;line-height:normal">Tero</div>
<div style="margin:0px;line-height:normal"><br>
</div>
<div style="margin:0px;line-height:normal"><br>
</div>
<div style="margin:0px;line-height:normal"><br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div></div></div>

</blockquote></div><br></div>
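<div>An added example, not part of the original thread and not Keycloak or WildFly code: a small Python check that flags <code>security-constraint</code> entries in a web.xml that carry no <code>auth-constraint</code>, the situation resolved above. The function names and the second sample constraint are constructed for illustration; the finding about listed <code>http-method</code> elements goes beyond the thread and reflects that a servlet constraint applies only to the methods it lists.</div>

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's first web.xml fragment (transport guarantee
# only), followed by a hypothetical second constraint that has an auth-constraint.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foobar</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop an XML namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return one finding dict per <security-constraint> in a web.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        texts = lambda name: [(e.text or "").strip() for e in sc.iter() if local(e.tag) == name]
        has_auth = any(local(e.tag) == "auth-constraint" for e in sc.iter())
        roles, methods = texts("role-name"), texts("http-method")
        issues = []
        if not has_auth:
            issues.append("no auth-constraint: no authentication is required")
        if methods:
            issues.append("only %s listed; other methods are not covered by this constraint" % "/".join(methods))
        findings.append({"patterns": texts("url-pattern"), "roles": roles, "issues": issues})
    return findings

for f in audit_web_xml(SAMPLE_WEB_XML):
    print(f["patterns"], f["roles"], f["issues"] or "ok")
```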