<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I've traced everything from the proxy server until the
login page is displayed:</p>
<p>First step, /organization/organizations is requested, so the
proxy server knows it has to be forwarded to the 8083 port (the
one for the organization service). That's the first request
received by my application's Tomcat:</p>
<p><font face="Courier New" size="-2">2016-05-30 13:01:18.888 INFO
18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
START TIME =30-may-2016 13:01:18<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 requestURI=/organizations<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 authType=null<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
characterEncoding=UTF-8<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 contentLength=-1<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 contentType=null<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 contextPath=<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=accept-language=es-ES,es;q=0.8<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=x-forwarded-host=mies-057:8765<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=x-forwarded-prefix=/organization<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=upgrade-insecure-requests=1<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=accept-encoding=gzip<br>
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=user-agent=Mozilla/5.0
(Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/50.0.2661.102 Safari/537.36<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=netflix.nfhttpclient.version=1.0<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=x-netflix-httpclientname=organization<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=host=mies-057:8083<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=connection=Keep-Alive<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 locale=es_ES<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 method=GET<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 pathInfo=null<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 protocol=HTTP/1.1<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 queryString=null<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 remoteAddr=192.168.56.1<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 remoteHost=192.168.56.1<br>
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 remoteUser=null<br>
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
requestedSessionId=null<br>
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 scheme=http<br>
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 serverName=mies-057<br>
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 serverPort=8083<br>
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 servletPath=/organizations<br>
2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 isSecure=false<br>
2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
------------------=--------------------------------------------</font></p>
<p>Here x-forwarded-host is mies-057:8765 (the proxy server) and
x-forwarded-prefix is /organization. So the original request is
kept in the headers. Well, now my service (8083) tries to check
for authorization via the /sso/login endpoint from the keycloak
spring security adapter:<br>
</p>
<p><font face="Courier New" size="-2">2016-05-30 13:01:18.892 DEBUG
18096 --- [nio-8083-exec-9]
o.k.a.s.management.HttpSessionManager : Session created:
CDCA7AD4439DE94BD0B3B5803DAA0752<br>
2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login
URI /sso/login<br>
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
------------------=--------------------------------------------<br>
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 authType=null<br>
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 contentType=null<br>
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=X-Content-Type-Options=nosniff<br>
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=X-XSS-Protection=1;
mode=block<br>
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=Cache-Control=no-cache,
no-store, max-age=0, must-revalidate<br>
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=Pragma=no-cache<br>
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=Expires=0<br>
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=X-Frame-Options=DENY<br>
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752;
Path=/; HttpOnly<br>
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=Location=<a class="moz-txt-link-freetext" href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br>
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 remoteUser=null<br>
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 status=302<br>
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
END TIME =30-may-2016 13:01:18<br>
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
===============================================================<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
START TIME =30-may-2016 13:01:18<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 requestURI=/sso/login<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 authType=null<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 characterEncoding=UTF-8<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 contentLength=-1<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 contentType=null<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 contextPath=<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 header=host=mies-057:8083<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 header=connection=keep-alive<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=upgrade-insecure-requests=1<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 header=user-agent=Mozilla/5.0
(Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/50.0.2661.102 Safari/537.36<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 header=accept-encoding=gzip,
deflate, sdch<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=accept-language=es-ES,es;q=0.8<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 locale=es_ES<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 method=GET<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 pathInfo=null<br>
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 protocol=HTTP/1.1<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 queryString=null<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 remoteAddr=192.168.56.1<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 remoteHost=192.168.56.1<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 remoteUser=null<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 scheme=http<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 serverName=mies-057<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 serverPort=8083<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 servletPath=/sso/login<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 isSecure=false<br>
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
------------------=--------------------------------------------<br>
2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.PreAuthActionsHandler : adminRequest
<a class="moz-txt-link-freetext" href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br>
2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Request is to process
authentication<br>
2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak
authentication<br>
2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : --> authenticate()<br>
2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : try bearer<br>
2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : try oauth<br>
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.a.s.token.SpringSecurityTokenStore : Checking if
org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@d328c2d
is cached<br>
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : there was no code<br>
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : redirecting to auth
server<br>
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : callback uri:
<a class="moz-txt-link-freetext" href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br>
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Auth outcome:
NOT_ATTEMPTED<br>
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : Sending redirect to
login page:
<a class="moz-txt-link-freetext" href="http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true">http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true</a></font></p>
<p>As shown in the logs, the X-Forwarded logs are not kept by
the keycloak adapter (look at the lines below <font face="Courier New" size="-2">k.a.s.a.KeycloakAuthenticationEntryPoint :
Redirecting to login URI /sso/login</font>). So could it be that the
proxy server itself is properly configured but the keycloak
adapter is losing the original headers while performing the
redirection?</p>
<p>I've also set up the request dumper in the undertow server as
Niels suggested, but obviously, X-Forwarded headers are not
reaching the keycloak server.</p>
<p>Thanks for your time, again ;-)<br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 25/05/2016 at 7:22, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAeUJxOkFVspZc096Eu+bTedwcpPpv6UnWDQzX6ptChwMQ@mail.gmail.com"
type="cite">
<div dir="ltr">You need the Host and X-Forwarded-For headers to be
included and there's also some config to be done on the Keycloak
server (see <a moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding</a>)</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 24 May 2016 at 08:46, Aritz Maeztu <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:amaeztu@tesicnor.com" target="_blank">amaeztu@tesicnor.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Niels and Scott. First of all, thank you very much
for your help. I'm currently using Zuul (Spring Cloud)
as the reverse proxy. All the services are registered in
a discovery service called Eureka and then Zuul looks
for the service id there and performs the redirection. I
read about <font face="monospace, monospace">X-Forwarded
headers, but I thought it might result in a security
issue if not included, not that it could affect the
redirection process. <br>
</font></p>
<p><font face="monospace, monospace">As Scott says, I
suppose the Host and the X-Real-Ip headers are the
relevant ones here, so I guess I should instruct Zuul
to send them when the service is addressed (however I
wonder why they are not already being sent, as Zuul is
a proxy service, all in all).</font></p>
Here I include a preview of the first redirection made to
the keycloak login page, which shows the request headers
sent to the service /login endpoint (at port 8081 in
localhost):<br>
<br>
<a moz-do-not-send="true"
href="https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0"
target="_blank">https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0</a><br>
<br>
<div>On 24/05/2016 at 2:08, Niels Bertram
wrote:<br>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">Hi Aritz,
<div><br>
</div>
<div>a great way to figure out what is sent from
the reverse proxy to your keycloak server is to
use the undertow request dumper.
<div><br>
</div>
<div>From the jboss-cli just add the request
dumper filter to your undertow configuration
like this:</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">$KC_HOME/bin/jboss-cli.sh
-c</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
module=io.undertow.core)</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">/:reload</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">given
your apache config looks something like
this:</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">
ProxyRequests Off</font></div>
<div><font face="monospace, monospace">
ProxyPreserveHost On</font></div>
<div><font face="monospace, monospace">
ProxyVia On</font></div>
<div><br>
</div>
<div><font face="monospace, monospace">
ProxyPass /auth ajp://127.0.0.1:8009/auth</font></div>
<div><font face="monospace, monospace">
ProxyPassReverse /auth ajp://127.0.0.1:8009/auth</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">you
should see something like that (forwarded
info is somewhat rubbish in this example
as I am running the hosts on Virtualbox -
but you can see this request was put
through 2 proxies from local pc
192.168.33.1 to haproxy on 192.168.33.80
and then apache reverse proxy on
192.168.33.81 ):</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="monospace, monospace">==============================================================</font></div>
<div><font face="monospace, monospace">23:47:20,563
INFO [io.undertow.request.dump] (default
task-14)</font></div>
<div><font face="monospace, monospace">----------------------------REQUEST---------------------------</font></div>
<div><font face="monospace, monospace">
URI=/auth/welcome-content/favicon.ico</font></div>
<div><font face="monospace, monospace"> characterEncoding=null</font></div>
<div><font face="monospace, monospace">
contentLength=-1</font></div>
<div><font face="monospace, monospace">
contentType=null</font></div>
<div><font face="monospace, monospace">
header=Accept=*/*</font></div>
<div><font face="monospace, monospace">
header=Accept-Language=en-US,en;q=0.8,de;q=0.6</font></div>
<div><font face="monospace, monospace">
header=Cache-Control=no-cache</font></div>
<div><font face="monospace, monospace">
header=Accept-Encoding=gzip, deflate,
sdch</font></div>
<div><font face="monospace, monospace">
header=DNT=1</font></div>
<div><font face="monospace, monospace">
header=Pragma=no-cache</font></div>
<div><font face="monospace, monospace">
header=X-Original-To=192.168.33.80</font></div>
<div><font face="monospace, monospace">
header=User-Agent=Mozilla/5.0 (Windows
NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/50.0.2661.102
Safari/537.36</font></div>
<div><font face="monospace, monospace">
header=Authorization=Basic
bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=</font></div>
<div><font face="monospace, monospace">
header=X-Forwarded-Proto=https</font></div>
<div><font face="monospace, monospace">
header=X-Forwarded-Port=443</font></div>
<div><font face="monospace, monospace">
header=X-Forwarded-For=192.168.33.1</font></div>
<div><font face="monospace, monospace">
header=Referer=<a moz-do-not-send="true" href="https://login.vagrant.dev/auth/" target="_blank">https://login.vagrant.dev/auth/</a></font></div>
<div><font face="monospace, monospace">
header=Host=login.vagrant.dev</font></div>
<div><font face="monospace, monospace">
locale=[en_US, en, de]</font></div>
<div><font face="monospace, monospace">
method=GET</font></div>
<div><font face="monospace, monospace">
protocol=HTTP/1.1</font></div>
<div><font face="monospace, monospace">
queryString=</font></div>
<div><font face="monospace, monospace">
remoteAddr=192.168.33.1:0</font></div>
<div><font face="monospace, monospace">
remoteHost=192.168.33.1</font></div>
<div><font face="monospace, monospace">
scheme=https</font></div>
<div><font face="monospace, monospace">
host=login.vagrant.dev</font></div>
<div><font face="monospace, monospace">
serverPort=443</font></div>
<div><font face="monospace, monospace">--------------------------RESPONSE--------------------------</font></div>
<div><font face="monospace, monospace">
contentLength=627</font></div>
<div><font face="monospace, monospace">
contentType=application/octet-stream</font></div>
<div><font face="monospace, monospace">
header=Cache-Control=max-age=2592000</font></div>
<div><font face="monospace, monospace">
header=X-Powered-By=Undertow/1</font></div>
<div><font face="monospace, monospace">
header=Server=WildFly/10</font></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Hope this helps diagnosing your issue.
Niels</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, May 24, 2016 at
1:20 AM, Aritz Maeztu <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:amaeztu@tesicnor.com"
target="_blank">amaeztu@tesicnor.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>I'm using keycloak to secure some
Spring based services (with the keycloak
spring security adapter). The adapter
creates a `/login` endpoint in each of the
services which redirects to the keycloak
login page and then redirects back to the
service when authentication is done. I
also have a proxy service which I want to
publish on port 80 and which will take care
of routing all the requests to each
service. The proxy performs a plain
FORWARD to the service, but the problem
comes when I secure the service with the
keycloak adapter. <br>
</p>
<p>When I make a request, the adapter
redirects to its login endpoint and then
to the keycloak auth url. When keycloak
sends the redirection, the url shown in
the browser is the one from the service
and not the one from the proxy. Do I have
some choice to tell the adapter I want to
redirect back to the first requested url?<span><font
color="#888888"><br>
</font></span></p>
<span><font color="#888888"> <br>
<div>-- <br>
<div>
<table
style="width:600;border-collapse:collapse">
<tbody>
<tr>
<td
style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898">
<span
style="font-weight:bold">Aritz
Maeztu Otaño</span><br>
<span style="font-size:12px">Software
Development Department</span>
</td>
<td
style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898;padding-left:20px">
<a moz-do-not-send="true"
href="https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES"
target="_blank"> <img
src="cid:part9.CC7B5985.A86E4A1B@tesicnor.com"
border="0"> </a> </td>
</tr>
<tr>
<td> <a
moz-do-not-send="true"
href="http://www.tesicnor.com"
target="_blank"> <img
src="cid:part11.10E327B9.3D2CDDFC@tesicnor.com"
border="0" width="143">
</a> </td>
<td style="font-size:12px">
<p style="padding-left:20px">
<span>Pol. Ind. Mocholi.</span>
<span>C/Rio Elorz, Nave
13E </span><span
style="font-weight:bold">31110
Noain (Navarra)</span><br>
<span>Telf.: 948 21 40 40</span>
<br>
<span>Fax.: 948 21 40 41</span>
<br>
</p>
</td>
</tr>
<tr>
<td colspan="2"> <span
style="color:#009900;font-size:12px">Before
printing this e-mail, please consider
whether it is really necessary: the
environment is everyone's
responsibility.</span> </td>
</tr>
</tbody>
</table>
</div>
</div>
</font></span></div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div class="moz-signature">
<table style="cellspadding: 0; width: 600; align: left;
border-collapse: collapse;">
<tbody>
<tr>
<td style="border-bottom-width: 1px; border-bottom-style:
solid; border-bottom-color: #989898;"> <span
style="font-weight:bold">Aritz Maeztu Otaño</span><br>
<span style="font-size: 12px;">Software Development
Department</span> </td>
<td style="border-bottom-width: 1px; border-bottom-style:
solid; border-bottom-color: #989898; padding-left:
20px;"> <a target="_blank"
href="https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES">
<img src="cid:part21.49EFD1CC.4CD797E6@tesicnor.com"
border="0">
<!--<img src="linkdin.gif" border="0" />--> </a> </td>
</tr>
<tr>
<td> <a target="_blank" href="http://www.tesicnor.com"> <img
shrinktofit="true"
src="cid:part23.C17064D7.8591534B@tesicnor.com"
border="0" width="143">
<!--<img shrinktofit="true" src="logo.png" width="143" border="0" />-->
</a> </td>
<td style="font-size: 12px;">
<p style="padding-left: 20px;"> <span>Pol. Ind.
Mocholi.</span> <span>C/Rio Elorz, Nave 13E </span><span
style="font-weight:bold">31110 Noain (Navarra)</span><br>
<span>Telf.: 948 21 40 40</span> <br>
<span>Fax.: 948 21 40 41</span> <br>
</p>
</td>
</tr>
<tr>
<td colspan="2"> <span style="color: #009900;font-size:
12px;">Before printing this e-mail, please consider whether it is
really necessary: the environment is everyone's responsibility.</span>
</td>
</tr>
</tbody>
</table>
</div>
</div>
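<p>An added example, not part of the original thread and not code from Keycloak or Spring: a Python check that reads RequestDumperFilter and adapter log lines like the ones quoted in this message and reports every Location header or redirect_uri that points at the backend authority instead of the one announced in X-Forwarded-Host. The sample log is constructed (condensed from the quoted lines); the function names and the rule of prepending x-forwarded-prefix to the expected URL are assumptions.</p>

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: condensed from the log lines quoted in this message
# (padding collapsed, most attributes dropped, state value shortened).
SAMPLE_LOG = """\
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 requestURI=/organizations
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-forwarded-host=mies-057:8765
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-forwarded-prefix=/organization
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=host=mies-057:8083
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Location=http://mies-057:8083/sso/login
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 status=302
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 requestURI=/sso/login
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=host=mies-057:8083
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : Sending redirect to login page: http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2Fconstructed&login=true
"""

# "thread-name key=value" as written by Tomcat's RequestDumperFilter.
DUMP = re.compile(r"RequestDumperFilter\s*:\s*\S+\s+(\w+)=(.*)$")
# Redirect to the auth server as logged by the Keycloak adapter.
LOGIN = re.compile(r"Sending redirect to login page:\s*(\S+)")


def parse_exchanges(log):
    """Group log lines into one dict per request/response exchange."""
    exchanges = []
    for line in log.splitlines():
        dump = DUMP.search(line)
        login = LOGIN.search(line)
        if dump and dump.group(1) == "requestURI":
            # A requestURI line opens a new exchange.
            exchanges.append({"uri": dump.group(2).strip(),
                              "headers": {}, "login_redirect": None})
        elif dump and exchanges and dump.group(1) == "header":
            # Request and response headers share one map, names lowercased.
            name, _, value = dump.group(2).partition("=")
            exchanges[-1]["headers"][name.strip().lower()] = value.strip()
        elif login and exchanges:
            exchanges[-1]["login_redirect"] = login.group(1)
    return exchanges


def audit_redirects(log):
    """Return (request URI, kind, url, expected) for every redirect target
    that names a backend authority seen behind the proxy."""
    exchanges = parse_exchanges(log)

    # Learn backend authority -> (proxy authority, prefix) from proxied requests.
    backends = {}
    for ex in exchanges:
        h = ex["headers"]
        if "x-forwarded-host" in h and "host" in h:
            backends[h["host"]] = (h["x-forwarded-host"],
                                   h.get("x-forwarded-prefix", ""))

    findings = []
    for ex in exchanges:
        targets = []
        if "location" in ex["headers"]:
            targets.append(("Location", ex["headers"]["location"]))
        if ex["login_redirect"]:
            query = parse_qs(urlsplit(ex["login_redirect"]).query)
            for uri in query.get("redirect_uri", []):
                targets.append(("redirect_uri", uri))
        for kind, url in targets:
            parts = urlsplit(url)
            if parts.netloc in backends:
                proxy_host, prefix = backends[parts.netloc]
                # Assumption: the proxy strips the prefix before forwarding,
                # so the browser-facing URL needs it prepended again.
                expected = f"{parts.scheme}://{proxy_host}{prefix}{parts.path}"
                findings.append((ex["uri"], kind, url, expected))
    return findings


if __name__ == "__main__":
    for uri, kind, url, expected in audit_redirects(SAMPLE_LOG):
        print(f"{uri}: {kind} exposes backend {url}; proxy-facing form would be {expected}")
```

<p>Forwarded headers are client-controlled unless the proxy overwrites them, so a service that builds redirects from them should accept them only on connections coming from the proxy.</p>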
</body>
</html>