<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Scott and all,</p>
<p>I tried removing the Tomcat adapter from my project; it was my
mistake to put it together with the Spring Security one.
Thanks for the link to the question; it was a question I asked on
SO some time ago and your answer worked that time. However, even if I
leave /sso/login unprotected by Spring Security, the same
behaviour happens. So I tried creating a sample scenario from
scratch and I can reproduce the issue. Here it is, three Maven
projects: the service discovery (Eureka), the proxy service (Zuul)
and the sample secured service:</p>
<p><a class="moz-txt-link-freetext" href="https://github.com/xtremebiker/zuul-keycloak-test">https://github.com/xtremebiker/zuul-keycloak-test</a></p>
<p>The keycloak.json file in the secured service should be replaced
by the one for your client, of course. And here is a filter
declaration that can be made in Spring Boot to show the request
dumper for Tomcat:</p>
<p><a class="moz-txt-link-freetext" href="http://stackoverflow.com/questions/23325389/spring-boot-enable-http-requests-logging/37523922#37523922">http://stackoverflow.com/questions/23325389/spring-boot-enable-http-requests-logging/37523922#37523922</a></p>
<p>The steps to reproduce it are:</p>
<p>1- Boot the three projects</p>
<p>2- Wait till the two services are registered in Eureka and
navigate to localhost:8765/secured-service/path</p>
<p>3- After logging in to Keycloak, the port changes to 8083<br>
</p>
<p>I'll continue struggling and see if I can figure it out myself.</p>
<p>Regards<br>
</p>
<br>
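<p>Added example, not part of the original message or of the Keycloak project: a Python check that reads Tomcat RequestDumperFilter and Keycloak adapter log lines like the ones quoted in this thread and flags redirects whose target host differs from the X-Forwarded-Host the proxy sent, which is the point where the browser is sent around the proxy to the backend's own address. The sample lines are constructed from the values in the quoted trace; the function names and the CONSTRUCTED state value are assumptions.</p>

```python
import re
from urllib.parse import parse_qs, urlsplit

# Text after the logger name: "<thread> <key>=<value>" (whitespace collapsed).
DUMPER = re.compile(r"RequestDumperFilter\s*:\s*(\S+)\s+(.*)")
# Debug line written by the Keycloak adapter before it sends the browser away.
LOGIN_REDIRECT = re.compile(r"Sending redirect to login page:\s*(\S+)")


def dump_lines(thread, *fields):
    """Build constructed RequestDumperFilter lines in Spring Boot log layout."""
    prefix = ("2016-05-30 13:01:18.888  INFO 18096 --- [%s] "
              "o.a.c.filters.RequestDumperFilter : %s " % (thread[5:], thread))
    return [prefix + field for field in fields]


# Constructed sample modelled on the trace in this thread (not a real capture).
SAMPLE_LOG = dump_lines(
    "http-nio-8083-exec-9",
    "START TIME =30-may-2016 13:01:18",
    "requestURI=/organizations",
    "header=x-forwarded-host=mies-057:8765",
    "header=x-forwarded-prefix=/organization",
    "header=host=mies-057:8083",
    "------------------=--------------------------------------------",
    "header=Location=http://mies-057:8083/sso/login",
    "status=302",
    "END TIME =30-may-2016 13:01:18",
    "===============================================================",
) + [
    "2016-05-30 13:01:18.905 DEBUG 18096 --- [nio-8083-exec-10] "
    "o.k.adapters.OAuthRequestAuthenticator : Sending redirect to login page: "
    "http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/"
    "openid-connect/auth?response_type=code&client_id=organization"
    "&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin"
    "&state=CONSTRUCTED&login=true",
]


def parse_exchanges(lines):
    """Group dumper lines into request/response exchanges, one per thread run."""
    open_ex, done = {}, []
    for line in lines:
        m = DUMPER.search(line)
        if not m:
            continue
        thread, rest = m.group(1), m.group(2).strip()
        if rest.startswith("START TIME"):
            open_ex[thread] = {"phase": "request", "request": {}, "response": {}}
            continue
        ex = open_ex.get(thread)
        if ex is None:
            continue  # line outside any START/END pair
        if rest.startswith("END TIME"):
            done.append(open_ex.pop(thread))
        elif re.fullmatch(r"-+=-+", rest):
            ex["phase"] = "response"  # dashed rule separates request from response
        elif re.fullmatch(r"=+", rest):
            continue
        elif "=" in rest:
            key, _, value = rest.partition("=")
            if key == "header":
                name, _, value = value.partition("=")
                key = "header:" + name.lower()
            ex[ex["phase"]][key] = value
    return done


def find_proxy_bypass(lines):
    """Return findings where a redirect target is not the proxy's public host."""
    lines = list(lines)
    findings, public_hosts = [], set()
    for ex in parse_exchanges(lines):
        fwd = ex["request"].get("header:x-forwarded-host", "").lower()
        if fwd:
            public_hosts.add(fwd)
        loc = ex["response"].get("header:location")
        status = ex["response"].get("status", "")
        if fwd and loc and status.startswith("3"):
            # A relative Location has no netloc and stays on the proxy origin.
            target = urlsplit(loc).netloc.lower()
            if target and target != fwd:
                findings.append(
                    ("location", ex["request"].get("requestURI"), fwd, target))
    for line in lines:
        m = LOGIN_REDIRECT.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        redirect_uri = query.get("redirect_uri", [""])[0]
        target = urlsplit(redirect_uri).netloc.lower()
        if target and public_hosts and target not in public_hosts:
            findings.append(("redirect_uri", redirect_uri,
                             ",".join(sorted(public_hosts)), target))
    return findings


if __name__ == "__main__":
    for finding in find_proxy_bypass(SAMPLE_LOG):
        print(finding)
```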
<div class="moz-cite-prefix">On 31/05/2016 at 22:56, Scott Rossillo
wrote:<br>
</div>
<blockquote
cite="mid:11921D36-82CD-4B90-8E65-4C3209D5DE52@smartling.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
Hi Aritz,
<div class=""><br class="">
</div>
<div class="">If you’re using the Tomcat adapter and Spring
Security adapter together, they may be interfering with each
other. I’m not saying this is the problem you’re having but I’d
avoid using both adapters together.</div>
<div class=""><br class="">
</div>
<div class="">Please also take a look at this Stack Overflow
answer[0] related to redirect issues. If none of this helps I’ll
try to debug with Eureka and Zuul.</div>
<div class=""><br class="">
</div>
<div class="">[0]: <a moz-do-not-send="true"
href="http://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-index-url-instead-of-to-the-requested-one?answertab=votes#tab-top"
class="">http://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-index-url-instead-of-to-the-requested-one?answertab=votes#tab-top</a></div>
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">Scott
Rossillo</div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">Smartling |
Senior Software Engineer</div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class=""><a
moz-do-not-send="true"
href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
</div>
</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On May 31, 2016, at 4:00 PM, Aritz Maeztu &lt;<a
moz-do-not-send="true"
href="mailto:amaeztu@tesicnor.com" class="">amaeztu@tesicnor.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type" class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<p class="">Hello Scott,</p>
<p class="">I've got the Spring Security and Tomcat
Keycloak adapters both as project dependencies for
each service (as I'm running the services in Tomcat 8
embedded servers). Basically I want to base my
security on Spring Security, that's why I chose this
adapter over the Spring Boot adapter.</p>
<p class="">As the behaviour states, a redirection is
made first to the /sso/login endpoint, then another one
to the keycloak authorization server. The question is,
as a redirection is a mere instruction stated from the
server to the browser, what chances do I have to send
the original x-forwarded headers to the keycloak
authorization server, so that it can make the
redirection to the url requested at the very beginning
(to the reverse proxy)?</p>
<p class="">I could implement a playground scenario for
you if you happen to require it.</p>
<p class="">Many thanks<br class="">
</p>
<br class="">
<div class="moz-cite-prefix">On 31/05/2016 at 20:14,
Scott Rossillo wrote:<br class="">
</div>
<blockquote
cite="mid:D8C74651-F010-49A7-92AF-3A771D68C560@smartling.com"
type="cite" class="">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8" class="">
Hi Aritz,
<div class=""><br class="">
</div>
<div class="">So just to be clear, which Keycloak
adapter are you using? The Spring Boot Adapter or
the Spring Security Adapter?</div>
<div class=""><br class="">
<div class="">
<div style="letter-spacing: normal; orphans: auto;
text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
<div style="font-family: Helvetica; font-size:
12px; font-style: normal;
font-variant-ligatures: normal;
font-variant-position: normal;
font-variant-caps: normal;
font-variant-numeric: normal;
font-variant-alternates: normal;
font-variant-east-asian: normal; font-weight:
normal; letter-spacing: normal; orphans: auto;
text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class="">Scott
Rossillo</div>
<div style="font-family: Helvetica; font-size:
12px; font-style: normal;
font-variant-ligatures: normal;
font-variant-position: normal;
font-variant-caps: normal;
font-variant-numeric: normal;
font-variant-alternates: normal;
font-variant-east-asian: normal; font-weight:
normal; letter-spacing: normal; orphans: auto;
text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class="">Smartling
| Senior Software Engineer</div>
<div style="font-family: Helvetica; font-size:
12px; font-style: normal;
font-variant-ligatures: normal;
font-variant-position: normal;
font-variant-caps: normal;
font-variant-numeric: normal;
font-variant-alternates: normal;
font-variant-east-asian: normal; font-weight:
normal; letter-spacing: normal; orphans: auto;
text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class=""><a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:srossillo@smartling.com">srossillo@smartling.com</a></div>
<div style="font-family: Helvetica; font-size:
12px; font-style: normal;
font-variant-ligatures: normal;
font-variant-position: normal;
font-variant-caps: normal;
font-variant-numeric: normal;
font-variant-alternates: normal;
font-variant-east-asian: normal; font-weight:
normal; letter-spacing: normal; orphans: auto;
text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class=""> </div>
</div>
</div>
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On May 31, 2016, at 3:13 AM, Aritz
Maeztu &lt;<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:amaeztu@tesicnor.com">amaeztu@tesicnor.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<p style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">I've got some Spring Boot
application instances with embedded Tomcat
servlet containers. Tomcat has a similar
system to Wildfly for request dumping,
that's what I have enabled for getting the
trace below. In short, that's the
behaviour I'm able to see:<span
class="Apple-converted-space"> </span><br
class="">
</p>
<p style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">1. Zuul Proxy (Spring Boot in
Tomcat) -> Organization Service (8083
port) : A forward request where X-forwarded
headers are included</p>
<p style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">2. Organization Service
(localhost:8083) : Looks for a token and if
it's not available, the keycloak adapter
redirects to the /sso/login of the same
service (Here the traceability from the
proxy gets lost)</p>
<p style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">3. localhost:8083/sso/login:
Redirects to the keycloak wildfly server,
saving the requested url<span
class="Apple-converted-space"> </span><br
class="">
</p>
<p style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">4. Keycloak login: The user
performs the authentication and the
redirectUri is localhost:8083/sso/login.
Later on, the login endpoint redirects the
user to the url requested in point 2, not
the first one from the proxy.</p>
<p style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">I only have this problem when my
organization service needs to verify the
token (or a token doesn't exist) using the
keycloak adapter. When the /sso/login
endpoint is not requested, everything is
working properly. Hope I've explained it
well!<br class="">
</p>
<br style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">
<div class="moz-cite-prefix"
style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">On 31/05/2016 at
7:15, Stian Thorgersen
wrote:<br class="">
</div>
<blockquote
cite="mid:CAJgngAfQUcz1hJwqkpOgr3j9DCxfxdgc_iA73Coyfc7j1EnLJQ@mail.gmail.com"
type="cite" style="font-family: Helvetica;
font-size: 12px; font-style: normal;
font-variant-caps: normal; font-weight:
normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">
<div dir="ltr" class="">Where is your app
deployed? If it's on WildFly you can
follow the same steps used to configure
reverse proxy for Keycloak Server to
configure WildFly. Check if getRequestURL
returns the correct URL in your app.</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On 30 May 2016 at
15:08, Aritz Maeztu<span
class="Apple-converted-space"> </span><span
dir="ltr" class="">&lt;<a
moz-do-not-send="true"
href="mailto:amaeztu@tesicnor.com"
target="_blank" class="">amaeztu@tesicnor.com</a>&gt;</span><span
class="Apple-converted-space"> </span>wrote:<br
class="">
<blockquote class="gmail_quote"
style="margin: 0px 0px 0px 0.8ex;
border-left-width: 1px;
border-left-color: rgb(204, 204, 204);
border-left-style: solid;
padding-left: 1ex;">
<div bgcolor="#FFFFFF" text="#000000"
class="">
<p class=""><br class="">
</p>
<div class=""><br class="">
<br class="">
-------- Forwarded message
--------
<table class="" border="0"
cellpadding="0" cellspacing="0">
<tbody class="">
<tr class="">
<th class="" align="RIGHT"
nowrap="nowrap"
valign="BASELINE">Subject:</th>
<td class="">Re:
[keycloak-user]
Redirection issue with
proxy behind keycloak</td>
</tr>
<tr class="">
<th class="" align="RIGHT"
nowrap="nowrap"
valign="BASELINE">Date:</th>
<td class="">Mon, 30 May
2016 13:28:21 +0200</td>
</tr>
<tr class="">
<th class="" align="RIGHT"
nowrap="nowrap"
valign="BASELINE">From:</th>
<td class="">Aritz Maeztu<span
class="Apple-converted-space"> </span><a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:amaeztu@tesicnor.com">&lt;amaeztu@tesicnor.com&gt;</a></td>
</tr>
<tr class="">
<th class="" align="RIGHT"
nowrap="nowrap"
valign="BASELINE">To:</th>
<td class=""><a
moz-do-not-send="true"
href="mailto:stian@redhat.com"
target="_blank" class="">stian@redhat.com</a></td>
</tr>
<tr class="">
<th class="" align="RIGHT"
nowrap="nowrap"
valign="BASELINE">CC:</th>
<td class="">Niels Bertram<span
class="Apple-converted-space"> </span><a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:nielsbne@gmail.com">&lt;nielsbne@gmail.com&gt;</a>,
keycloak-user<span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:keycloak-user@lists.jboss.org">&lt;keycloak-user@lists.jboss.org&gt;</a>,
Scott Rossillo<span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:srossillo@smartling.com">&lt;srossillo@smartling.com&gt;</a></td>
</tr>
</tbody>
</table>
<div class="">
<div class="h5"><br class="">
<br class="">
<p class="">I've done all the
traceability from the proxy
server till the login page
is displayed:</p>
<p class="">First step,
/organization/organizations
is requested, so the proxy
server knows it has to be
forwarded to the 8083 port
(the one for the
organization service).
That's the first request
received by my application's
Tomcat:</p>
<p class=""><font class=""
face="Courier New"
size="-2">2016-05-30
13:01:18.888 INFO 18096
--- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-9
START TIME
=30-may-2016 13:01:18<br
class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
requestURI=/organizations<br
class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
authType=null<br class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-9
characterEncoding=UTF-8<br
class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
contentLength=-1<br
class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
contentType=null<br
class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
contextPath=<br class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=accept-language=es-ES,es;q=0.8<br class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=x-forwarded-host=mies-057:8765<br class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=x-forwarded-prefix=/organization<br class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=upgrade-insecure-requests=1<br class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=accept-encoding=gzip<br class="">
2016-05-30 13:01:18.888
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br
class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko)
Chrome/50.0.2661.102
Safari/537.36<br class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=netflix.nfhttpclient.version=1.0<br class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=x-netflix-httpclientname=organization<br class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=host=mies-057:8083<br
class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=connection=Keep-Alive<br class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
locale=es_ES<br class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
method=GET<br class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
pathInfo=null<br class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
protocol=HTTP/1.1<br
class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
queryString=null<br
class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
remoteAddr=192.168.56.1<br
class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
remoteHost=192.168.56.1<br
class="">
2016-05-30 13:01:18.889
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
remoteUser=null<br
class="">
2016-05-30 13:01:18.890
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-9
requestedSessionId=null<br
class="">
2016-05-30 13:01:18.890
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
scheme=http<br class="">
2016-05-30 13:01:18.890
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
serverName=mies-057<br
class="">
2016-05-30 13:01:18.890
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
serverPort=8083<br
class="">
2016-05-30 13:01:18.890
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
servletPath=/organizations<br
class="">
2016-05-30 13:01:18.891
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
isSecure=false<br class="">
2016-05-30 13:01:18.891
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-9
------------------=--------------------------------------------</font></p>
<p class="">Here
x-forwarded-host is
mies-057:8765 (the proxy
server) and
x-forwarded-prefix is
/organization. So the
original request is kept in
the headers. Well, now my
service (8083) tries to
check for authorization via
the /sso/login endpoint from
the keycloak spring security
adapter:<br class="">
</p>
<p class=""><font class=""
face="Courier New"
size="-2">2016-05-30
13:01:18.892 DEBUG 18096
--- [nio-8083-exec-9]
o.k.a.s.management.HttpSessionManager
: Session created:
CDCA7AD4439DE94BD0B3B5803DAA0752<br
class="">
2016-05-30 13:01:18.892
DEBUG 18096 ---
[nio-8083-exec-9]
k.a.s.a.KeycloakAuthenticationEntryPoint
: Redirecting to login URI
/sso/login<br class="">
2016-05-30 13:01:18.892
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-9
------------------=--------------------------------------------<br
class="">
2016-05-30 13:01:18.892
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
authType=null<br class="">
2016-05-30 13:01:18.892
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
contentType=null<br
class="">
2016-05-30 13:01:18.892
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=X-Content-Type-Options=nosniff<br class="">
2016-05-30 13:01:18.892
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=X-XSS-Protection=1;
mode=block<br class="">
2016-05-30 13:01:18.892
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate<br
class="">
2016-05-30 13:01:18.892
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=Pragma=no-cache<br
class="">
2016-05-30 13:01:18.892
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=Expires=0<br
class="">
2016-05-30 13:01:18.893
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=X-Frame-Options=DENY<br class="">
2016-05-30 13:01:18.893
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; Path=/;
HttpOnly<br class="">
2016-05-30 13:01:18.893
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
header=Location=<a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br
class="">
2016-05-30 13:01:18.893
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
remoteUser=null<br
class="">
2016-05-30 13:01:18.893
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-9
status=302<br class="">
2016-05-30 13:01:18.893
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-9 END
TIME =30-may-2016
13:01:18<br class="">
2016-05-30 13:01:18.893
INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-9
===============================================================<br
class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-10
START TIME
=30-may-2016 13:01:18<br
class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
requestURI=/sso/login<br
class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
authType=null<br class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-10
characterEncoding=UTF-8<br
class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
contentLength=-1<br
class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
contentType=null<br
class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
contextPath=<br class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752<br class="">
2016-05-30 13:01:18.902
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
header=host=mies-057:8083<br
class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
header=connection=keep-alive<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br
class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
header=upgrade-insecure-requests=1<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko)
Chrome/50.0.2661.102
Safari/537.36<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
header=accept-encoding=gzip, deflate, sdch<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
header=accept-language=es-ES,es;q=0.8<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
locale=es_ES<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
method=GET<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
pathInfo=null<br class="">
2016-05-30 13:01:18.903
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
protocol=HTTP/1.1<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
queryString=null<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
remoteAddr=192.168.56.1<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
remoteHost=192.168.56.1<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
remoteUser=null<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-10
requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
scheme=http<br class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
serverName=mies-057<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
serverPort=8083<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
servletPath=/sso/login<br
class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
:
http-nio-8083-exec-10
isSecure=false<br class="">
2016-05-30 13:01:18.904
INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter
: http-nio-8083-exec-10
------------------=--------------------------------------------<br
class="">
2016-05-30 13:01:18.904
DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.PreAuthActionsHandler
: adminRequest<span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br
class="">
2016-05-30 13:01:18.904
DEBUG 18096 ---
[io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter
: Request is to process
authentication<br class="">
2016-05-30 13:01:18.904
DEBUG 18096 ---
[io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter
: Attempting Keycloak
authentication<br class="">
2016-05-30 13:01:18.904
TRACE 18096 ---
[io-8083-exec-10]
o.k.adapters.RequestAuthenticator
: --> authenticate()<br
class="">
2016-05-30 13:01:18.904
TRACE 18096 ---
[io-8083-exec-10]
o.k.adapters.RequestAuthenticator
: try bearer<br class="">
2016-05-30 13:01:18.904
TRACE 18096 ---
[io-8083-exec-10]
o.k.adapters.RequestAuthenticator
: try oauth<br class="">
2016-05-30 13:01:18.905
DEBUG 18096 ---
[io-8083-exec-10]
o.k.a.s.token.SpringSecurityTokenStore
: Checking if
org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@d328c2d
is cached<br class="">
2016-05-30 13:01:18.905
DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator
: there was no code<br
class="">
2016-05-30 13:01:18.905
DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator
: redirecting to auth
server<br class="">
2016-05-30 13:01:18.905
DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator
: callback uri:<span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br
class="">
2016-05-30 13:01:18.905
DEBUG 18096 ---
[io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter
: Auth outcome:
NOT_ATTEMPTED<br class="">
2016-05-30 13:01:18.905
DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator
: Sending redirect to
login page:<span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true">http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true</a></font></p>
<p class="">As shown in
the logs, the X-Forwarded
logs are not kept by the
Keycloak adapter (look at
the lines below<span
class="Apple-converted-space"> </span><font
class="" face="Courier New" size="-2">k.a.s.a.KeycloakAuthenticationEntryPoint
: Redirecting to login URI
/sso/login</font>). So
could it be that the proxy server
itself is properly
configured but the Keycloak
adapter is losing the original
headers while performing the
redirection?</p>
<p class="">I've also set up
the request dumper in the
Undertow server as Niels
suggested, but obviously,
X-Forwarded headers are not
reaching the Keycloak
server.</p>
<p class="">Thanks for your
time, again ;-)<br class="">
</p>
<p class=""><br class="">
</p>
<br class="">
<div class="">On 25/05/2016
at 7:22, Stian Thorgersen
wrote:<br
class="">
</div>
<blockquote type="cite"
class="">
<div dir="ltr" class="">You
need the Host and
X-Forwarded-For headers to
be included and there's
also some config to be
done on the Keycloak
server (see <a
moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding"
target="_blank" class="">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding</a>)</div>
<div class="gmail_extra"><br
class="">
<div class="gmail_quote">On
24 May 2016 at 08:46,
Aritz Maeztu<span
class="Apple-converted-space"> </span><span
dir="ltr" class="">&lt;<a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:amaeztu@tesicnor.com">amaeztu@tesicnor.com</a>&gt;</span><span
class="Apple-converted-space"> </span>wrote:<br class="">
<blockquote
class="gmail_quote"
style="margin: 0px 0px
0px 0.8ex;
border-left-width:
1px;
border-left-color:
rgb(204, 204, 204);
border-left-style:
solid; padding-left:
1ex;">
<div bgcolor="#FFFFFF"
text="#000000"
class="">
<p class="">Hi Niels
and Scott. First
of all, thank you
very much for your
help. I'm
currently using
Zuul (Spring
Cloud) as the
reverse proxy. All
the services are
registered in a
discovery service
called Eureka and
then Zuul looks
for the service id
there and performs
the redirection. I
read about<span
class="Apple-converted-space"> </span><font
class=""
face="monospace, monospace">X-Forwarded
headers, but I
thought it might
result in a
security issue
if not included,
not that it
could affect the
redirection
process.<span
class="Apple-converted-space"> </span><br
class="">
</font></p>
<p class=""><font
class=""
face="monospace,
monospace">As
Scott says, I
suppose the Host
and the
X-Real-Ip
headers are the
relevant ones
here, so I guess
I should
instruct Zuul to
send them when
the service is
addressed
(however I
wonder why they
are not already
being sent, as
Zuul is a proxy
service, all in
all).</font></p>
Here I include a
preview of the first
redirection made to
the keycloak login
page, which shows
the request headers
sent to the service
/login endpoint (at
port 8081 in
localhost):<br
class="">
<br class="">
<a
moz-do-not-send="true"
href="https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0"
target="_blank"
class="">https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0</a><br
class="">
<br class="">
<div class="">On 24/05/2016
at 2:08, Niels
Bertram
wrote:<br
class="">
</div>
<div class="">
<div class="">
<blockquote
type="cite"
class="">
<div dir="ltr"
class="">Hi
Aritz,
<div class=""><br
class="">
</div>
<div class="">a
great way to
figure out
what is sent
from the
reverse proxy
to your
keycloak
server is to
use the
undertow
request
dumper.
<div class=""><br
class="">
</div>
<div class="">From
the jboss-cli
just add the
request dumper
filter to your
undertow
configuration
like this:</div>
<div class=""><br
class="">
</div>
<div class="">
<div class=""><font
class=""
face="monospace, monospace">$KC_HOME/bin/jboss-cli.sh
-c</font></div>
<div class=""><font
class=""
face="monospace,
monospace"><br
class="">
</font></div>
<div class=""><font
class=""
face="monospace,
monospace">/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
module=io.undertow.core)</font></div>
<div class=""><font
class=""
face="monospace,
monospace"><br
class="">
</font></div>
<div class=""><font
class=""
face="monospace,
monospace">/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add</font></div>
<div class=""><font
class=""
face="monospace,
monospace"><br
class="">
</font></div>
<div class=""><font
class=""
face="monospace,
monospace">/:reload</font></div>
<div class=""><font
class=""
face="monospace,
monospace"><br
class="">
</font></div>
<div class=""><font
class=""
face="arial,
helvetica,
sans-serif">given
your apache
config looks
something like
this:</font></div>
<div class=""><font
class=""
face="monospace,
monospace"><br
class="">
</font></div>
<div class=""><font
class=""
face="monospace,
monospace"> <span
class="Apple-converted-space"> </span>ProxyRequests Off</font></div>
<div class=""><font
class=""
face="monospace,
monospace"> <span
class="Apple-converted-space"> </span>ProxyPreserveHost On</font></div>
<div class=""><font
class=""
face="monospace,
monospace"> <span
class="Apple-converted-space"> </span>ProxyVia On</font></div>
<div class=""><br
class="">
</div>
<div class=""><font
class=""
face="monospace,
monospace"> <span
class="Apple-converted-space"> </span>ProxyPass /auth ajp://<a
moz-do-not-send="true"
href="http://127.0.0.1:8009/auth" target="_blank" class="">127.0.0.1:8009/auth</a></font></div>
<div class=""><font
class=""
face="monospace,
monospace"> <span
class="Apple-converted-space"> </span>ProxyPassReverse /auth ajp://<a
moz-do-not-send="true"
href="http://127.0.0.1:8009/auth" target="_blank" class="">127.0.0.1:8009/auth</a></font></div>
<div class=""><font
class=""
face="monospace,
monospace"><br
class="">
</font></div>
<div class=""><font
class=""
face="monospace,
monospace"><br
class="">
</font></div>
<div class=""><font
class=""
face="arial, helvetica, sans-serif">you
should see
something like
that (forwarded
info is
somewhat
rubbish in
this example
as I am
running the
hosts on
Virtualbox -
but you can
see this
request was
put through 2
proxies from
local pc
192.168.33.1
to haproxy on
192.168.33.80
and then
apache reverse
proxy on
192.168.33.81):</font></div>
<div class=""><font
class=""
face="arial,
helvetica,
sans-serif"><br
class="">
</font></div>
<div class=""><font
class=""
face="monospace,
monospace">==============================================================</font></div>
<div class=""><font
class=""
face="monospace,
monospace">23:47:20,563
INFO
[io.undertow.request.dump]
(default
task-14)</font></div>
<div class=""><font
class=""
face="monospace,
monospace">----------------------------REQUEST---------------------------</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
URI=/auth/welcome-content/favicon.ico</font></div>
<div class=""><font
class=""
face="monospace,
monospace"> characterEncoding=null</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
contentLength=-1</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
contentType=null</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Accept=*/*</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Accept-Language=en-US,en;q=0.8,de;q=0.6</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Cache-Control=no-cache</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Accept-Encoding=gzip,
deflate, sdch</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=DNT=1</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Pragma=no-cache</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=X-Original-To=192.168.33.80</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=User-Agent=Mozilla/5.0
(Windows NT
6.1; WOW64)
AppleWebKit/537.36
(KHTML, like
Gecko)
Chrome/50.0.2661.102
Safari/537.36</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Authorization=Basic
bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=X-Forwarded-Proto=https</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=X-Forwarded-Port=443</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=X-Forwarded-For=192.168.33.1</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Referer=<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://login.vagrant.dev/auth/">https://login.vagrant.dev/auth/</a></font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Host=login.vagrant.dev</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>locale=[en_US,
en, de]</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>method=GET</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>protocol=HTTP/1.1</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
queryString=</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>remoteAddr=<a
moz-do-not-send="true" href="http://192.168.33.1:0/" target="_blank"
class="">192.168.33.1:0</a></font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>remoteHost=192.168.33.1</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>scheme=https</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>host=login.vagrant.dev</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>serverPort=443</font></div>
<div class=""><font
class=""
face="monospace,
monospace">--------------------------RESPONSE--------------------------</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
contentLength=627</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
contentType=application/octet-stream</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Cache-Control=max-age=2592000</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=X-Powered-By=Undertow/1</font></div>
<div class=""><font
class=""
face="monospace,
monospace">
<span
class="Apple-converted-space"> </span>header=Server=WildFly/10</font></div>
</div>
<div class=""><br
class="">
</div>
<div class=""><br
class="">
</div>
<div class="">Hope
this helps
diagnosing
your issue.
Niels</div>
</div>
</div>
<div
class="gmail_extra"><br
class="">
<div
class="gmail_quote">On
Tue, May 24,
2016 at 1:20
AM, Aritz
Maeztu<span
class="Apple-converted-space"> </span><span
dir="ltr"
class="">&lt;<a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:amaeztu@tesicnor.com">amaeztu@tesicnor.com</a>&gt;</span><span
class="Apple-converted-space"> </span>wrote:<br class="">
<blockquote
class="gmail_quote"
style="margin:
0px 0px 0px
0.8ex;
border-left-width:
1px;
border-left-color:
rgb(204, 204,
204);
border-left-style:
solid;
padding-left:
1ex;">
<div
bgcolor="#FFFFFF"
text="#000000"
class="">
<p class="">I'm
using Keycloak
to secure
some Spring
based services
(with the
Keycloak
Spring
Security
adapter). The
adapter
creates a
`/login`
endpoint in
each of the
services which
redirects to
the Keycloak
login page and
then redirects
back to the
service when
authentication
is done. I
also have a
proxy service
which I want
to publish on
port 80
and which will take
care of
routing all
the requests
to each
service. The
proxy performs
a plain
FORWARD to the
service, but
the problem
comes when I
secure the
service with
the Keycloak
adapter.<span
class="Apple-converted-space"> </span><br class="">
</p>
<p class="">When
I make a
request, the
adapter
redirects to
its login
endpoint and
then to the
keycloak auth
url. When
keycloak sends
the
redirection,
the url shown
in the browser
is the one
from the
service and
not the one
from the
proxy. Do I
have some
choice to tell
the adapter I
want to
redirect back
to the first
requested url?<span
class=""><font
class=""
color="#888888"><br
class="">
</font></span></p>
<span class=""><font
class=""
color="#888888"><br
class="">
<div class="">--<span
class="Apple-converted-space"> </span><br class="">
<div class="">
<table
style="width:
600px;
border-collapse:
collapse;"
class="">
<tbody
class="">
<tr class="">
<td
style="border-bottom-width:
1px;
border-bottom-style:
solid;
border-bottom-color:
rgb(152, 152,
152);"
class=""><span
style="font-weight: bold;" class="">Aritz Maeztu Otaño</span><br
class="">
<span
style="font-size: 12px;"
class="">Software
Development
Department</span></td>
<td
style="border-bottom-width:
1px;
border-bottom-style:
solid;
border-bottom-color:
rgb(152, 152,
152);
padding-left:
20px;"
class=""><a
moz-do-not-send="true"
href="https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES"
target="_blank" class=""><span
id="cid:part19.56DB68FA.497140B7@tesicnor.com"
class=""><Mail
Attachment.gif></span></a></td>
</tr>
<tr class="">
<td class=""><a
moz-do-not-send="true" href="http://www.tesicnor.com/" target="_blank"
class=""><span
id="cid:part21.58E351AA.F2ED0CD9@tesicnor.com" class=""><Mail
Attachment.png></span></a></td>
<td
style="font-size:
12px;"
class="">
<p
style="padding-left:
20px;"
class=""><span
class="">Pol.
Ind. Mocholi.</span><span
class="Apple-converted-space"> </span><span class="">C/Rio Elorz, Nave
13E<span
class="Apple-converted-space"> </span></span><span
style="font-weight: bold;" class="">31110 Noain (Navarra)</span><br
class="">
<span class="">Telf.:
948 21 40 40</span><span
class="Apple-converted-space"> </span><br class="">
<span class="">Fax.:
948 21 40 41</span><span
class="Apple-converted-space"> </span><br class="">
</p>
</td>
</tr>
<tr class="">
<td
colspan="2"
class=""><span
style="color: rgb(0, 153, 0); font-size: 12px;"
class="">Before
printing this e-mail,
think carefully about
whether it is
necessary: the
environment is
everyone's
responsibility.</span></td>
</tr>
</tbody>
</table>
</div>
</div>
</font></span></div>
<br class="">
_______________________________________________<br class="">
keycloak-user
mailing list<br
class="">
<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br
class="">
<a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br
class="">
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br class="">
</div>
</div>
</div>
<br class="">
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br class="">
</div>
</div>
</div>
</div>
<br class="">
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"
class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br class="">
<br class="">
<br class="">
<hr style="border:none; color:#909090;
background-color:#B0B0B0; height: 1px; width: 99%;"
class="">
<table style="border-collapse:collapse;border:none;"
class="">
<tbody class="">
<tr class="">
<td style="border:none;padding:0px 15px 0px 8px"
class=""> <a moz-do-not-send="true"
href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient"
class=""> <img moz-do-not-send="true"
src="http://static.avast.com/emails/avast-mail-stamp.png"
alt="Avast logo" class="" border="0"> </a>
</td>
<td class="">
<p style="color:#3d4d5a;
font-family:"Calibri","Verdana","Arial","Helvetica";
font-size:12pt;" class=""> This e-mail has been
checked for viruses by Avast antivirus
software. <br class="">
<a moz-do-not-send="true"
href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient"
class="">www.avast.com</a> </p>
</td>
</tr>
</tbody>
</table>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br>
<br /><br />
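<p>Added example (not part of the original thread and not Keycloak adapter code): a Python check that reads request-dumper output and the adapter's login redirect quoted in the thread, and reports whether the <code>redirect_uri</code> exposes the backend origin instead of the proxy. The proxy origin <code>http://localhost:8765</code> (from the reproduction steps), the <code>x-forwarded-*</code> sample lines, the trusted-proxy addresses and all function names are assumptions made for this example.</p>

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Adapter log line from the thread ("Sending redirect to login page").
LOGIN_URL = (
    "http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/"
    "openid-connect/auth?response_type=code&client_id=organization"
    "&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin"
    "&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true"
)

# Request-dumper fields the backend logged in the thread (no forwarded headers).
BACKEND_DUMP = """\
serverName=mies-057
serverPort=8083
servletPath=/sso/login
isSecure=false
------------------=--------------------------------------------
"""

# Constructed sample: the same request if the proxy had added forwarding headers.
PROXIED_DUMP = BACKEND_DUMP + """\
header=x-forwarded-proto=http
header=x-forwarded-host=localhost:8765
header=x-forwarded-port=8765
"""


def parse_dump(text):
    """Split dumper lines into (fields, headers); header names are lowercased."""
    fields, headers = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(("-", "=")):
            continue  # separator rows such as '----REQUEST----'
        key, _, value = line.partition("=")
        if key == "header":
            name, _, header_value = value.partition("=")
            headers[name.lower()] = header_value
        else:
            fields[key] = value
    return fields, headers


def origin(scheme, host, port):
    """Render scheme://host[:port], omitting the scheme's default port."""
    port = int(port)
    if DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def effective_origin(fields, headers, remote_addr, trusted_proxies):
    """Origin a backend would use when it builds its own callback URL.

    X-Forwarded-* values are honoured only when the direct peer is a trusted
    proxy; otherwise the connector's own server name and port are used, so a
    client cannot steer the callback by sending these headers itself.
    """
    scheme = "https" if fields.get("isSecure") == "true" else "http"
    host, port = fields["serverName"], fields["serverPort"]
    if remote_addr in trusted_proxies:
        scheme = headers.get("x-forwarded-proto", scheme)
        forwarded_host = headers.get("x-forwarded-host")
        if forwarded_host:
            host, _, host_port = forwarded_host.partition(":")
            port = host_port or DEFAULT_PORTS.get(scheme, port)
        port = headers.get("x-forwarded-port", port)
    return origin(scheme, host, port)


def callback_origin(login_url):
    """Origin of the redirect_uri parameter in the adapter's login redirect."""
    query = parse_qs(urlsplit(login_url).query)
    callback = urlsplit(query["redirect_uri"][0])
    port = callback.port or DEFAULT_PORTS[callback.scheme]
    return origin(callback.scheme, callback.hostname, port)


def diagnose(login_url, public_origin):
    """Report whether the callback points at something other than the proxy."""
    seen = callback_origin(login_url)
    return {"callback_origin": seen, "leaks_backend": seen != public_origin}


if __name__ == "__main__":
    trusted = {"127.0.0.1"}  # assumed address of the proxy as seen by the backend
    print(diagnose(LOGIN_URL, "http://localhost:8765"))
    print(effective_origin(*parse_dump(BACKEND_DUMP), "127.0.0.1", trusted))
    print(effective_origin(*parse_dump(PROXIED_DUMP), "127.0.0.1", trusted))
    print(effective_origin(*parse_dump(PROXIED_DUMP), "10.0.0.9", trusted))
```
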
</body>
</html>