I've pinged Undertow list on why auth mechanisms is invoked for
unsecured resources.
On 12/22/2014 10:32 AM, Bill Burke wrote:
Ok, I set up a JIRA.
https://issues.jboss.org/browse/KEYCLOAK-901
I need to look at Jetty/Tomcat to see if authenticate() is called. BTW,
I'm not sure why Undertow is calling the authentication mechanism for
unsecure resources.
On 12/19/2014 11:03 AM, Michael Gerber wrote:
> I created today a build from the latest master branch and struggled with
> the following problem.
> I've got some REST services which are excluded from keycloak, so I can
> access them without a logged in user. (see detail from web.xml)
> The request body in these post rest services were always empty. I found
> out that my wildfly tried to authenticate all requests.
> The tokenStore.saveRequest() method in the OAuthRequestAuthenticator
> class read the inputStream and so it was empty later on.
>
> I dont understand why all my requests are authenticated, even when they
> are excluded through the web.xml file.
> So, I added the following lines in the ServletKeycloakAuthMech class in
> the authenticate method: (see
>
https://github.com/gerbermichi/keycloak/commit/1eaafcd3d9ad4082429ab500a4...)
> if (!deployment.isConfigured() ||
> !securityContext.isAuthenticationRequired()) {
> return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
> }
>
> This hack solved all my problems. Is this a bug and should i create a
> pull request? Or are there some problems in my project configuration?
>
> Detail from my web.xml file:
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Client WS</web-resource-name>
> <url-pattern>/clientws/*</url-pattern>
> </web-resource-collection>
> <web-resource-collection>
> <web-resource-name>Client Exchange WS</web-resource-name>
> <url-pattern>/services/exchange/*</url-pattern>
> </web-resource-collection>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>All</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>myRole</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>KEYCLOAK</auth-method>
> <realm-name>myRealm</realm-name>
> </login-config>
>
> <security-role>
> <role-name>myRole</role-name>
> </security-role>