Re: [keycloak-dev] resource excludes in web.xml not working in latest master build

Monday, 22 December 2014

Ok, I set up a JIRA.

https://issues.jboss.org/browse/KEYCLOAK-901

I need to look at Jetty/Tomcat to see if authenticate() is called.  BTW, 
I'm not sure why Undertow is calling the authentication mechanism for 
unsecure resources.

On 12/19/2014 11:03 AM, Michael Gerber wrote:
...
 I created today a build from the latest master branch and struggled
with
 the following problem.
 I've got some REST services which are excluded from keycloak, so I can
 access them without a logged in user. (see detail from web.xml)
 The request body in these post rest services were always empty. I found
 out that my wildfly tried to authenticate all requests.
 The tokenStore.saveRequest() method in the OAuthRequestAuthenticator
 class read the inputStream and so it was empty later on.

 I dont understand why all my requests are authenticated, even when they
 are excluded through the web.xml file.
 So, I added the following lines in the ServletKeycloakAuthMech class in
 the authenticate method: (see
 https://github.com/gerbermichi/keycloak/commit/1eaafcd3d9ad4082429ab500a4...)
 if (!deployment.isConfigured() ||
 !securityContext.isAuthenticationRequired()) {
              return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
 }

 This hack solved all my problems. Is this a bug and should i create a
 pull request? Or are there some problems in my project configuration?

 Detail from my web.xml file:
    <security-constraint>
          <web-resource-collection>
              <web-resource-name>Client WS</web-resource-name>
              <url-pattern>/clientws/*</url-pattern>
          </web-resource-collection>
          <web-resource-collection>
              <web-resource-name>Client Exchange WS</web-resource-name>
              <url-pattern>/services/exchange/*</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
      </security-constraint>

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>All</web-resource-name>
              <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>myRole</role-name>
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
      </security-constraint>

      <login-config>
          <auth-method>KEYCLOAK</auth-method>
          <realm-name>myRealm</realm-name>
      </login-config>

      <security-role>
          <role-name>myRole</role-name>
      </security-role> 
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Re: [keycloak-dev] resource excludes in web.xml not working in latest master build