You fix one problem but introduce another.
ServletRequest.authenticate() will fail with your fix because of the way
Undertow works. It expects that all auth mechanisms are attempted and
any challenges queued up just in case ServletRequest.authenticate() is
invoked.
Your problem is that posts are eaten on unsecured requests? What I need
to do is to do the request saving in the challenge callback.
On 12/20/2014 8:34 AM, Michael Gerber wrote:
I created a small demo app to show you what I meant:
https://github.com/gerbermichi/keycloak/tree/master/examples/demo-templat...
As you can see, keycloak consumes the post data during the
authentication step, which is wrong, because the resource should be
public (without any authentication)
curl -X POST -H "Content-Type: text/plain" http://localhost:8080/rest-resources/public -d 'hello world'
You said:
My previous bug fix for this problem was wrong, but I think my latest
changes in the RequestAuthenticator class would solve this problem.
You can find all my changes here:
https://github.com/gerbermichi/keycloak/commit/512a68c5fa405567fe56968b5f...
curl -X POST -H "Content-Type: text/plain" http://localhost:8080/rest-resources/public -d 'hello world'
You said: hello world
The only question is how to implement the
protected abstract boolean isAuthenticationRequired();
method correctly in the JettyRequestAuthenticator and CatalinaRequestAuthenticator classes.
> On 19.12.2014 at 17:03, Michael Gerber <gerbermichi(a)me.com> wrote:
>
> Hi all,
>
> Today I created a build from the latest master branch and struggled
> with the following problem.
> I've got some REST services which are excluded from keycloak, so I can
> access them without a logged in user. (see detail from web.xml)
> The request body in these POST REST services was always empty. I
> found out that my WildFly tried to authenticate all requests.
> The tokenStore.saveRequest() method in the OAuthRequestAuthenticator
> class read the inputStream and so it was empty later on.
>
> I don't understand why all my requests are authenticated, even when
> they are excluded through the web.xml file.
> So, I added the following lines in the ServletKeycloakAuthMech class
> in the authenticate method (see
> https://github.com/gerbermichi/keycloak/commit/1eaafcd3d9ad4082429ab500a4...):
>
>     if (!deployment.isConfigured() || !securityContext.isAuthenticationRequired()) {
>         return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
>     }
>
> This hack solved all my problems. Is this a bug and should I create a
> pull request? Or are there some problems in my project configuration?
>
> Detail from my web.xml file:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Client WS</web-resource-name>
>             <url-pattern>/clientws/*</url-pattern>
>         </web-resource-collection>
>         <web-resource-collection>
>             <web-resource-name>Client Exchange WS</web-resource-name>
>             <url-pattern>/services/exchange/*</url-pattern>
>         </web-resource-collection>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>myRole</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
>     <login-config>
>         <auth-method>KEYCLOAK</auth-method>
>         <realm-name>myRealm</realm-name>
>     </login-config>
>
>     <security-role>
>         <role-name>myRole</role-name>
>     </security-role>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
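To make the contract discussed in this thread concrete, here is an added, self-contained Java 9+ model. It is example code written for this page, not Keycloak's or Undertow's own code, and it does not use their APIs: the Request, Mechanism and Outcome types, the dispatch driver and the three mechanism variants are assumptions of the model. It mirrors the two-phase shape Bill describes (every mechanism is attempted, the challenge is sent later if the constraint requires authentication or the servlet calls request.authenticate()) and shows why a save that drains the body belongs in the challenge step. The path /rest-resources/public and the body 'hello world' come from Michael's curl test; /secure is a constructed protected path.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;

// Model (not Keycloak or Undertow code) of "attempt every mechanism, queue the
// challenge, send it only if authentication is actually required".
public class DeferredRequestSaving {

    enum Outcome { AUTHENTICATED, NOT_AUTHENTICATED, NOT_ATTEMPTED }

    /** Stand-in for the servlet request: path, constraint decision, and a read-once body. */
    static final class Request {
        final String path;
        final boolean authRequired;      // what web.xml's <security-constraint> decides
        final InputStream body;
        String savedForReplay;           // what tokenStore.saveRequest() would keep

        Request(String path, boolean authRequired, String body) {
            this.path = path;
            this.authRequired = authRequired;
            this.body = new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8));
        }

        /** Drains the stream; a second call returns "" (this is the whole bug). */
        String readBody() throws IOException {
            return new String(body.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /** Same two-phase shape as an auth mechanism: authenticate first, challenge later. */
    interface Mechanism {
        Outcome authenticate(Request req) throws IOException;
        boolean sendChallenge(Request req) throws IOException;   // true if a challenge went out
    }

    /** Original behaviour: the request is saved (body drained) while authenticating. */
    static final class SaveInAuthenticate implements Mechanism {
        public Outcome authenticate(Request req) throws IOException {
            req.savedForReplay = req.readBody();   // runs on every request, public ones included
            return Outcome.NOT_AUTHENTICATED;      // no token or cookie present in this model
        }
        public boolean sendChallenge(Request req) { return true; }
    }

    /** The isAuthenticationRequired() hack: skip the mechanism on unsecured paths. */
    static final class SkipWhenNotRequired implements Mechanism {
        private boolean attempted;
        public Outcome authenticate(Request req) throws IOException {
            attempted = req.authRequired;
            if (!attempted) return Outcome.NOT_ATTEMPTED;
            req.savedForReplay = req.readBody();
            return Outcome.NOT_AUTHENTICATED;
        }
        public boolean sendChallenge(Request req) { return attempted; }  // nothing queued otherwise
    }

    /** Bill's suggestion: authenticate() looks at headers only; the save happens in the challenge. */
    static final class SaveInChallenge implements Mechanism {
        public Outcome authenticate(Request req) { return Outcome.NOT_AUTHENTICATED; }
        public boolean sendChallenge(Request req) throws IOException {
            req.savedForReplay = req.readBody();   // only when a challenge is really sent
            return true;
        }
    }

    /** Security-context driver: attempt the mechanism, decide about challenging afterwards. */
    static String dispatch(Mechanism m, Request req, boolean servletCallsAuthenticate) throws IOException {
        Outcome outcome = m.authenticate(req);
        if (outcome == Outcome.AUTHENTICATED) return "servlet ran authenticated";
        if (!req.authRequired && !servletCallsAuthenticate) {
            return "servlet saw body '" + req.readBody() + "'";
        }
        // constraint requires auth, or the servlet called request.authenticate(): challenge now
        return m.sendChallenge(req)
                ? "challenged, saved body for replay '" + req.savedForReplay + "'"
                : "no challenge available (mechanism never attempted)";
    }

    public static void main(String[] args) throws IOException {
        List<Mechanism> variants = List.of(new SaveInAuthenticate(), new SkipWhenNotRequired(), new SaveInChallenge());
        for (Mechanism m : variants) {
            System.out.println(m.getClass().getSimpleName());
            System.out.println("  public POST             -> " + dispatch(m, new Request("/rest-resources/public", false, "hello world"), false));
            System.out.println("  protected POST          -> " + dispatch(m, new Request("/secure", true, "hello world"), false));
            System.out.println("  public + authenticate() -> " + dispatch(m, new Request("/rest-resources/public", false, "hello world"), true));
        }
    }
}
```

Run as-is, the first variant reports an empty body on the public POST (the symptom in the thread), the second keeps the body but can produce no challenge when a public servlet calls authenticate() (Bill's objection), and only the third keeps the body on public requests while still saving it for replay whenever a challenge is actually sent.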