Arquillian Remote Container / Secured Webroot
by Lauer Markus
Hello,
This problem is not really Keycloak-specific, but maybe someone else
using Keycloak has stumbled over this:
A WAR deployment with context-root "/" has a security-constraint as
follows:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Customers</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
Each access to the application should be restricted.
Now Arquillian deploys its testing deployment also to the same webroot
and as a result the tests cannot be run. (Cannot handle redirect to
Keycloak server.)
Error launching test at
http://0.0.0.0:8080/dd2ff55e-faa7-41fe-b092-8cc14d8ef4ae/ArquillianServle.... Got 302 (Found)
I do not want to blacklist all application paths/resources separately
(so that access to Arquillian's UUID-named deployment would be
possible), because I'm afraid to forget one path.
A solution could be something like getting a token via direct access grant and
injecting it somehow into Arquillian's requests...
How do you handle this?
Regards,
Markus.
________________________________
To read the legal notices for this mail, please copy the URL shown below into your browser or follow the link.
http://disclaimer.tec-saar.de/co-met.htm
8 years, 9 months
Keycloak 1.9.1 Wildfly admin user not created
by Niels Bertram
Hi everyone,
I am trying to set up Wildfly admin console access on the 1.9.1 release
running in standalone mode. Following the keycloak documentation I
used ./bin/add-user -u admin -r master to add a keycloak admin but when I browse to
http://localhost:9990/console I get prompted with a screen that reads:
*WildFly Application Server is running.*
*However you have not yet added any users to be able to access the admin
console.*
*To add a new user execute the add-user.sh script within the bin folder of
your WildFly installation and enter the requested information.*
Looking through the wildfly documentation
https://docs.jboss.org/author/display/WFLY10/add-user+utility and also
comparing the add-user.sh script in the keycloak distro to a normal wildfly
distro it looks like it has been replaced.
How do you create a wildfly admin user with the keycloak distro? Shouldn't
the wildfly admin scripts stay as they are and the keycloak script added
with a different name?
Cheers,
Niels
8 years, 9 months
spring security adapter and single log out
by Anthony Fryer
I've noticed some issues when testing single logout with the spring security adapter.
I set up the admin url for the test application that used the spring security adapter in keycloak and tested logging out from keycloak and it didn't invalidate the session. This is consistent with what I saw in other environments while testing. I did some digging and found that the spring adapter isn't working correctly for single log out in my environments. We're not using spring boot so not sure if that might be a reason why it's not working out of the box.
The issue is with the org.keycloak.adapters.springsecurity.management.HttpSessionManager class. This implements javax.servlet.http.HttpSessionListener to receive events when sessions are created and stores the sessions in a hash map. When you do a logout from keycloak, it sends a POST request to <admin_url>/k_logout. This results in a call to the HttpSessionManager.logoutHttpSessions method with the session id passed in as an argument. This method attempts to lookup the session in the hashmap and call the invalidate() method.
The problem is by default the HttpSessionManager class isn't receiving the session create events. You need to configure it as a listener in web.xml to enable that. But even if you do that it still doesn't work because the servlet container will create an instance of the class, but spring will also create another instance when creating the keycloak beans and this new instance is the one passed into the KeycloakPreAuthActionsFilter constructor. So the instance that is created by the servlet container is the one receiving the session create event and the one used by spring isn't receiving any events but is the one used to do the logoutHttpSessions() call. The spring instance has no sessions in the hashmap, so logoutHttpSessions() does nothing.
The fix is to make a new version of HttpSessionManager that implements org.keycloak.adapters.spi.UserSessionManagement and org.springframework.context.ApplicationListener<ApplicationEvent>, which is a spring interface that receives session create/destroy events. In web.xml you need to register org.springframework.security.web.session.HttpSessionEventPublisher as a listener so spring will receive those events from the servlet container. Then in the spring config, you need the KeycloakPreAuthActionsFilter to be initialized with the new HttpSessionManager instead of the default one.
The HttpSessionManager class that works for me is below...
package my.keycloak;

import java.util.List;
import javax.servlet.http.HttpSession;
import org.keycloak.adapters.spi.UserSessionManagement;
import org.keycloak.adapters.springsecurity.management.LocalSessionManagementStrategy;
import org.keycloak.adapters.springsecurity.management.SessionManagementStrategy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.web.session.HttpSessionCreatedEvent;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

/**
 * Tracks HTTP sessions through Spring's session events (published by
 * HttpSessionEventPublisher) instead of HttpSessionListener, so that the
 * instance wired into KeycloakPreAuthActionsFilter is the one that actually
 * sees the sessions and can invalidate them on k_logout.
 */
public class HttpSessionManager implements UserSessionManagement, ApplicationListener<ApplicationEvent> {

    private static final Logger log = LoggerFactory.getLogger(HttpSessionManager.class);
    private SessionManagementStrategy sessions = new LocalSessionManagementStrategy();

    @Override
    public void logoutAll() {
        log.info("Received request to log out all users.");
        for (HttpSession session : sessions.getAll()) {
            session.invalidate();
        }
        sessions.clear();
    }

    @Override
    public void logoutHttpSessions(List<String> ids) {
        log.info("Received request to log out {} session(s): {}", ids.size(), ids);
        for (String id : ids) {
            HttpSession session = sessions.remove(id);
            if (session != null) {
                session.invalidate();
            }
        }
        // Only the listed sessions are dropped here. Clearing the whole map at this
        // point would forget every other live session and break later single logouts.
    }

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof HttpSessionCreatedEvent) {
            HttpSession session = ((HttpSessionCreatedEvent) event).getSession();
            log.debug("Session created: {}", session.getId());
            sessions.store(session);
        } else if (event instanceof HttpSessionDestroyedEvent) {
            // Also fired for sessions invalidated above; removing twice is harmless.
            HttpSession session = ((HttpSessionDestroyedEvent) event).getSession();
            sessions.remove(session.getId());
            log.debug("Session destroyed: {}", session.getId());
        }
    }
}
The keycloak config changes are below...
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    // Wire the filter with the event-driven session manager instead of the adapter's default one.
    @Bean
    protected KeycloakPreAuthActionsFilter keycloakPreAuthActionsFilter() {
        return new KeycloakPreAuthActionsFilter(springHttpSessionManager());
    }

    @Bean
    protected my.keycloak.HttpSessionManager springHttpSessionManager() {
        return new my.keycloak.HttpSessionManager();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/sso/logout"))
            .and()
            .authorizeRequests()
                .antMatchers("/user*").authenticated()
                .anyRequest().permitAll();
    }
}
and web.xml needs this added to it...
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
After making the above changes, log out from the keycloak admin console works as expected.
Regards,
Anthony Fryer
The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s). There is no warranty that this email is error, virus or defect free. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com
8 years, 9 months
Is there a possibility to stop users changing their passwords too often?
by Kevin Thorpe
A standard practice for login systems is to stop users changing their
passwords too often. Keycloak does not support this as of 1.7.0. Is there a
possibility of adding a timeout to stop too frequent password changes?
Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344
150 Buckingham Palace Road, London, SW1W 9TR, UK
SAVE PAPER - THINK BEFORE YOU PRINT!
____________________________________________________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.
8 years, 9 months
Fwd: Login.ftl converting realm name to upper case why
by Michael Mok
Hi All
I am using Keycloak 1.9.1 and noticed that the realm name displayed in login.ftl
is always uppercase. Can we have the realm name displayed the way it is
entered? E.g. if my realm is called test demo, the login page displays it as TEST
DEMO.
Not sure if there is a flag somewhere to tell keycloak to preserve case in
the realm name?
<#if section = "title">
${msg("loginTitle",(realm.displayName!''))}
<#elseif section = "header">
${msg("loginTitleHtml",(realm.displayNameHtml!''))}
<#elseif section = "form">
Thanks.
8 years, 9 months
OAuth and achieving authorisation across apps - repost
by Simon Gordon
[Repost]
Hey all
I feel compelled to ask another basic question of you, thanks in advance!
Looking at the demos, in a basic OAuth2 scenario, the protected resource
server (let's use the database-server within the demo-templates) is
configured in keycloak.json as:
{
    "realm" : "demo",
    "resource" : "database-service",
    "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
    "auth-server-url": "/auth",
    "bearer-only" : true,
    "ssl-required" : "external"
}
In the web.xml, the database-service is permitting only requests ('/*') to
those clients that have been granted the 'user' role.
In the design, this service is receiving bearer tokens only - so can I
assume that the bearer token has the roles associated with the token
encoded within the bearer token? (Plus the token is signed with the realm
key)
Or is there a back-channel conversation which I can't see in the
configuration, maybe derived from 'auth-server-url'?
Thank you for any thoughts!
Regards,
Simon
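As an added illustration of the point in the question above (this is example code, not the demo's or the Keycloak adapter's own source): a bearer-only resource server needs no back-channel because it verifies the token's signature locally with the `realm-public-key` from keycloak.json and reads the roles from the token's `realm_access` claim, which is what the adapter matches against the `role-name` in web.xml. The class below does the same check with plain JDK crypto and Jackson; the method names and the expected issuer URL are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import com.fasterxml.jackson.databind.ObjectMapper;

public class BearerTokenCheck {

    // "realm-public-key" from the demo keycloak.json above: base64 of an X.509 SubjectPublicKeyInfo.
    static final String DEMO_REALM_PUBLIC_KEY =
        "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB";

    static PublicKey realmKey(String base64Spki) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Spki);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Verifies a Keycloak access token offline and returns its realm roles; throws if it must be rejected. */
    @SuppressWarnings("unchecked")
    static List<String> verifiedRealmRoles(String jwt, PublicKey key, String expectedIssuer) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new SecurityException("not a compact JWS");
        Base64.Decoder b64 = Base64.getUrlDecoder();   // Keycloak emits unpadded base64url segments
        ObjectMapper json = new ObjectMapper();

        // 1. Pin the algorithm before looking at the signature; never let the token choose it.
        Map<String, Object> header = json.readValue(b64.decode(parts[0]), Map.class);
        if (!"RS256".equals(header.get("alg"))) throw new SecurityException("unexpected alg " + header.get("alg"));

        // 2. Signature over "<header>.<payload>" with the realm key: no call to the auth server is needed.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(b64.decode(parts[2]))) throw new SecurityException("signature does not match realm key");

        // 3. Only now trust the claims: issuer (the realm URL), lifetime, then the roles.
        Map<String, Object> claims = json.readValue(b64.decode(parts[1]), Map.class);
        if (!expectedIssuer.equals(claims.get("iss"))) throw new SecurityException("wrong issuer " + claims.get("iss"));
        long exp = ((Number) claims.get("exp")).longValue();
        if (exp <= System.currentTimeMillis() / 1000) throw new SecurityException("token expired");
        Map<String, Object> realmAccess = (Map<String, Object>) claims.get("realm_access");
        if (realmAccess == null || realmAccess.get("roles") == null) return Collections.emptyList();
        return (List<String>) realmAccess.get("roles");
    }
}
```

A caller authorizes a request for the `user` role only if `verifiedRealmRoles(...)` returns without throwing and the list contains `"user"`; with `"use-resource-role-mappings"` set, the adapter reads `resource_access.<client>.roles` instead of `realm_access`.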
8 years, 9 months
Brute Force Detection - Get status of a username in brute force detection
by Andrej Prievalsky
Hi,
I have a question concerning your REST API:
GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
In 1.9.1.Final my setting per realm Demo looks like:
[image: Inline image 1]
I have noticed with this endpoint:
1.) When the user is not created, the answer for this REST call is the same as for a
created user with 0 numFailures:
{
    "numFailures": 0,
    "disabled": false,
    "lastIPFailure": "n/a",
    "lastFailure": 0
}
2.) When Max Login Failures is set to 3 and I enter an incorrect password 2 times and
the correct password the 3rd time, numFailures is not reset by Keycloak:
{
    "numFailures": 2,
    "disabled": false,
    ....
    ....
}
Are these 2 cases correct from your point of view?
Thanks and Best Regards,
Andrej.
8 years, 9 months
issue on user registration
by daniele.capasso@dnshosting.it
Hi, I want to register a user via the Keycloak admin client.
This is the source; it works except for the role. What am I doing wrong?
CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue(model.getPassword());
credential.setTemporary(false);
UserRepresentation userRepresentation = new UserRepresentation();
userRepresentation.setEmail(model.getEmail());
userRepresentation.setFirstName(model.getName());
userRepresentation.setLastName(model.getSurname());
userRepresentation.setUsername(model.getEmail());
userRepresentation.setCredentials(Arrays.asList(credential));
userRepresentation.setEnabled(true);
userRepresentation.setClientRoles(new HashMap<String, List<String>>() {{
    put(kcApi.getKeycloakCurrentClient(), Arrays.asList("ROLE_USER_HOST"));
}});
Response resp = kcApi.createUser(userRepresentation);
thank you
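An added example for the role part of the question above (not the poster's code and not the `kcApi` wrapper): the admin REST create-user call stores the user but does not apply the `clientRoles` map of the representation, so the client-role mapping has to be added in a separate request once the user exists. `keycloak` (an authenticated `org.keycloak.admin.client.Keycloak`), `realmName`, `clientId` (the client's clientId, not its UUID) and `roleName` are assumed parameters.

```java
import java.util.Arrays;
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class UserWithClientRole {

    /** Creates the user, then maps one client role to it; returns the new user's id. */
    static String createUserWithClientRole(Keycloak keycloak, String realmName, UserRepresentation user,
                                           String clientId, String roleName) {
        RealmResource realm = keycloak.realm(realmName);

        Response resp = realm.users().create(user);
        if (resp.getStatus() != 201) {
            // 409 here usually means the username or e-mail is already taken
            throw new IllegalStateException("user creation failed: HTTP " + resp.getStatus());
        }
        // The new user's id is only returned in the Location header of the 201 response.
        String path = resp.getLocation().getPath();
        String userId = path.substring(path.lastIndexOf('/') + 1);

        // Client role mappings are addressed by the client's internal UUID, so resolve it first.
        List<ClientRepresentation> clients = realm.clients().findByClientId(clientId);
        if (clients.isEmpty()) {
            throw new IllegalArgumentException("no client with clientId " + clientId);
        }
        String clientUuid = clients.get(0).getId();
        RoleRepresentation role = realm.clients().get(clientUuid).roles().get(roleName).toRepresentation();

        // Second request: add the mapping under /users/{id}/role-mappings/clients/{clientUuid}.
        realm.users().get(userId).roles().clientLevel(clientUuid).add(Arrays.asList(role));
        return userId;
    }
}
```

The role must already exist on the client (`roles().get(roleName)` fails otherwise); the `setClientRoles(...)` call on the representation can simply be dropped.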
8 years, 9 months
How to detect if user is already logged in?
by Anthony Fryer
Hi All,
We're implementing SSO across multiple applications using keycloak. Some of these applications are traditional java web apps and some are single page javascript apps. For the java web applications, we're using standard flow and we're using the "Spring Security Adapter" to implement this.
One of the use cases we have to support is, when a user goes to the landing page of a web application, the header should show if the user is already logged in or not. When a user has logged in from a different application and then navigates to another application using a bookmark, they're accessing a non protected url. The user wouldn't have an authenticated session with the web application yet, so how can we tell if the user has already logged in from the previous application? They would already have a session with the keycloak server.
It seems this is possible from single page applications using the keycloak javascript adapter with the "check-sso" initialization option, but it is not clear how this can be achieved from a traditional web application using the "Spring Security Adapter". Any suggestions would be appreciated.
Cheers,
Anthony Fryer
8 years, 9 months
Obtain user from Keycloak admin API using LDAP_ID
by Edgar Vonk - Info.nl
Hi,
Since we use MSAD/LDAP as user store the user’s LDAP_ID in Keycloak is for us the unique ID of a user and not Keycloak’s internal user ID.
However it seems that it is not possible to retrieve users based on the LDAP_ID attribute using the Keycloak admin API?
There is:
GET /admin/realms/{realm}/users/{id}
but this uses the internal Keycloak user ID which we cannot use (if only because sometimes we wipe out the Keycloak database and re-import all users from MSAD/LDAP)
and:
GET /admin/realms/{realm}/users
only allows searching on a very limited number of standard user attributes
How should we go about solving this? Does it make sense to create a feature request in JIRA to extend the /users API endpoint to allow searching on arbitrary user attributes for example? Or is it feasible to add our own endpoint to Keycloak’s REST API perhaps?
cheers
8 years, 9 months