You are running all the demo examples? You didn't modify them? You
loaded the appropriate realm.json files, etc.?
On 2/14/2015 9:05 AM, Walter Rice wrote:
I used everything in 1.0.5 .....
On Sat, Feb 14, 2015 at 2:03 PM, Bill Burke <bburke(a)redhat.com> wrote:
Which demo did you build off of?
On 2/14/2015 4:40 AM, Walter Rice wrote:
Hi Bill,
Full scope allowed: ON
I changed this to off then add user and admin roles... same result
I realise it's probably silly mistake on my part! but I just
can't see it...
If I click *customer admin interface* I get the following:
Customer Admin Interface
User *96cfdfd1-ba0d-480a-9a80-18ec830391fe* made this request.
Admin REST To Get Role List of Realm
There was a failure processing request. You either didn't configure
Keycloak properly Status from database service invocation was: 404
/Brian
On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke <bburke(a)redhat.com> wrote:
Go to the admin console. Go to your application definition. Go to
the scope tab. What does it say?
On 2/13/2015 8:04 PM, Walter Rice wrote:
Hi Bill,
Thanks for the reply. I dunno! I followed the video to the letter....
Below is my web.xml for customer-portal. Apologies for noob qn but how
do I check application scope?...
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <module-name>customer-portal</module-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admins</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <!--
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint> -->
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>cryo198</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke <bburke(a)redhat.com> wrote:
You don't have constraints set up correctly in web.xml? You don't have
the appropriate scope for the application set up?
On 2/13/2015 4:47 PM, Walter Rice wrote:
> Hi,
>
> I am trying to set up the demo as per the youtube videos (#1 and #2). I
> am using keycloak 1.0.5. I have set up per the video (I think), however
> things aren't working as expected.
>
> I browse to http://localhost:8080/customer-portal/ and all is fine. I
> click Customer Listing and I am redirected to login page as expected. I
> enter my name/pw , this is successful and then I am redirected back to
> http://localhost:8080/customer-portal/customers/view.jsp but the page is
> 'Forbidden' (redirect uri appears ok here?)
>
> I am using the 'full' version with bundled wildfly server.
>
> *customer app:*
> keycloak file
>
> {
>   "realm": "cryo198",
>   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>   "auth-server-url": "http://localhost:8080/auth",
>   "ssl-required": "external",
>   "resource": "customer-portal",
>   "credentials": {
>     "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
>   }
> }
>
> *web.xml*
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
>   <realm-name>cryo198</realm-name>
> </login-config>
>
> *redirect URI:*
> /customer-portal/*
>
> *database app:*
> {
>   "realm": "cryo198",
>   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>   "auth-server-url": "http://localhost:8080/auth",
>   "ssl-required": "NONE",
>   "resource": "database",
>   "bearer-only": "true"
> }
>
> *web.xml*
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
>   <realm-name>cryo198</realm-name>
> </login-config>
>
> *redirect URI:*
> n./a ..set as bearer only
>
> *deployed apps:*
> $ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"
> NAME                   RUNTIME-NAME           ENABLED STATUS
> admin-access.war       admin-access.war       true    OK
> angular-product.war    angular-product.war    true    OK
> auth-server.war        auth-server.war        true    OK
> customer-portal-js.war customer-portal-js.war true    OK
> customer-portal.war    customer-portal.war    true    OK
> database.war           database.war           true    OK
> product-portal.war     product-portal.war     true    OK
>
> *Log:*
> 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
> 2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
> 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
> 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
> 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
> 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
> 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
> 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
> 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
> 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
> 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
> 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true
> 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
> 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
> 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
> 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
> 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
> 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie
> 2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
> 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
> 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
> 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
> 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
> 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
> 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
> 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
> 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
> 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
> 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
> 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
> 2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp
>
>
> Many thanks
> W
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
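
The two things asked about in this thread, the web.xml role constraints and whether the application's scope lets those roles reach the token, can be compared offline. The sketch below is an added example, not part of the original messages and not Keycloak code: it reads the `auth-constraint` roles that cover a path and checks them against the roles in an access token payload (the log's "use realm role mappings" line means the adapter looks at realm roles). Assumptions: all function names are hypothetical, the tokens are constructed and unsigned, only `/prefix/*` URL patterns are handled, and roles are read from the `realm_access` and `resource_access` claims.

```python
import base64
import json
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the two active constraints from the customer-portal web.xml.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/customers/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def required_roles(web_xml, path):
    """Roles demanded by constraints whose /prefix/* pattern covers the context-relative path."""
    roles = set()
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        for pat in sc.findall(".//j:url-pattern", NS):
            p = pat.text.strip()
            if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1])):
                roles |= {r.text.strip() for r in sc.findall(".//j:role-name", NS)}
    return roles

def token_roles(jwt, resource=None):
    """Realm roles (or one application's roles) in the token payload.
    The signature is NOT checked: offline troubleshooting only, never an access decision."""
    body = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if resource:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))

def diagnose(web_xml, path, jwt, resource=None):
    need, have = required_roles(web_xml, path), token_roles(jwt, resource)
    if not need:
        return "unconstrained"
    if need & have:
        return "allowed"
    return "forbidden: token carries %s, constraint needs one of %s" % (sorted(have), sorted(need))

def make_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none"}), enc(claims))
```

A token that authenticates but carries no matching realm role reproduces the symptom in the thread: login succeeds and the constrained page still returns Forbidden.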