Re: [keycloak-user] LDAP Role Mapping after the "memberOf" style (Marek Posolda)
by Giovanni Baruzzi
Marek,
Please see my comments inline.
Giovanni
>
>Message: 2
>Date: Thu, 5 Nov 2015 09:39:21 +0100
>From: Marek Posolda <mposolda(a)redhat.com>
>Subject: Re: [keycloak-user] LDAP Role Mapping after the "memberOf"
> style
>To: Giovanni Baruzzi <giovanni.baruzzi(a)syntlogo.de>,
> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
>Message-ID: <563B15B9.8070207(a)redhat.com>
>Content-Type: text/plain; charset="windows-1252"
>
>Hi,
>
>
>On 04/11/15 19:58, Giovanni Baruzzi wrote:
>> Dear all,
>>
>>
>> at the moment using the LDAP Identity federation we can map a role to
>> the membership to a group.
>>
>> We are using instead of the groupMembership the "memberOf" approach,
>> dedicating an attribute to list the values of the roles owned by the
>> user.
>
>AFAIK memberOf is just a read-only mirror of the "member" attribute, where
>"member" is writable and available on the group (roles) objects while
>memberOf is mirrored on users. At least it works this way on
>Active Directory and some other LDAP servers too. Or doesn't it work on
>your LDAP server and you are not seeing the "member" attribute on groups?
Yes, „memberOf“ is just the group membership seen from the point of
view of the user object.
We resorted to this technique for mainly two reasons:
1) Scalability: the LDAP groups technique gives acceptable results up to
80.000 members. After this threshold the insert times grow
unacceptably.
2) Flexibility: sometimes, to describe a role, you need more than just a
name. For this reason we defined a custom attribute „syUserRole“
containing a case-ignore string, structured as a name and a parameter. One
value of this attribute describes a role.
This very simple approach would allow us to scale the design to 1.000.000
users, our target, because with just one access to the user object you also
get all the needed roles.
Of course it would be nice to map those roles to the Keycloak roles.
I’m going to follow your suggestion and implement a „custom
LDAPFederationMapper“.
I will keep you posted.
Regards,
Giovanni
>
>Our RoleLDAPFederationMapper implementation is using the "member" attribute
>approach because the "member" attribute is writable and it's sufficient to
>achieve all of the CRUD operations on user role mappings.
>
>At this moment, the only case where I can see an advantage of
>"memberOf" is better performance on read-only LDAP servers, as you need
>to query just the user object to receive both its attributes and role
>mappings in a single step. Is this the reason why you want it or do you
>have other reasons?
As said above this is one of the reasons, the other one is to have a
parameter.
>> How would you suggest the implementation of this requirement?
>> Can you imagine a way to implement it using the planned customised
>>filter?
>> Should we go for a custom federation provider?
>There are 2 steps to achieve it.
>
>1) You can use the existing "User attribute" mapper to map the "memberOf"
>attribute to some attribute in the user model. This way "memberOf" will
>be queried from LDAP and saved into the Keycloak DB as part of the user
>record. You can check in the admin console (tab "Attributes" of the user) if
>memberOf was successfully returned.
>
>2) Then you may need to implement a custom LDAPFederationMapper, which
>will return a proxy user object, and override some methods of this
>proxy (getRoleMappings, hasRole, maybe getRealmRoleMappings and
>getClientRoleMappings) to return the roles based on the "memberOf"
>attribute, which is available on the UserModel thanks to the previous step.
>See the existing RoleLDAPFederationMapper for inspiration.
>
>So you don't need a custom federation provider, but just a custom federation
>mapper.
>
>I wonder if we should support "memberOf" in Keycloak OOTB. I am curious
>about your reasons to use it in preference to "member".
>
>Marek
>>
>> thank you for your answers,
>> Giovanni
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/d84c320b/attachment-0001.html
>
>------------------------------
>
>Message: 3
>Date: Thu, 5 Nov 2015 12:38:51 +0100
>From: Stian Thorgersen <sthorger(a)redhat.com>
>Subject: Re: [keycloak-user] Generate offline token
>To: Thomas Raehalme <thomas.raehalme(a)aitiofinland.com>
>Cc: keycloak-user <keycloak-user(a)lists.jboss.org>, Pål Orby
> <orby(a)sendregning.no>
>Message-ID:
> <CAJgngAdN=M+pgtB8WzqBHOKPtjvj_AJiHn4TSa4+bS4jNwrNCg(a)mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>On 3 November 2015 at 09:32, Thomas Raehalme <
>thomas.raehalme(a)aitiofinland.com> wrote:
>
>> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> * Create service account for customers - they can then use this to
>>>obtain
>>> a token (offline or standard refresh) using REST endpoints on Keycloak
>>>
>>
>> Sorry to step in, but could you please explain the use case or the
>> reasoning for offline tokens on service accounts? If I have understood it
>> correctly you'll still need clientId and secret to generate the access
>> token from the offline token. Why not just use them to login whenever
>> necessary? Thanks!
>>
>
>I wouldn't use offline tokens myself, but if you want to provide customers
>with a "token" rather than a service account it should be an offline
>token.
>The problem is that it'll be rather big, not just a short "api key".
>
>
>>
>> Best regards,
>> Thomas
>>
>>
>>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/4f2eecb2/attachment-0001.html
>
>------------------------------
>
>Message: 4
>Date: Thu, 5 Nov 2015 12:42:48 +0100
>From: Stian Thorgersen <sthorger(a)redhat.com>
>Subject: Re: [keycloak-user] Generate offline token
>To: Pål Orby <orby(a)sendregning.no>
>Cc: Thomas Raehalme <thomas.raehalme(a)aitiofinland.com>, keycloak-user
> <keycloak-user(a)lists.jboss.org>
>Message-ID:
> <CAJgngAdRHHsXFkrAvPuT5H9voj=L+dmns9t0aSzt7M4oiusdfA(a)mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>On 3 November 2015 at 19:10, Pål Orby <orby(a)sendregning.no> wrote:
>
>> Ok, so after reading the replies here I understand that it isn't offline
>> tokens I'm looking for.
>>
>> The token I'm looking for is what I would call an "application token".
>>Any
>> plans implementing that?
>>
>
>No, we don't have any plans for that. However, as I suggested, you can
>relatively easily provide that yourself by creating a client with a service
>account for a customer, then create an offline token to send to them. The main
>issue still stands though: an offline token is not just a short "API
>Key", it's a relatively big base64 string.
>
>If you want a short "API Key" you'd need a proxy in front of your services
>that can swap the key for the actual token.
>
>
>>
>> Example:
>> If you enable two factor authentication on GitHub, you can't connect with
>> username/password anymore in the terminal or other third-party applications
>> integrated with GitHub without using an "application token" that you create
>> on your GitHub account page.
>>
>> /Pål
>>
>> *Pål Orby*
>> UNIT4 Agresso AS
>> Programvareingeniør
>> Tlf: 22 58 85 00
>> Mobil: 900 91 705
>>
>> SendRegning - Gjør det enkelt!
>> http://www.sendregning.no
>> http://facebook.com/sendregning
>> http://twitter.com/sendregning
>> http://faktura.no
>>
>> 2015-11-03 13:49 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
>>
>>> On 03/11/15 09:32, Thomas Raehalme wrote:
>>>
>>> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>
>>>> * Create service account for customers - they can then use this to
>>>> obtain a token (offline or standard refresh) using REST endpoints on
>>>> Keycloak
>>>>
>>>
>>> Sorry to step in, but could you please explain the use case or the
>>> reasoning for offline tokens on service accounts? If I have understood it
>>> correctly you'll still need clientId and secret to generate the access
>>> token from the offline token. Why not just use them to login whenever
>>> necessary? Thanks!
>>>
>>> We support offline tokens for service accounts because there is no reason
>>> (bad side effect) not to support it. Or at least I am not aware of any.
>>> Are you? Adding this support came "for free".
>>>
>>> One use case where it can be useful is, for example, if you have an offline
>>> token and you don't know how this offline token was authenticated (whether
>>> it was direct grant, service account or browser). You can send the refresh
>>> token request with this token regardless of the offline token type, as the
>>> refreshToken endpoint is the same for all cases.
>>>
>>> Marek
>>>
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/e47298d7/attachment.html
>
>------------------------------
>
>_______________________________________________
>keycloak-user mailing list
>keycloak-user(a)lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>End of keycloak-user Digest, Vol 23, Issue 17
>*********************************************
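To make the two-step approach discussed above concrete, here is an added example (my code, not Keycloak's and not Giovanni's mapper): it reads a single LDAP user entry and derives the role mapping from both the read-only memberOf DNs and a parameterised role attribute, the way a proxy UserModel's getRoleMappings/hasRole would answer. The user entry is constructed for the example; the "name:parameter" layout of syUserRole with ':' as separator is an assumption, since the post only says a value holds a name and a parameter.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample user entry (not from the post); attribute values are
# lists, as an LDAP client returns them. Both membership styles sit on the
# user object, so one read yields everything.
SAMPLE_USER: Dict[str, List[str]] = {
    "uid": ["gbaruzzi"],
    "memberOf": [
        "cn=Admins,ou=Groups,dc=example,dc=com",
        "cn=Developers,ou=Groups,dc=example,dc=com",
    ],
    # "name:parameter" with ':' as separator is an assumption; the post only
    # says the case-ignore string holds a name and a parameter.
    "syUserRole": [
        "Auditor:Region=EU",
        "ProjectLead:Project=Atlas",
        "auditor:Region=US",   # same role, different case and parameter
        "ReadOnly",            # a role without a parameter
    ],
}


def group_name_from_dn(dn: str) -> Optional[str]:
    """Return the cn of the leading RDN ('Admins' for 'cn=Admins,ou=Groups,...'),
    or None when the DN does not start with a cn= component."""
    first_rdn = dn.split(",", 1)[0].strip()
    key, sep, value = first_rdn.partition("=")
    if sep and key.strip().lower() == "cn" and value.strip():
        return value.strip()
    return None


def parse_sy_user_role(value: str) -> Tuple[str, str]:
    """Split 'name:parameter' into (name, parameter); parameter is '' if absent."""
    name, _, param = value.partition(":")
    return name.strip(), param.strip()


def roles_from_user_entry(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Build the role mapping from ONE read of the user object.

    Keys are role names folded to lower case (the attribute is case-ignore);
    values are the parameters seen for that role, empty for plain group roles.
    """
    roles: Dict[str, List[str]] = {}
    for dn in entry.get("memberOf", []):
        name = group_name_from_dn(dn)
        if name:
            roles.setdefault(name.lower(), [])
    for raw in entry.get("syUserRole", []):
        name, param = parse_sy_user_role(raw)
        if not name:
            continue
        params = roles.setdefault(name.lower(), [])
        if param and param not in params:
            params.append(param)
    return roles


def has_role(entry: Dict[str, List[str]], role: str) -> bool:
    """Case-insensitive membership test, what a proxy UserModel.hasRole would answer."""
    return role.lower() in roles_from_user_entry(entry)


def role_parameters(entry: Dict[str, List[str]], role: str) -> List[str]:
    """Parameters attached to a role, e.g. the regions an auditor may see."""
    return roles_from_user_entry(entry).get(role.lower(), [])
```

Because memberOf is only a mirror of the group's member attribute, a mapper built on this data can answer role queries but cannot grant or revoke roles; writes still have to go to member on the group object, which is why the existing RoleLDAPFederationMapper works on that side.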
9 years, 1 month
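The offline-token discussion quoted in the digest above ends with the suggestion of a proxy that swaps a short API key for the real token. The following added example (my code, not Keycloak's) sketches that proxy in Python: it logs the customer's service account in with the client credentials grant and scope=offline_access, stores the returned offline token under a random key, and later exchanges the key for an access token with the refresh_token grant. The HTTP call is injected as a function so the snippet runs without a server; realm, client id and secret are placeholders.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional

# post(url, form_fields) -> parsed JSON token response. Injected so the example
# runs offline; in production wrap e.g. requests.post(url, data=form).json().
Poster = Callable[[str, Dict[str, str]], Dict[str, str]]


def token_endpoint(auth_server_url: str, realm: str) -> str:
    """Keycloak OpenID Connect token endpoint for a realm."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def offline_token_request(client_id: str, client_secret: str) -> Dict[str, str]:
    """Service-account login (client credentials grant) asking for an offline token."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "offline_access",
    }


def refresh_request(client_id: str, client_secret: str, offline_token: str) -> Dict[str, str]:
    """Exchange the offline token for a fresh access token. The client id and
    secret are still required, which is the objection raised in the thread."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": offline_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }


class ApiKeyProxy:
    """Holds the client secret and the offline tokens; customers only ever see
    a short random key. Keys are stored hashed, so a leaked store does not
    leak usable keys (the offline tokens themselves still need protecting)."""

    def __init__(self, auth_server_url: str, realm: str,
                 client_id: str, client_secret: str, post: Poster) -> None:
        self._endpoint = token_endpoint(auth_server_url, realm)
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = post
        self._store: Dict[str, str] = {}   # sha256(api_key) -> offline token

    @staticmethod
    def _digest(api_key: str) -> str:
        return hashlib.sha256(api_key.encode()).hexdigest()

    def issue_api_key(self) -> str:
        """Log the service account in, keep the offline token, hand out a key."""
        resp = self._post(self._endpoint,
                          offline_token_request(self._client_id, self._client_secret))
        # Keycloak returns the offline token in the refresh_token field.
        offline_token = resp["refresh_token"]
        api_key = secrets.token_urlsafe(24)   # 32 URL-safe characters
        self._store[self._digest(api_key)] = offline_token
        return api_key

    def revoke_api_key(self, api_key: str) -> bool:
        """Forget the key locally; the offline token should also be revoked on the server."""
        return self._store.pop(self._digest(api_key), None) is not None

    def access_token_for(self, api_key: str) -> Optional[str]:
        """Swap a key for an access token; None for unknown or revoked keys."""
        offline_token = self._store.get(self._digest(api_key))
        if offline_token is None:
            return None
        resp = self._post(self._endpoint,
                          refresh_request(self._client_id, self._client_secret, offline_token))
        return resp.get("access_token")
```

What the sketch makes visible is Thomas's point: the refresh request still carries client_id and client_secret, so whoever runs the proxy holds the secret, and the customer's key is only as safe as the proxy's store. Keys are kept hashed; the offline tokens themselves should be encrypted at rest and revoked in Keycloak when a key is retired.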
setting log level
by alex orl
I'm trying to set the log level on Keycloak. Opening the WildFly admin console... or editing the WildFly standalone.xml and adding a new category:
category=my.userfederation.provider level=debug
Nothing happens. My user federation provider is installed as a module. What am I missing? Thanks a lot.
9 years, 1 month
Keycloak redirects me to my index url instead of to the requested one
by Aritz Maeztu
StackOverflow link to the question
<http://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-i...>
I'm using Keycloak server (v 1.5.1) to perform an open-id-connect like
authentication to my service. I've set up a basic web application which
has two urls, the */index.html* one and other one called /hello. I use
Spring security, Spring boot and Spring MVC for all of that. That's my
pom.xml configuration:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.keycloaktes</groupId>
<artifactId>keycloaktes</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.2.7.RELEASE</version>
<relativePath />
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.7</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-security-adapter</artifactId>
<version>1.5.1.Final</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-tomcat8-adapter</artifactId>
<version>1.5.1.Final</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
The issue comes when I go to the /hello URL while not logged in: the
Keycloak login screen shows properly, but instead of redirecting to /hello
after a successful login, it redirects to my /index.html page. That's how
I've configured the security adapter:
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.embedded.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    /**
     * Defines the session authentication strategy.
     */
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    // Registered disabled so Spring Boot does not add the filter a second time
    // outside the security filter chain.
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests().antMatchers("/*").hasRole("ADMIN")
            .anyRequest().permitAll();
        http.csrf().disable();
    }
}
I've tried enabling both the
`KeycloakAuthenticationProcessingFilter` and
`KeycloakPreAuthActionsFilter`, but the result stays the same. Does anybody
know how to solve the issue?
9 years, 1 month
LDAP Role Mapping after the "memberOf" style
by Giovanni Baruzzi
Dear all,
at the moment using the LDAP Identity federation we can map a role to the
membership to a group.
We are using instead of the groupMembership the „memberOf“ approach,
dedicating an attribute to list the values of the roles owned by the user.
How would you suggest the implementation of this requirement?
Can you imagine a way to implement it using the planned customised filter?
Should we go for a custom federation provider?
thank you for your answers,
Giovanni
9 years, 1 month
Keycloak Mysql
by Chen Keong Yap
Hi Guys,
Have you encountered this error before when using MySQL to store Keycloak data?
- JDK 1.8
- mysql-connector-java-5.1.25.jar
- MYSQL 5.6.23-log
- Keycloak.json
"connectionsJpa": {
"default": {
"dataSource": "java:jboss/datasources/KeycloakDS",
"databaseSchema": "update",
"driverDialect" : "org.hibernate.dialect.MySQL5InnoDBDialect"
}
},
- logs
04:23:26,251 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 56) SQL Error: 1064, SQLState: 42000
04:23:26,251 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 56) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) order by persistent0_.USER_SESSION_ID' at line 1
04:23:26,267 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/auth]] (ServerService Thread Pool -- 56) JBWEB000289: Servlet Keycloak REST Interface threw load() exception: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) order by persistent0_.USER_SESSION_ID' at line 1
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.8.0_65]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [rt.jar:1.8.0_65]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.8.0_65]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) [rt.jar:1.8.0_65]
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:411)
    at com.mysql.jdbc.Util.getInstance(Util.java:386)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1054)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:4187)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:4119)
    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2570)
    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2731)
    at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2815)
    at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2155)
    at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2322)
    at org.jboss.jca.adapters.jdbc.CachedPreparedStatement.executeQuery(CachedPreparedStatement.java:107)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:462)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:79) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.getResultSet(Loader.java:2062) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1859) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1838) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.doQuery(Loader.java:906) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:348) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.doList(Loader.java:2550) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.doList(Loader.java:2536) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2366) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.list(Loader.java:2361) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:495) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:357) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:198) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1230) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.internal.QueryImpl.list(QueryImpl.java:101) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.ejb.QueryImpl.getResultList(QueryImpl.java:268) [hibernate-entitymanager-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
9 years, 1 month
Ldap sync
by Fadi Abdin
I have set up my Keycloak with a read-only LDAP User Federation Provider and
set it up to sync periodically, but for some reason some users are not
syncing, not all users, only some.
I tried to trigger the sync with the "Synchronize all users" but no luck.
The only way it worked was by completely removing the provider and adding it
again, which is not a great solution. Has anyone seen this? Is there a
way to fix it?
Thanks
9 years, 1 month
Invalid URI redirect using j_security_check
by Victor Neves Evangelista
Original question https://issues.jboss.org/browse/KEYCLOAK-2029
Hi,
I'm studying how to integrate my applications with Keycloak with minor impact.
I'm using JBoss EAP 6.3.0; I installed the Keycloak adapters as the reference guide says in chapter 8, and Keycloak 1.6.0.
#1 I have a form html:
<form class="form-signin" id="loginform" action="j_security_check" method="POST" >
<label for="inputUsernamel" class="sr-only">Usuário</label>
<input name="j_username" type="text" id="usuario" class="form-control" placeholder="Usuario" required autofocus >
<label for="inputPassword" class="sr-only">Senha</label>
<input name="j_password" type="password" id="senha" class="form-control" placeholder="Senha" required >
<button class="btn btn-lg btn-primary btn-block" type="submit" id="btnLogin" >Acessar</button>
</form>
#2 In my web.xml i have <auth-method>KEYCLOAK</auth-method>
#3 I have WEB-INF/keycloak.json like reference says.
#4 my client is configured like image attached
#5 When I send a user and password in the HTML form I get:
We're sorry ...
Invalid parameter: redirect_uri
#6 the Keycloak log says:
12:14:26,904 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name cd7390sx006
12:14:33,270 DEBUG [org.jboss.resteasy.core.SynchronousDispatcher] (default task-24) PathInfo: /realms/laboratorio/protocol/openid-connect/auth
12:14:33,273 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-24) replacing relative valid redirect with: /sisduweb/
12:14:33,273 WARN [org.keycloak.events] (default task-24) type=LOGIN_ERROR, realmId=laboratorio, clientId=sisdu, userId=null, ipAddress=10.208.20.97, error=invalid_redirect_uri, response_type=code, redirect_uri=http://10.208.20.97:8080/sisduweb/j_security_check*
12:14:33,274 DEBUG [freemarker.cache] (default task-24) TemplateLoader.findTemplateSource("template_pt_BR.ftl"): Not found
12:14:33,274 DEBUG [freemarker.cache] (default task-24) TemplateLoader.findTemplateSource("template_pt.ftl"): Not found
12:14:33,274 DEBUG [freemarker.cache] (default task-24) TemplateLoader.findTemplateSource("template.ftl"): Found
12:14:33,275 DEBUG [freemarker.cache] (default task-24) "template.ftl"("pt_BR", UTF-8, parsed): using cached since file:/opt/kc/keycloak-1.6.0.Final/standalone/configuration/themes/base/login/template.ftl hasn't changed.
12:14:33,277 DEBUG [freemarker.cache] (default task-24) "template.ftl"("pt_BR", UTF-8, parsed) cached copy not yet stale; using cached.
12:14:33,280 DEBUG [freemarker.cache] (default task-24) "template.ftl"("pt_BR", UTF-8, parsed) cached copy not yet stale; using cached.
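The log line "replacing relative valid redirect with: /sisduweb/" followed by error=invalid_redirect_uri shows the adapter asking for redirect_uri=http://10.208.20.97:8080/sisduweb/j_security_check while the client's Valid Redirect URIs only allow /sisduweb/ exactly. The following added example (my code, not Keycloak's RedirectUtils) re-implements the matching rule in Python so the two configurations can be compared offline: relative entries are resolved against a root URL (passed in explicitly here, which is an assumption about where the base comes from), an entry ending in '*' matches by prefix, anything else must match exactly.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Values taken from the log lines in the post above.
ROOT_URL = "http://10.208.20.97:8080"
LOGGED_REDIRECT_URI = "http://10.208.20.97:8080/sisduweb/j_security_check"


def resolve_valid_redirect(valid: str, root_url: str) -> str:
    """A relative entry ('/sisduweb/') is resolved against the application root;
    this is the step the log reports as 'replacing relative valid redirect with'."""
    if valid.startswith("/"):
        return root_url.rstrip("/") + valid
    return valid


def redirect_uri_allowed(redirect_uri: str, valid_redirects: Iterable[str],
                         root_url: str) -> bool:
    """Simplified matching rule: an entry ending in '*' matches by prefix, any
    other entry must match exactly. Keycloak's own check does more (hostname
    normalisation and so on); only the rule that matters here is kept."""
    for valid in valid_redirects:
        pattern = resolve_valid_redirect(valid, root_url)
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def context_scoped_wildcard(redirect_uri: str) -> str:
    """Narrowest relative wildcard covering the app's context path, e.g.
    '/sisduweb/*' for '.../sisduweb/j_security_check'. Prefer this to a bare
    '*', which accepts any URL on any host as the code receiver."""
    path = urlsplit(redirect_uri).path
    segments = [s for s in path.split("/") if s]
    return f"/{segments[0]}/*" if segments else "/*"


def diagnose(redirect_uri: str, valid_redirects: Iterable[str], root_url: str) -> str:
    """Reproduce the decision the server logged for a given configuration."""
    if redirect_uri_allowed(redirect_uri, valid_redirects, root_url):
        return "ok"
    return "invalid_redirect_uri"
```

A context-scoped wildcard such as /sisduweb/* accepts the j_security_check URL and still pins the host, whereas a bare * accepts any URL on any host and lets an attacker-chosen redirect receive the authorization code.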
9 years, 1 month
Issue with Tomcat 8 adapter ?
by harsh mahey
Hi guys,
Has anyone faced any issue with the Tomcat 8 adapters?
For some reason I am not getting the Keycloak login screen on my web app. Here is my
scenario:
1. Latest version of Keycloak runs on WildFly
2. A war runs on Tomcat. I put all the jar files under the tomcat/lib dir. Below
are the keycloak.json and my web.xml file which go under my WEB-INF
3. When I log in, I directly get my webapp page and it does not redirect
me to the Keycloak login page.
4. My webapp is built using AngularJS
keycloak.json
********************
{
"realm": "SnrAppsRealm",
"realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutb9hlKhbZvIm6RDPPFFpR1RcNAt/NpzCWemJOveG1Ve5eu2AwPKwmqvkhTaMWUW990BFPIkBRPv13Grt9AVTMTgU10IeK/PM9CGN05eFr6S3KMSSTskpszIN3opiRQ5r8/eCYjC4Bk6qFkbtrlp6ORvUkLS7nMLwVLh9JDo2Fx9nWd+l1oLq1YpYMYeLDcaOAW/vdjYSfyLueu2wESjY9oSEs8x43ZyIhNKGRmW3oDXYL8X5guiqalZD5gbhWv6v3WpeTqdi0sLv4GI2B3oSG76Z/x2On/Sc2r3szfM8kUllyV7K8uYoMgD7DFVOZX5g6Bi6xntzkJHwLMJtW4UPwIDAQAB",
"auth-server-url": "http://xxxxx.com:9322/auth",
"ssl-required": "none",
"resource": "snrapps-web",
"credentials": {
"secret": "dda19c87-efee-4c33-a1b3-8b64ad545s0f"
},
"use-resource-role-mappings": true
}
*****************************
web.xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<module-name>snrapps-web</module-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>/snrapps-web</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
***************
META-INF/context.xml
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/snrapps-web">
<Valve className=
"org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
</Context>
***********
9 years, 1 month