development debugging / deployment
by Jeremy Simon
Hi All,
I'm attempting to write my own User Federation Provider and I'm wonder
for tips on how to manage development deployments of it. I had seen
the registering steps in section 4.2 of the guide (1.7), but I'm
wondering if there are any tricks or ways or methods to continuously
deploy to my local instance as I make code changes to try... you know
ala JRebel or whatever. (I do have JRebel and have done this for
WARs, but not sure to to manage modules...) Is there a way to set that
up, or do I need to stick with making a shell script build, shutdown
web server, copy over the new jar overtop of the registered one, then
restart?
Help is much appreciated! Thanks all!
jeremy
jeremy(a)jeremysimon.com
http://jeremysimon.com
http://vikingcamelstudio.com
8 years, 3 months
Need help configuring security constraints programmatically
by Andrey Saroul
Hello, I'm trying to configure security for simple Spring Rest Webapp and
Keycloak.
I've configured Keycloak server 1.7.0.Final on WildFly 9.0.2 (created
realms, clients, roles, etc.). And it works just fine.
Then I created simple Spring Rest App (boot-less) to test Keycloak security
login. I generated keycloak.json file and put it in my WEB-INF folder.
Then I configured web.xml and Spring dispatcher-servlet.xml. And finally
created annotation driven security config.
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests().antMatchers("/*").hasRole("tms-rest");
}
But when I try to test my web app in browser it does not redirect me to
keycloak login page. I made it work when I configured security-constraint
in web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>tms</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>tms-rest</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>tms-rest</role-name>
</security-role>
It seems to me that Spring isn't picking up my security rules from security
config bean. Is there any suggestion what am I doing wrong?
And how to be able to set config programmatically?
My app source is in attachment.
8 years, 3 months
To LDAP or NOT?
by Christopher Wallace
We are building a new application with RBAC Security Model, we always
attempt to use as much COTs functionality of our technology stack as
possible. We are working with 1.7 version of KEYCLOAK for SSO (Thank you
for this product by the way) We are at a decision point of where to persist
our users, roles and permissions. We considered LDAP, but then with the
introduction of composite roles into KEYCLOAK there was consolidation could
we support users and roles directly in KEYCLOAK and permissions in our
datastore. My question to the group what is the best practice? Is there
value in having the additional LDAP user repository? Most places my
experience is there is both LDAP or AD and SSO I wanted to keep the email
fairly short, but if you have additional questions please feel free.
Thank You!
8 years, 4 months
Viewing users in keycloak
by Frank van Veen
Hi,
The last few weeks I've been working on a federation provider implementation. It runs smoothly so far, but today i ran into the following issue;
I was testing functionality of keycloak and wanted to delete a user. When I pressed the view all users button nothing happened so I pressed it again.
Still nothing so I pressed 20 or so more times. Finally I got an error stating I had too much connections to my user federation endpoint (Error originated from my federated storage).
Every time view all users is pressed five more request are made checking if a user exists in federated storage. If you spam the button, while the connection is rather slow, it breaks.
When the first 5 calls return the information isn't displayed yet. The remaining pending calls are the cause for that.
I was wondering why keycloak has this behavior. It might be a better solution to disable functionality of this button while there are still previous calls pending.
Best regards,
Frank van Veen
8 years, 4 months
Admin Rest API Documentation Issue (1.6.1.Final)
by Lohitha Chiranjeewa
Hi,
Client level role mappings related endpoints are currently misleading
because it gives the feeling that the client-id could be passed instead of
the id-of-client. But that's not the case. Hence please update the
endpoints which has the signature:
...role-mappings/clients/{client}... -->
...role-mappings/clients/{id-of-client}...
8 years, 4 months
Replace use of Infinispan with User Sessions SPI ?
by Niko Köbler
Hi,
in my current project, it’s not wanted to use Infinispan as cache in a cluster.
However, I have to deal with the user session and token information.
And as I can remember, in early versions of Keycloak was an option, to store this information via JPA or MongoDB instead of Infinispan.
Also, I saw there is a User Sessions SPI, and also a User Cache SPI and Realm Cache SPI.
If I implement those SPIs, can I get rid of Infinispan replication in a cluster?
And are there some examples or good starting points? (documentation?)
Regards,
- Niko
8 years, 4 months
Why do I need to include an adapter to work with Spring Security or Spring Boot
by Aritz Maeztu
Even though both Spring Security and Spring Boot happen to support
OpenId and OAuth2, an specific keycloak adapter in needed in order to
configure them to work with the keycloak server. Also in Spring Security
we need to provide the keycloak.json file with the client configuration.
If keycloak supports both standards shouldn't we be able to access it in
a non-coupling way?
Thanks in advance
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf.: 948 21 40 40
Fax.: 948 21 40 41
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
8 years, 4 months
Brute Force Detection and login number of failure
by Notarnicola, Mara
Dear all,
We are using Keycloak 1.5.0 and we are switching to 1.7.0 version.
We have extended the AbstractUsernameFormAuthenticator and implemented our UserFederationProvider.
We currently use the Brute Force Detection to detect user login failures.
We have noted that at the first time the BruteForceProtector initializes UsernameLoginFailureModel in its failure method, so both in the FormAuthenticator and in FederationProvider, the UsernameLoginFailureModel of the current session is null.
Our problem is to disable Brute Force for a set of users, it's now possible to do this?
Thanks for your time
Mara
8 years, 4 months
Getting logged in user through Node API's
by Rushil Agarwal
Hi Team,
I ave implemented Keycloak using npm package "connect-keycloak"
I am not able to find any example or help to fetch in the currently logged
in userid through Node API's.
Any help would be appreciated.
My code snippet:
*App.js*
var memoryStore = new session.MemoryStore();
var routes = require('./routes/index');
var users = require('./routes/users');
app.use( session({
secret: 'aaslkdhlkhsd',
resave: false,
saveUninitialized: true,
store: memoryStore,
} ))
var keycloak = new Keycloak({
store: memoryStore
});
app.use( keycloak.middleware( {
logout: '/logout',
admin: '/',
} ));
*Index.js*
router.get('/',keycloak.protect(),function(req, res, next) {
res.sendfile('pages/index.html',{root:'./public'});
});
--
--
*With best regards :-*
Rushil Agarwal
Mobile: +91 78298 86000
Please don't print this e-mail unless you really need to. SAVE PAPER TO
SAVE TREES
8 years, 4 months
Porting user passwords to keycloak
by Orestis Tsakiridis
Hello,
I'm trying to create some migration scripts that will port users from
Application1 into keycloak. Users in Application1 already have usernames,
passwords etc. I use the admin rest api to create the users.
The problem i'm facing is that user passwords in Application1 database are
already hashed using md5. So, i don't really know the actual passwords
(security wise that makes sense).
The only solution i've come down to is store the password as they are in
keycloak (md5ed) and tell the users to use the hashed value instead of the
plaintext one wieh signing in. Then, force them to reset passwords. Not the
best UX :-(
Is there a way to tell keycloak that "these passwords are already hashed in
md5" so, "store them as they are" and "when a user tries to sign in, first
hash his password with md5 and the compare to the value stored in db" or
sth like that?
Any alternatives come to mind ?
Regards
Orestis
8 years, 4 months
