Spring Security annotation problem
by Andrey Saroul
Hello! I'm just a beginner in Spring Security, but I would like to know whether
it is possible to configure Keycloak in a way that I can use @PreAuthorize,
@PostAuthorize, @Secured and other annotations.
For example, I've configured the keycloak-spring-security-adapter and
Spring Security in my simple Spring REST webapp so that I have access to the
Principal object in my controller, like this:

    import java.security.Principal;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class TMSRestController {
        // greeting format string; assumed here, the post elides the rest of the class
        private static final String template = "Hello, %s!";

        // Principal is populated by the Keycloak adapter's filters
        @RequestMapping("/greeting")
        public Greeting greeting(Principal principal,
                                 @RequestParam(value = "name") String name) {
            return new Greeting(String.format(template, name));
        }
        ...
    }
But when I try this (just an example; actually I want to evaluate a custom EL
expression before authorization):

    import java.security.Principal;
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class TMSRestController {
        // greeting format string; assumed here, the post elides the rest of the class
        private static final String template = "Hello, %s!";

        // method security: the expression is evaluated before the method body runs
        @RequestMapping("/greeting")
        @PreAuthorize("hasRole('ADMIN')")
        public Greeting greeting(Principal principal,
                                 @RequestParam(value = "name") String name) {
            return new Greeting(String.format(template, name));
        }
        ...
    }

... I get the exception:

    org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:
    An Authentication object was not found in the SecurityContext
What do I need to make these Spring Security annotations work?
8 years, 3 months
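The exception in the post means the method-security interceptor ran before any Authentication was placed in the SecurityContext, i.e. the annotation machinery is active but the Keycloak adapter has not authenticated the request that reached the controller. The configuration below is an added example, not code from the post or from the Keycloak project: it wires method security (`@EnableGlobalMethodSecurity`) onto the adapter's `KeycloakWebSecurityConfigurerAdapter` so that the `Authentication` the adapter produces is what `@PreAuthorize` reads. The class name `MethodSecurityConfig` and the `/greeting/**` path are assumptions taken from the post's controller.

```java
// Added example (not from the original post or the Keycloak project).
// Enables @PreAuthorize/@PostAuthorize (prePostEnabled) and @Secured (securedEnabled)
// on top of the keycloak-spring-security-adapter's web security configuration.
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class MethodSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Registers the adapter's AuthenticationProvider. It converts the Keycloak token
    // into the Authentication object that the annotations look up in the SecurityContext.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // Required by the adapter: keeps Keycloak sessions in Spring's session registry
    // so that back-channel logout can invalidate them.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // installs the Keycloak authentication filters
        http.authorizeRequests()
            // Every path served by an annotated controller must be covered here.
            // A request that bypasses the Keycloak chain reaches the method interceptor
            // with an empty SecurityContext, which is exactly the exception in the post.
            .antMatchers("/greeting/**").authenticated()
            .anyRequest().permitAll();
    }
}
```

Once the Authentication is present, whether `hasRole('ADMIN')` passes depends on authority naming: the adapter grants the bare Keycloak role name as the authority, while Spring Security 4's `hasRole()` prefixes `ROLE_` and therefore looks for `ROLE_ADMIN`. Either name the Keycloak role `ROLE_ADMIN` or write the expression as `hasAuthority('ADMIN')`, which compares the name as given.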
spring security integration example
by alex orl
Hi to all, I was looking for a complete example of integration of a Spring-secured application with Keycloak SSO. Is it available? Thanks.
8 years, 3 months
Additional Required functionalities
by Satyajit Das
Hi Team,
Can you guys please incorporate the below functionalities in subsequent
releases.
1) Bulk user creation via RESTful services (for a particular realm)
2) Reset password / forgot password functionality for a particular user via
RESTful services.
3) Social network IDs registration and login via RESTful services, e.g. Google
or Facebook registering to Keycloak.
Regards,
Satya.
8 years, 3 months
Ajax login
by Helder dos S. Alves
Hi everybody.
I'm new to Keycloak and I wonder if it is possible to log in via Ajax without
redirecting to a login page.
Maybe anyone has already asked it (and others answered it, I hope), but I
could not find a way to search on older topics.
Thanks in advance.
Helder Alves
8 years, 3 months
Can add-user.sh be used to change the admin user password?
by Paul Blair
I'm running keycloak 1.7.0.Final and tried to use the add-user.sh script to change the admin default password after deployment. The password didn't seem to take.
If I go to the admin console and log in as admin with a password of "admin" I am prompted to change the password.
My understanding was that the purpose of the script was to get away from having an admin user with a default password. Is this not supported yet?
Before trying to change the admin user with the script, I had already brought up the server once and tried to log in as admin. After that I realized I wanted to use the script, and shut everything down before running the script; not sure if that's relevant or not.
8 years, 3 months
"Invalid parameter: redirect_uri"
by Paul Blair
I am using Keycloak with the apiman API manager. Both are on AWS and are behind Elastic Load Balancers (Keycloak is clustered using JDBC_PING). When I request the apiman admin UI page (https://[apimanLoadBalancer]/apimanui), I get redirected to the following URL:
https://[KeycloakLoadBalancer]/auth/realms/apiman/protocol/openid-connect...
Keycloak then displays the error "We're Sorry... Invalid parameter: redirect_uri"
In the Keycloak log I see:
DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-7) replacing relative valid redirect with: https://[KeycloakLoadBalancer]/apimanui/*
WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=apiman, clientId=apimanui, userId=null, ipAddress=[IP], error=invalid_redirect_uri, response_type=code, redirect_uri=https://[apimanLoadBalancer]/apimanui/index.html, response_mode=query
This looks to me as though Keycloak thinks that the redirect URI is a relative path. I also notice that the query string parameters for redirect_uri are not URL encoded by apiman. Would this be the source of the problem?
8 years, 3 months
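The DEBUG line in the post shows the mechanism behind the error: a registered valid redirect that has no scheme and host (such as `/apimanui/*`) is completed with the Keycloak server's own base URL before it is compared with the requested `redirect_uri`, so it can only ever match redirects back to the Keycloak host. The following is an added, simplified model of that comparison written for this page; it is not Keycloak's or apiman's code, the matching rules (exact match, or prefix match for a trailing `*`) are an assumption, and the hostnames are the placeholders from the post.

```java
// Added example (not Keycloak's or apiman's code): a simplified model of how a
// registered "valid redirect" is resolved and matched against a requested redirect_uri.
import java.util.ArrayList;
import java.util.List;

public final class RedirectCheck {

    /** A relative pattern is resolved against the authorization server's own base URL
     *  (this is the "replacing relative valid redirect with: ..." step in the DEBUG line). */
    public static String resolveValidRedirect(String pattern, String authServerBase) {
        if (pattern.startsWith("/")) {
            return authServerBase + pattern;
        }
        return pattern; // absolute patterns are used as registered
    }

    /** Assumed matching rule: exact match, or prefix match when the pattern ends in "*". */
    public static boolean matches(String redirectUri, String resolvedPattern) {
        if (resolvedPattern.endsWith("*")) {
            String prefix = resolvedPattern.substring(0, resolvedPattern.length() - 1);
            return redirectUri.startsWith(prefix);
        }
        return redirectUri.equals(resolvedPattern);
    }

    /** Returns the registered pattern that accepts redirectUri, or null (-> invalid_redirect_uri). */
    public static String firstMatch(String redirectUri, List<String> validRedirects, String authServerBase) {
        for (String pattern : validRedirects) {
            if (matches(redirectUri, resolveValidRedirect(pattern, authServerBase))) {
                return pattern;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String keycloakBase = "https://[KeycloakLoadBalancer]";
        // the redirect_uri from the WARN line in the post
        String requested = "https://[apimanLoadBalancer]/apimanui/index.html";

        // A relative pattern becomes https://[KeycloakLoadBalancer]/apimanui/*,
        // which names the wrong host and so rejects the request.
        List<String> relativeOnly = new ArrayList<>();
        relativeOnly.add("/apimanui/*");
        System.out.println("relative pattern accepts: "
                + (firstMatch(requested, relativeOnly, keycloakBase) != null));

        // An absolute pattern that names the application's own host matches.
        List<String> absolute = new ArrayList<>();
        absolute.add("https://[apimanLoadBalancer]/apimanui/*");
        System.out.println("absolute pattern accepts: "
                + (firstMatch(requested, absolute, keycloakBase) != null));
    }
}
```

From a defender's side the behaviour is desirable: a redirect whitelist that binds each entry to a host is what stops an authorization code from being sent to an attacker-controlled site, which is why the entry has to name the application's public host rather than rely on a relative path.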
Token audience doesn't match domain.
by Thomas Barcia
I have my keycloak 1.6.1-final cluster running behind a Netscaler that terminates the SSL connections, therefore communication from the Netscaler to Keycloak is http but from the Internet to the Netscaler is https. We've managed the rewrites so that logging in works however we're now getting an error that the token audience doesn't match the domain because the issuer is http://keycloakserver but the URL from configuration is https://keycloakserver. Is there a way to make this configuration work? When the error says "URL from configuration" does it mean the java app configuration or the Keycloak configuration?
Thank you.
8 years, 3 months
how to clear server caches...
by Adrian Matei
Hi everyone,
How can I clear the server caches without using the Admin Console? If I add
the following

    "realmCache": {
        "provider": "${keycloak.realm.cache.provider:none}"
    },
    "userCache": {
        "provider": "${keycloak.user.cache.provider:none}"
    }

to keycloak-server.json as mentioned in the documentation, it doesn't work.
The values are not even present "anymore" in the file...
Thanks,
Adrian
8 years, 3 months
Relationship of Groups to Roles?
by Giovanni Baruzzi
I'm very glad about the discussion here about roles and groups, since
granting access to users is the core of access management.
That said, we had been forced to look beyond the group object (or a similar
role object) for managing access entitlements, because these run out of gas at
about 100.000 users and we are targeting millions of users.
We even had to go further on the "role": the current definition describes an
entitlement just with the name of a role (or a group) and we needed
something more.
In the end we came up with a simple concept.
1. The roles are modeled by an attribute in the user object itself. Of
course the attribute is multivalued. This gives us the capability to
retrieve all the needed information with a single LDAP operation. No more
group search or cascading groups, which are cumbersome and time consuming.
2. This attribute contains a structured value of the type
<realm><client><role><parameter>. We are playing with the idea of storing this
in a JSON structure. In the future, given the sensitivity of the access, we
may consider having this signed (like a JWT), to ensure the reliability of the
information.
3. A separate identity management system will take care of managing this
attribute; AMS only has the task of passing the values over to the
application.
We are going to implement that with our own resources, extending Keycloak where
needed, but I would like to share these ideas to have an open discussion on
this.
Further, it would be nice to see some aspects of this implemented in
Keycloak. We may decide to share the code.
Regards,
Giovanni
8 years, 3 months
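The design in Giovanni's points 1 to 3 (a multivalued LDAP attribute whose values carry realm, client, role and parameter, written by one system and consumed by another, possibly signed) is easy to sketch as a consumer that verifies each value before turning it into an authority. The code below is an added example written for this page, not Giovanni's implementation or Keycloak code. The field order `realm/client/role/parameter` is from the post; the colon delimiter, the `payload.signature` layout and HMAC-SHA256 as the signature are assumptions chosen here to show the verification step, and the key and values are constructed for the demo.

```java
// Added example (not Giovanni's code): parsing and verifying a signed, multivalued
// entitlement attribute of the form realm:client:role:parameter.<base64url HMAC>.
// Delimiter, layout and HMAC-SHA256 are assumptions made for this example.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class Entitlements {

    /** One parsed <realm><client><role><parameter> value. */
    public static final class Entitlement {
        public final String realm, client, role, parameter;
        Entitlement(String realm, String client, String role, String parameter) {
            this.realm = realm; this.client = client; this.role = role; this.parameter = parameter;
        }
        @Override public String toString() { return realm + ":" + client + ":" + role + ":" + parameter; }
    }

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** What the identity management system would write into LDAP: "payload.signature". */
    public static String sign(byte[] key, String realm, String client, String role, String parameter)
            throws Exception {
        String payload = String.join(":", realm, client, role, parameter);
        return payload + "." + B64.encodeToString(hmac(key, payload));
    }

    /** Verifies one attribute value and parses it; returns null for tampered or malformed input. */
    public static Entitlement verifyAndParse(byte[] key, String value) throws Exception {
        int dot = value.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = value.substring(0, dot);
        byte[] given;
        try {
            given = B64D.decode(value.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // constant-time comparison of the recomputed and the stored signature
        if (!MessageDigest.isEqual(hmac(key, payload), given)) return null;
        String[] parts = payload.split(":", -1);
        if (parts.length != 4) return null; // a parameter containing ':' is rejected, not guessed
        return new Entitlement(parts[0], parts[1], parts[2], parts[3]);
    }

    /** Authority names for one realm and client, built only from values that verify. */
    public static List<String> authoritiesFor(byte[] key, List<String> attributeValues,
                                              String realm, String client) throws Exception {
        List<String> out = new ArrayList<>();
        for (String v : attributeValues) {
            Entitlement e = verifyAndParse(key, v);
            if (e == null) continue; // a bad value is dropped (and should be logged), never trusted
            if (!e.realm.equals(realm) || !e.client.equals(client)) continue;
            out.add(e.parameter.isEmpty() ? e.role : e.role + "[" + e.parameter + "]");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // constructed demo key and attribute values
        byte[] key = "constructed-demo-key-do-not-reuse".getBytes(StandardCharsets.UTF_8);
        List<String> ldapValues = new ArrayList<>();
        ldapValues.add(sign(key, "tenant1", "billing", "approver", "limit=5000"));
        ldapValues.add(sign(key, "tenant1", "billing", "viewer", ""));
        ldapValues.add(sign(key, "tenant2", "billing", "admin", ""));        // other realm: ignored
        ldapValues.add(ldapValues.get(0).replace("5000", "9999"));            // tampered: rejected
        System.out.println(authoritiesFor(key, ldapValues, "tenant1", "billing"));
    }
}
```

The point of the signature is the one Giovanni raises under "reliability of the information": an LDAP attribute can be written by anything with write access to the entry, so a consumer that reads entitlements from it should be able to tell a value written by the identity management system from one that was altered in between. With a shared HMAC key the consumer can verify but also forge; if the consumer should only be able to verify, an asymmetric signature (as in a signed JWT) is the natural replacement and fits the same layout.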
Get user by username on version 1.7.0
by Kalinga Dissanayake
I have a simple requirement.
I need to check if a user is already present on IDM before allowing the user to register himself. I basically use the admin REST APIs offered by Keycloak for all my user activities.
I was able to do this before 1.6.0, since there was an API to get a user by username. I believe that this has been deprecated (removed completely) and replaced by get user by userId.
Is there any way to fulfill my need in IDM 1.7.0?
Regards,
Kalinga
8 years, 3 months