Hi Artiz,
So just to be clear, which Keycloak adapter are you using? The Spring Boot Adapter or the
Spring Security Adapter?
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
On May 31, 2016, at 3:13 AM, Aritz Maeztu
<amaeztu(a)tesicnor.com> wrote:
I've got some Spring Boot application instances with embeded Tomcat servlet
containers. Tomcat has a similar system to Wildfly for request dumpering, that's what
I have enabled for getting the trace below. In short words that's the behaviour
I'm able to see:
1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service (8083 port) : A forward
request where X-forwarded headers are included
2. Organization Service (localhost:8083) : Looks for a token and if it's not
available, the keycloak adapter redirects to the /sso/login of the same service (Here the
traceability from the proxy gets losts)
3. localhost:8083/sso/login: Redirects to the keycloak wildfly server, saving the
requested url
4. Keycloak login: The user performs the authentication and the redirectUri is
localhost:8083/sso/login. Later on, the login endpoint redirects the user to the url
requested in point 2, not the first one from the proxy.
I only have this problem when my organization service needs to verify the token (or a
token doesn't exist) using the keycloak adapter. When the /sso/login endpoint is not
requested, everything is working properly. Hope I've explained it well!
31/05/2016 7:15(e)an, Stian Thorgersen igorleak idatzi zuen:
> Where is your app deployed? If it's on WildFly you can follow the same steps used
to configure reverse proxy for Keycloak Server to configure WildFly. Check if
getRequestURL returns the correct URL in your app.
>
> On 30 May 2016 at 15:08, Aritz Maeztu <amaeztu(a)tesicnor.com
<mailto:amaeztu@tesicnor.com>> wrote:
>
>
>
>
> -------- Birbidalitako mezua --------
> Gaia: Re: [keycloak-user] Redirection issue with proxy behind keycloak
> Data: Mon, 30 May 2016 13:28:21 +0200
> Nork: Aritz Maeztu <amaeztu(a)tesicnor.com> <mailto:amaeztu@tesicnor.com>
> Nori: stian(a)redhat.com <mailto:stian@redhat.com>
> CC: Niels Bertram <nielsbne(a)gmail.com> <mailto:nielsbne@gmail.com>,
keycloak-user <keycloak-user(a)lists.jboss.org>
<mailto:keycloak-user@lists.jboss.org>, Scott Rossillo
<srossillo(a)smartling.com> <mailto:srossillo@smartling.com>
>
>
> I've done all the traceability from the proxy server till the login page is
displayed:
>
> First step, /organization/organizations is requested, so the proxy server knows it
has to be forwarded to the 8083 port (the one for the organization service). That's
the first request received by my application's Tomcat:
>
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 START TIME
=30-may-2016 13:01:18
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
requestURI=/organizations
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 authType=null
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 characterEncoding=UTF-8
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentLength=-1
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentType=null
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contextPath=
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=accept-language=es-ES,es;q=0.8
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=x-forwarded-host=mies-057:8765
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=x-forwarded-prefix=/organization
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=upgrade-insecure-requests=1
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=accept-encoding=gzip
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/50.0.2661.102 Safari/537.36
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=netflix.nfhttpclient.version=1.0
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=x-netflix-httpclientname=organization
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=host=mies-057:8083
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=connection=Keep-Alive
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 locale=es_ES
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 method=GET
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 pathInfo=null
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
protocol=HTTP/1.1
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 queryString=null
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
remoteAddr=192.168.56.1
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
remoteHost=192.168.56.1
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteUser=null
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 requestedSessionId=null
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 scheme=http
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
serverName=mies-057
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 serverPort=8083
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
servletPath=/organizations
> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 isSecure=false
> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
------------------=--------------------------------------------
>
> Here x-forwarded-host is mies-057:8765 (the proxy server) and x-forwarded-prefix is
/organization. So the original request is kept in the headers. Well, now my service (8083)
tries to check for authorization via the /sso/login endpoint from the keycloak spring
security adapter:
>
> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
o.k.a.s.management.HttpSessionManager : Session created:
CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI /sso/login
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
------------------=--------------------------------------------
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 authType=null
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentType=null
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=X-Content-Type-Options=nosniff
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=X-XSS-Protection=1; mode=block
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=Pragma=no-cache
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=Expires=0
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=X-Frame-Options=DENY
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; Path=/; HttpOnly
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=Location=http://mies-057:8083/sso/login <
http://mies-057:8083/sso/login>
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteUser=null
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 status=302
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 END TIME
=30-may-2016 13:01:18
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
===============================================================
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 START TIME
=30-may-2016 13:01:18
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
requestURI=/sso/login
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 authType=null
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 characterEncoding=UTF-8
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contentLength=-1
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contentType=null
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contextPath=
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=host=mies-057:8083
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=connection=keep-alive
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=upgrade-insecure-requests=1
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/50.0.2661.102 Safari/537.36
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=accept-encoding=gzip, deflate, sdch
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=accept-language=es-ES,es;q=0.8
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 locale=es_ES
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 method=GET
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 pathInfo=null
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
protocol=HTTP/1.1
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 queryString=null
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
remoteAddr=192.168.56.1
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
remoteHost=192.168.56.1
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 remoteUser=null
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 scheme=http
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
serverName=mies-057
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 serverPort=8083
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
servletPath=/sso/login
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 isSecure=false
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
------------------=--------------------------------------------
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.PreAuthActionsHandler : adminRequest
http://mies-057:8083/sso/login
<
http://mies-057:8083/sso/login>
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : --> authenticate()
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : try bearer
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : try oauth
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.a.s.token.SpringSecurityTokenStore : Checking if
org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@d328c2d
is cached
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : there was no code
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : redirecting to auth server
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : callback uri:
http://mies-057:8083/sso/login
<
http://mies-057:8083/sso/login>
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : Sending redirect to login page:
<
http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-conn...
<
http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-conn...
> As it's shown in the logs, the X-forwarded logs are not kept by the keycloak
adapter (look at the lines below k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to
login URI /sso/login). So could it be the proxy server itself being properly configured
but the keycloak adapter losing the original headers while performing the redirection?
>
> I've also set up the request dumper in the undertow server as Niels suggested,
but obviously, X-forwarded headers are not reaching the keycloak server..
>
> Thanks for your time, again ;-)
>
>
>
>
> 25/05/2016 7:22(e)an, Stian Thorgersen igorleak idatzi zuen:
>> You need the Host and X-Forwarded-For headers to be included and there's also
some config to be done on the Keycloak server (see
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
<
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...>)
>>
>> On 24 May 2016 at 08:46, Aritz Maeztu <
<mailto:amaeztu@tesicnor.com>amaeztu@tesicnor.com
<mailto:amaeztu@tesicnor.com>> wrote:
>> Hi Niels and Scott. First of all, thank you very much for your help. I'm
currently using Zuul (Spring Cloud) as the reverse proxy. All the services are registered
in a discovery service called Eureka and then Zuul looks for the service id there and
performs de redirection. I read about X-Forwarded headers, but I thought it might result
in a security issue if not included, not that it could affect the redirection process.
>>
>> As Scott says, I suppose the Host and the X-Real-Ip headers are the relevant ones
here, so I guess I should instruct Zuul to send them when the service is addressed
(however I wonder why they are not already being sent, as Zuul is a proxy service, all in
all).
>>
>> Here I include a preview of the first redirection made to the keycloak login
page, which shows the request headers sent to the service /login endpoint (at port 8081 in
localhost):
>>
>>
https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
<
https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0>
>>
>> 24/05/2016 2:08(e)an, Niels Bertram igorleak idatzi zuen:
>>> Hi Artitz,
>>>
>>> a great way to figure out what is sent from the reverse proxy to your
keycloak server is to use the undertow request dumper.
>>>
>>> From the jboss-cli just add the request dumper filter to your undertow
configuration like this:
>>>
>>> $KC_HOME/bin/jbpss-cli.sh -c
>>>
>>>
/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
module=io.undertow.core)
>>>
>>>
/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>>>
>>> /:reload
>>>
>>> given your apache config looks something like this:
>>>
>>> ProxyRequests Off
>>> ProxyPreserveHost On
>>> ProxyVia On
>>>
>>> ProxyPass /auth ajp://127.0.0.1:8009/auth
<
http://127.0.0.1:8009/auth>
>>> ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
<
http://127.0.0.1:8009/auth>
>>>
>>>
>>> you should see something like that (forwared info is somewhat rubbish in this
example as I am running the hosts on Virtualbox - but you can see this request was put
through 2 proxies from local pc 192.168.33.1 to haproxy on 192.168.33.80 and then apache
reverse proxy on 192.168.33.81 ):
>>>
>>> ==============================================================
>>> 23:47:20,563 INFO [io.undertow.request.dump] (default task-14)
>>> ----------------------------REQUEST---------------------------
>>> URI=/auth/welcome-content/favicon.ico
>>> characterEncoding=null
>>> contentLength=-1
>>> contentType=null
>>> header=Accept=*/*
>>> header=Accept-Language=en-US,en;q=0.8,de;q=0.6
>>> header=Cache-Control=no-cache
>>> header=Accept-Encoding=gzip, deflate, sdch
>>> header=DNT=1
>>> header=Pragma=no-cache
>>> header=X-Original-To=192.168.33.80
>>> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
>>> header=Authorization=Basic
bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
>>> header=X-Forwarded-Proto=https
>>> header=X-Forwarded-Port=443
>>> header=X-Forwarded-For=192.168.33.1
>>> header=Referer=
<
https://login.vagrant.dev/auth/>https://login.vagrant.dev/auth/
<
https://login.vagrant.dev/auth/>
>>> header=Host=login.vagrant.dev
>>> locale=[en_US, en, de]
>>> method=GET
>>> protocol=HTTP/1.1
>>> queryString=
>>> remoteAddr=192.168.33.1:0 <
http://192.168.33.1:0/>
>>> remoteHost=192.168.33.1
>>> scheme=https
>>> host=login.vagrant.dev
>>> serverPort=443
>>> --------------------------RESPONSE--------------------------
>>> contentLength=627
>>> contentType=application/octet-stream
>>> header=Cache-Control=max-age=2592000
>>> header=X-Powered-By=Undertow/1
>>> header=Server=WildFly/10
>>>
>>>
>>> Hope this helps diagnosing your issue. Niels
>>>
>>> On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu <
<mailto:amaeztu@tesicnor.com>amaeztu@tesicnor.com
<mailto:amaeztu@tesicnor.com>> wrote:
>>> I'm using keycloak to securize some Spring based services (with the
keycloak spring security adapter). The adapter creates a `/login` endpoint in each of the
services which redirects to the keycloak login page and then redirects back to the service
when authentication is done. I also have a proxy service which I want to publish in the 80
port and will take care of routing all the requests to each service. The proxy performs a
plain FORWARD to the service, but the problem comes when I securize the service with the
keycloak adapter.
>>>
>>> When I make a request, the adapter redirects to its login endpoint and then
to the keycloak auth url. When keycloak sends the redirection, the url shown in the
browser is the one from the service and not the one from the proxy. Do I have some choice
to tell the adapter I want to redirect back to the first requested url?
>>>
>>>
>>> --
>>> Aritz Maeztu Otaño
>>> Departamento Desarrollo de Software <Mail Attachment.gif>
<
https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>>> <Mail Attachment.png> <
http://www.tesicnor.com/>
>>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>>> Telf.: 948 21 40 40
>>> Fax.: 948 21 40 41
>>>
>>> Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<
https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>>
>>
>> --
>> Aritz Maeztu Otaño
>> Departamento Desarrollo de Software <Mail Attachment.gif>
<
https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>> <Mail Attachment.png> <
http://www.tesicnor.com/>
>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>> Telf.: 948 21 40 40
>> Fax.: 948 21 40 41
>>
>> Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<
https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>
>
> --
> Aritz Maeztu Otaño
> Departamento Desarrollo de Software <Mail Attachment.gif>
<
https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
> <Mail Attachment.png> <
http://www.tesicnor.com/>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Telf.: 948 21 40 40
> Fax.: 948 21 40 41
>
> Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente
es cosa de todos.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<
https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software <linkdin.gif>
<
https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
<logo.png> <
http://www.tesicnor.com/>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf.: 948 21 40 40
Fax.: 948 21 40 41
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es
cosa de todos.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<
https://lists.jboss.org/mailman/listinfo/keycloak-user>