Hmm, interesting indeed. I did the test; the ignoring stuff works as long as no
token is added... I wonder if this is working as designed or if it is
actually a bug.
On Fri, May 26, 2017 at 8:48 AM, Hylton Peimer <hylton.peimer(a)datos-health.com> wrote:
Unfortunately that didn't work.
I've implemented a hack which is something like overriding the
KeycloakAuthenticationProcessingFilter and returning an
AnonymousAuthenticationToken if the particular path is requested.
Maybe there's a more elegant way.
protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
    KeycloakAuthenticationProcessingFilter filter =
            new KeycloakAuthenticationProcessingFilter(this.authenticationManagerBean()) {
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                throws AuthenticationException, IOException, ServletException {
            // Short-circuit the Keycloak filter for the refresh endpoint so an
            // expired bearer token sent by old mobile clients does not block it.
            if (request.getServletPath().equals("/mobile/api/refresh")) {
                logger.error("Mobile device sent expired bearer token for /mobile/api/refresh request");
                return new AnonymousAuthenticationToken("blah", "blah",
                        Collections.singleton(new SimpleGrantedAuthority("blah")));
            }
            return super.attemptAuthentication(request, response);
        }
    };
    filter.setSessionAuthenticationStrategy(this.sessionAuthenticationStrategy());
    return filter;
}
On Fri, May 26, 2017 at 9:15 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
> I haven't tried it but you could try to override the
> configure(WebSecurity web) method as well:
>
> @Override
> public void configure(WebSecurity web) throws Exception {
>     web
>         .ignoring()
>         .antMatchers("/mobile/api/login",
>                      "/mobile/api/refresh");
> }
>
> On Thu, May 25, 2017 at 9:50 PM, Hylton Peimer <hylton.peimer(a)datos-health.com> wrote:
>
>> I have an instance of KeycloakWebSecurityConfigurerAdapter that contains
>> the following configuration:
>>
>> protected void configure(HttpSecurity httpSecurity) throws Exception
>> {
>>     super.configure(httpSecurity);
>>
>>     httpSecurity
>>         .antMatcher("/mobile/**")
>>         .authorizeRequests()
>>         .antMatchers("/mobile/api/login",
>>                      "/mobile/api/refresh").permitAll()
>>         .antMatchers("/mobile/api/**").authenticated()
>>
>> ..........
>>
>> The Client is set up for bearer-only.
>>
>> It works fine, except when the access token expires.
>>
>> Some mobile clients send the expired token as a header in the call to
>> "/mobile/api/refresh".
>>
>> The problem is that even though "/mobile/api/refresh" is marked as
>> permitAll, the request is blocked.
>>
>> It's not possible to fix all the mobile clients. How could I configure
>> Spring to ignore the bearer token for the "permitAll" calls, or remove the
>> header?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user