Re: [keycloak-user] Noob question -- 'forbidden' on demo after redirect

Hi Bill, Full scope allowed: ON I changed this to off then add user and admin roles... same result I realise it's probably silly mistake on my part! but I just can't see it... If i click *customer admin interface* i get the following: Customer Admin Interface User *96cfdfd1-ba0d-480a-9a80-18ec830391fe *made this request. Admin REST To Get Role List of Realm There was a failure processing request. You either didn't configure Keycloak properly Status from database service invocation was: 404 /Brian On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke <bburke(a)redhat.com <mailto:bburke@redhat.com>> wrote: Got to the admin console. Go to your application definition. Go to the scope tab. What does it say? On 2/13/2015 8:04 PM, Walter Rice wrote: Hi Bill, Thanks for the reply. I dunno! I followed the video to the letter.... below is my web.xml for customer-portal. Apologies for noob qn but how do i check application scope?... <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/__xml/ns/javaee <http://java.sun.com/xml/ns/javaee>" xmlns:xsi="http://www.w3.org/__2001/XMLSchema-instance <http://www.w3.org/2001/XMLSchema-instance>" xsi:schemaLocation="http://__java.sun.com/xml/ns/javaee <http://java.sun.com/xml/ns/javaee> http://java.sun.com/xml/ns/__javaee/web-app_3_0.xsd <http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd>" version="3.0"> <module-name>customer-portal</__module-name> <security-constraint> <web-resource-collection> <web-resource-name>Admins</__web-resource-name> <url-pattern>/admin/*</url-__pattern> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Customers</__web-resource-name> <url-pattern>/customers/*</__url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <!-- <security-constraint> <web-resource-collection> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>__CONFIDENTIAL</transport-__guarantee> </user-data-constraint> </security-constraint> --> <login-config> <auth-method>KEYCLOAK</auth-__method> <realm-name>cryo198</realm-__name> </login-config> <security-role> <role-name>admin</role-name> </security-role> <security-role> <role-name>user</role-name> </security-role> </web-app> On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke <bburke(a)redhat.com <mailto:bburke@redhat.com> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote: You don't have constriants set up correctly in web.xml? You don't have the appropriate scope for the application set up? On 2/13/2015 4:47 PM, Walter Rice wrote: > Hi, > > I am trying to set up the demo as per the youtube videos (#1 and #2). I > am using keycloak 1.0.5. I have set up per the video (i think), however > things aren't working as expected. > > I browse tohttp://localhost:8080/__customer-portal/ and all is fine. I > click Customer Listing and I am redirected to login page as expected. I > enter my name/pw , this is successful and then I am redirected back to >http://localhost:8080/__customer-portal/customers/__view.jsp <http://localhost:8080/customer-portal/customers/view.jsp> but the page is > 'Forbidden' (redirect uri appears ok here?) > > I am using the 'full' version with bundled wildfly server. > > > > *customer app:* > keycloak file > > { > "realm": "cryo198", > "realm-public-key": > "__MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD__CBiQKBgQCFnsEHg1o9UMBpMoHqLxYe__sXgDsTHnv1vF0AgrznxAcLfmYUdjvB__NdIXZNfB7I7tG9OMHvX21h9arHdcdg__2qqk9adLjHuImg/LhYHVOrosJ/__sybohrR/Im+k1fTsw/5p/__nwZKOF1DLL4/__4SZAY2h19FGCi0ZgIvE80psq98UvCN__QIDAQAB", > "auth-server-url": "http://localhost:8080/auth", > "ssl-required": "external", > "resource": "customer-portal", > "credentials": { > "secret": "a0872aa0-113d-435c-a9d6-__56cd9b270e22" > } > } > > *web.xml* > <login-config> > <auth-method>KEYCLOAK</auth-__method> > <realm-name>cryo198</realm-__name> > </login-config> > > *redirect URI:* > /customer-portal/* > > *database app:* > { > "realm": "cryo198", > "realm-public-key": > "__MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD__CBiQKBgQCFnsEHg1o9UMBpMoHqLxYe__sXgDsTHnv1vF0AgrznxAcLfmYUdjvB__NdIXZNfB7I7tG9OMHvX21h9arHdcdg__2qqk9adLjHuImg/LhYHVOrosJ/__sybohrR/Im+k1fTsw/5p/__nwZKOF1DLL4/__4SZAY2h19FGCi0ZgIvE80psq98UvCN__QIDAQAB", > "auth-server-url": "http://localhost:8080/auth", > "ssl-required": "NONE", > "resource": "database", > "bearer-only": "true" > } > > > > *web.xml* > <login-config> > <auth-method>KEYCLOAK</auth-__method> > <realm-name>cryo198</realm-__name> > </login-config> > > *redirect URI:* > n./a ..set as bearer only > > *deployed apps:* > $ > /c/tools/keycloak-appliance-__dist-all-1.0.5.Final/keycloak-__appliance-dist-all-1.0.5.__Final/keycloak/bin/jboss-cli.__sh > -c --command="deploy -l" > NAME RUNTIME-NAME ENABLED STATUS > admin-access.war admin-access.war true OK > angular-product.war angular-product.war true OK > auth-server.war auth-server.war true OK > customer-portal-js.war customer-portal-js.war true OK > customer-portal.war customer-portal.war true OK > database.war database.war true OK > product-portal.war product-portal.war true OK > > > > > > > *Log:* > 2015-02-13 21:22:29,665 DEBUG > [org.keycloak.adapters.__PreAuthActionsHandler] (default task-41) > adminRequest http://localhost:8080/__customer-portal/custo <http://localhost:8080/customer-portal/custo> > mers/view.jsp > 2015-02-13 21:22:29,667 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-41) --> > authenticate() > 2015-02-13 21:22:29,668 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-41) try bearer > 2015-02-13 21:22:29,669 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-41) try oauth > 2015-02-13 21:22:29,669 DEBUG > [org.keycloak.adapters.__RequestAuthenticator] (default task-41) session > was null, returning null > 2015-02-13 21:22:29,670 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-41) > there was no code > 2015-02-13 21:22:29,670 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-41) > redirecting to auth server > 2015-02-13 21:22:29,671 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-41) > callback uri: http://localhost:8080/__customer-portal/ <http://localhost:8080/customer-portal/> > customers/view.jsp > 2015-02-13 21:22:29,672 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-41) > Sending redirect to login page: http://localhost:808 > 0/auth/realms/cryo198/tokens/__login?client_id=customer-__portal&redirect_uri=http%3A%__2F%2Flocalhost%3A8080%__2Fcustomer-portal%2Fcustomers%__2Fview.jsp&state > =2%2F8185a8ea-5a38-4a91-b990-__1b32ccabb2e8&login=true > 2015-02-13 21:22:29,701 DEBUG > [org.keycloak.services.__resources.TokenService] (default task-42) > replacing relative valid redirect with: http://localhos > t:8080/customer-portal/* > 2015-02-13 21:22:29,702 DEBUG > [org.keycloak.services.__managers.__AuthenticationManager] (default task-42) > Could not find cookie: KEYCLOAK_IDENTITY > 2015-02-13 21:22:46,300 DEBUG > [org.keycloak.services.__resources.TokenService] (default task-43) > replacing relative valid redirect with: http://localhos > t:8080/customer-portal/* > 2015-02-13 21:22:46,301 DEBUG > [org.keycloak.services.__managers.__AuthenticationManager] (default task-43) > validating password for user: walt > 2015-02-13 21:22:46,306 DEBUG > [org.keycloak.services.__managers.__AuthenticationManager] (default task-43) > Expiring remember me cookie > 2015-02-13 21:22:46,307 DEBUG > [org.keycloak.services.__managers.__AuthenticationManager] (default task-43) > Expiring cookie: KEYCLOAK_REMEMBER_ME path: /au > th/realms/cryo198 > 2015-02-13 21:22:46,308 DEBUG > [org.keycloak.services.__resources.flows.OAuthFlows] (default task-43) > processAccessCode: isResource: true > 2015-02-13 21:22:46,308 DEBUG > [org.keycloak.services.__resources.flows.OAuthFlows] (default task-43) > processAccessCode: go to oauth page?: false > 2015-02-13 21:22:46,329 DEBUG > [org.keycloak.services.__resources.flows.OAuthFlows] (default task-43) > redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b99 > 0-1b32ccabb2e8 > 2015-02-13 21:22:46,340 DEBUG > [org.keycloak.services.__managers.__AuthenticationManager] (default task-43) > Create login cookie - name: KEYCLOAK_IDENTITY, > path: /auth/realms/cryo198, max-age: -1 > 2015-02-13 21:22:46,387 DEBUG > [org.keycloak.adapters.__PreAuthActionsHandler] (default task-44) > adminRequest http://localhost:8080/__customer-portal/custo <http://localhost:8080/customer-portal/custo> > mers/view.jsp?code=zf9VUvG6-__QkAWtF8xDFcJfnBnrY.__OTY1YjllMzMtZDdlNS00YWQwLWEwMz__gtZjIzMTJhODZjMTIx&state=2%__2F8185a8ea-5a38-4a91-b990-__1b32ccabb2e8 > 2015-02-13 21:22:46,388 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-44) --> > authenticate() > 2015-02-13 21:22:46,389 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-44) try bearer > 2015-02-13 21:22:46,389 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-44) try oauth > 2015-02-13 21:22:46,389 DEBUG > [org.keycloak.adapters.__RequestAuthenticator] (default task-44) session > was null, returning null > 2015-02-13 21:22:46,390 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-44) > there was a code, resolving > 2015-02-13 21:22:46,390 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-44) > checking state cookie for after code > 2015-02-13 21:22:46,390 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-44) ** > reseting application state cookie > 2015-02-13 21:22:46,477 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-44) > Token Verification succeeded! > 2015-02-13 21:22:46,478 DEBUG > [org.keycloak.adapters.__OAuthRequestAuthenticator] (default task-44) > successful authenticated > 2015-02-13 21:22:46,478 TRACE > [org.keycloak.adapters.__RefreshableKeycloakSecurityCon__text] (default > task-44) checking whether to refresh. > 2015-02-13 21:22:46,478 TRACE > [org.keycloak.adapters.__undertow.__KeycloakUndertowAccount] (default > task-44) use realm role mappings > 2015-02-13 21:22:46,479 DEBUG > [org.keycloak.adapters.__wildfly.__WildflyRequestAuthenticator] (default > task-44) propagate security context to wildfly > 2015-02-13 21:22:46,481 TRACE > [org.keycloak.adapters.__RefreshableKeycloakSecurityCon__text] (default > task-44) checking whether to refresh. > 2015-02-13 21:22:46,484 DEBUG > [org.keycloak.adapters.__RequestAuthenticator] (default task-44) AUTHENTICATED > 2015-02-13 21:22:46,502 DEBUG > [org.keycloak.adapters.__PreAuthActionsHandler] (default task-46) > adminRequest http://localhost:8080/__customer-portal/custo <http://localhost:8080/customer-portal/custo> > mers/view.jsp > 2015-02-13 21:22:46,505 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-46) --> > authenticate() > 2015-02-13 21:22:46,506 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-46) try bearer > 2015-02-13 21:22:46,506 TRACE > [org.keycloak.adapters.__RequestAuthenticator] (default task-46) try oauth > 2015-02-13 21:22:46,507 DEBUG > [org.keycloak.adapters.__undertow.__KeycloakUndertowAccount] (default > task-46) session is active > 2015-02-13 21:22:46,508 DEBUG > [org.keycloak.adapters.__RequestAuthenticator] (default task-46) Cached > account found > 2015-02-13 21:22:46,508 DEBUG > [org.keycloak.adapters.__wildfly.__WildflyRequestAuthenticator] (default > task-46) propagate security context to wildfly > 2015-02-13 21:22:46,509 DEBUG > [org.keycloak.adapters.__RequestAuthenticator] (default task-46) > AUTHENTICATED: was cached > 2015-02-13 21:22:46,510 DEBUG > [org.keycloak.adapters.__AuthenticatedActionsHandler] (default task-46) > AuthenticatedActionsValve.__invoke http://localhost: > 8080/customer-portal/__customers/view.jsp > > > Many thanks > W > > > > > _________________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> <mailto:keycloak-user@lists.__jboss.org <mailto:keycloak-user@lists.jboss.org>> > https://lists.jboss.org/__mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _________________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> <mailto:keycloak-user@lists.__jboss.org <mailto:keycloak-user@lists.jboss.org>> https://lists.jboss.org/__mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com