Unfortunately that didn't work.
I've implemented a hack which is something like overriding the
KeycloakAuthenticationProcessingFilter and returning an
AnonymousAuthenticationToken if the particular path is requested.
Maybe there's a more elegant way.
protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
    KeycloakAuthenticationProcessingFilter filter =
            new KeycloakAuthenticationProcessingFilter(this.authenticationManagerBean()) {
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                throws AuthenticationException, IOException, ServletException {
            // Skip bearer-token validation for the refresh endpoint and hand back an
            // anonymous token so the permitAll rule can apply to the request.
            if (request.getServletPath().equals("/mobile/api/refresh")) {
                logger.error("Mobile device sent expired bearer token for /mobile/api/refresh request");
                // "blah" values are placeholders for key, principal and authority
                return new AnonymousAuthenticationToken("blah", "blah",
                        Collections.singleton(new SimpleGrantedAuthority("blah")));
            }
            return super.attemptAuthentication(request, response);
        }
    };
    filter.setSessionAuthenticationStrategy(this.sessionAuthenticationStrategy());
    return filter;
}
On Fri, May 26, 2017 at 9:15 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
I haven't tried it but you could try to override the configure(WebSecurity web) method as well:

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/mobile/api/login", "/mobile/api/refresh");
}
On Thu, May 25, 2017 at 9:50 PM, Hylton Peimer <hylton.peimer(a)datos-health.com> wrote:
> I have an instance of KeycloakWebSecurityConfigurerAdapter that contains
> the following configuration:
>
> protected void configure(HttpSecurity httpSecurity) throws Exception {
>     super.configure(httpSecurity);
>
>     httpSecurity
>         .antMatcher("/mobile/**")
>         .authorizeRequests()
>             .antMatchers("/mobile/api/login", "/mobile/api/refresh").permitAll()
>             .antMatchers("/mobile/api/**").authenticated()
>
> ..........
>
> The Client is setup for bearer-only.
>
> It works fine, except when the access token expires.
>
> Some mobile clients send the expired token as a header in the call to
> "/mobile/api/refresh".
>
> The problem is that even though "/mobile/api/refresh" is marked as
> permitAll, the request is blocked.
>
> It's not possible to fix all the mobile clients. How could I configure
> Spring to ignore the bearer token for the "permitAll" calls, or remove the
> header?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
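An added example, written for this thread and not code from either poster or from the Keycloak project: instead of overriding attemptAuthentication and fabricating an AnonymousAuthenticationToken, build the Keycloak filter with a RequestMatcher that excludes the permitAll paths, so the filter never inspects the stale Authorization header on those requests. It assumes the adapter's two-argument constructor KeycloakAuthenticationProcessingFilter(AuthenticationManager, RequestMatcher) and the Spring Security matcher classes in org.springframework.security.web.util.matcher; the class name MobileSecurityConfig is hypothetical, and the path list mirrors the configuration in the question.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical class name; mirrors the /mobile/** configuration from the question.
@Configuration
@EnableWebSecurity
public class MobileSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // The permitAll endpoints from the question: the bearer filter must not inspect them.
    static final List<String> PUBLIC_MOBILE_PATHS =
            Arrays.asList("/mobile/api/login", "/mobile/api/refresh");

    /**
     * Match only requests that carry an Authorization header AND are not one of the
     * public paths. On the excluded paths the Keycloak filter never runs, so an
     * expired token in the header is ignored instead of turning the request into a 401.
     */
    static RequestMatcher bearerRequestMatcher() {
        List<RequestMatcher> publicPaths = new ArrayList<>();
        for (String path : PUBLIC_MOBILE_PATHS) {
            publicPaths.add(new AntPathRequestMatcher(path));
        }
        return new AndRequestMatcher(
                new RequestHeaderRequestMatcher("Authorization"),
                new NegatedRequestMatcher(new OrRequestMatcher(publicPaths)));
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // Bearer-only API: no server-side session to protect, so no session strategy.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    // Assumes the adapter's (AuthenticationManager, RequestMatcher) constructor.
    @Bean
    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter()
            throws Exception {
        KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(
                authenticationManagerBean(), bearerRequestMatcher());
        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .antMatcher("/mobile/**")
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers(PUBLIC_MOBILE_PATHS.toArray(new String[0])).permitAll()
                .antMatchers("/mobile/api/**").authenticated();
    }
}
```

Because the filter simply does not run on the excluded paths, Spring Security's own AnonymousAuthenticationFilter supplies the anonymous principal with ROLE_ANONYMOUS, and no hand-built token with a placeholder authority ends up in the SecurityContext. The refresh handler must then treat the request as unauthenticated and obtain a new token only via the refresh token it is given, never from claims in the ignored header.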