Hi Bill,

Full scope allowed: ON

I changed this to off then added user and admin roles... same result

I realise it's probably a silly mistake on my part, but I just can't see it...

If I click Customer Admin Interface I get the following:

Customer Admin Interface

User 96cfdfd1-ba0d-480a-9a80-18ec830391fe made this request.

Admin REST To Get Role List of Realm

There was a failure processing request. You either didn't configure Keycloak properly Status from database service invocation was: 404


/Brian



On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke <bburke@redhat.com> wrote:
Go to the admin console.  Go to your application definition.  Go to the scope tab.  What does it say?


On 2/13/2015 8:04 PM, Walter Rice wrote:
Hi Bill,

Thanks for the reply. I dunno! I followed the video to the letter....
Below is my web.xml for customer-portal. Apologies for noob qn but how
do I check application scope?...

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
       version="3.0">

<module-name>customer-portal</module-name>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Admins</web-resource-name>
             <url-pattern>/admin/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>admin</role-name>
         </auth-constraint>
     </security-constraint>
     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Customers</web-resource-name>
             <url-pattern>/customers/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>user</role-name>
         </auth-constraint>
     </security-constraint>

     <!--
     <security-constraint>
         <web-resource-collection>
             <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint> -->

     <login-config>
         <auth-method>KEYCLOAK</auth-method>
         <realm-name>cryo198</realm-name>
     </login-config>

     <security-role>
         <role-name>admin</role-name>
     </security-role>
     <security-role>
         <role-name>user</role-name>
     </security-role>
</web-app>


On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke <bburke@redhat.com> wrote:

    You don't have constraints set up correctly in web.xml?  You don't have
    the appropriate scope for the application set up?

    On 2/13/2015 4:47 PM, Walter Rice wrote:
    > Hi,
    >
    > I am trying to set up the demo as per the YouTube videos (#1 and #2). I
    > am using Keycloak 1.0.5. I have set up per the video (I think), however
    > things aren't working as expected.
    >
    > I browse to http://localhost:8080/customer-portal/ and all is fine. I
    > click Customer Listing and I am redirected to login page as expected. I
    > enter my name/pw, this is successful and then I am redirected back to
    > http://localhost:8080/customer-portal/customers/view.jsp but the page is
    > 'Forbidden' (redirect uri appears ok here?)
    >
    > I am using the 'full' version with bundled wildfly server.
    >
    >
    >
     > *customer app:*
    > keycloak file
    >
    > {
    > "realm": "cryo198",
    > "realm-public-key":
    > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
    > "auth-server-url": "http://localhost:8080/auth",
    > "ssl-required": "external",
    > "resource": "customer-portal",
    > "credentials": {
    > "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
    > }
    > }
    >
     > *web.xml*
    >      <login-config>
    >          <auth-method>KEYCLOAK</auth-method>
    >          <realm-name>cryo198</realm-name>
    >      </login-config>
    >
     > *redirect URI:*
     > /customer-portal/*
     >
     > *database app:*
    > {
    >      "realm": "cryo198",
    >      "realm-public-key":
    > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
    >      "auth-server-url": "http://localhost:8080/auth",
    >      "ssl-required": "NONE",
    >      "resource": "database",
    >      "bearer-only": "true"
    > }
    >
    >
    >
     > *web.xml*
    >      <login-config>
    >          <auth-method>KEYCLOAK</auth-method>
    >          <realm-name>cryo198</realm-name>
    >      </login-config>
    >
     > *redirect URI:*
    > n/a, set as bearer only
    >
     > *deployed apps:*
    > $ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"
    > NAME                   RUNTIME-NAME           ENABLED STATUS
    > admin-access.war       admin-access.war       true    OK
    > angular-product.war    angular-product.war    true    OK
    > auth-server.war        auth-server.war        true    OK
    > customer-portal-js.war customer-portal-js.war true    OK
    > customer-portal.war    customer-portal.war    true    OK
    > database.war           database.war           true    OK
    > product-portal.war     product-portal.war     true    OK
    >
    >
    >
    >
    >
    >
     > *Log:*
     > 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
     > 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
     > 2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
     > 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
     > 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
     > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
     > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
     > 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
     > 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
     > 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
     > 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
     > 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
     > 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
     > 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
     > 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
     > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true
     > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
     > 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
     > 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
     > 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
     > 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
     > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
     > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
     > 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
     > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
     > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
     > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie
     > 2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
     > 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
     > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
     > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
     > 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
     > 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
     > 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
     > 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
     > 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
     > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
     > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
     > 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
     > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
     > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
     > 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
     > 2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp
     >
     >
     > Many thanks
     > W
     >
     >
     >
     >
     > _______________________________________________
     > keycloak-user mailing list
     > keycloak-user@lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
     > https://lists.jboss.org/mailman/listinfo/keycloak-user
     >

    --
    Bill Burke
    JBoss, a division of Red Hat
    http://bill.burkecentral.com



--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
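
Added example, not part of the original thread and not Keycloak code: the log above shows authentication succeeding while the page is still Forbidden, so this sketch compares the roles that the web.xml auth-constraints require for a path with the realm roles carried in an access token. It assumes realm roles sit in the token's realm_access.roles claim; the role name "*" is not handled, and the sample descriptor and token are constructed.

```python
import base64, json
import xml.etree.ElementTree as ET
NS = {"j": "http://java.sun.com/xml/ns/javaee"}
# Constructed sample: the two role constraints from the web.xml in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
 <security-constraint>
  <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/customers/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
 </security-constraint>
</web-app>"""
# Constructed, unsigned token whose payload is {"realm_access":{"roles":[]}}.
NO_ROLES_JWT = "e30.eyJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOltdfX0.unsigned"

def constraints(web_xml):
    """Yield (url_pattern, roles) for each constraint that has an auth-constraint."""
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        roles = {r.text.strip() for r in sc.findall("j:auth-constraint/j:role-name", NS)}
        if sc.find("j:auth-constraint", NS) is not None:  # skip transport-only constraints
            for p in sc.findall("j:web-resource-collection/j:url-pattern", NS):
                yield p.text.strip(), roles

def match_rank(pattern, path):
    """Servlet-style match: exact > longest path prefix > extension; None if no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return None

def token_roles(jwt):
    """Read realm roles from the token payload; the signature is NOT verified here."""
    payload = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return set(claims.get("realm_access", {}).get("roles", []))

def check(web_xml, jwt, path):
    """Return (allowed, required_roles, token_roles) for a context-relative path."""
    hits = [(k, r) for p, r in constraints(web_xml) if (k := match_rank(p, path))]
    have = token_roles(jwt)
    if not hits:
        return True, set(), have  # no auth-constraint covers this path
    need = set().union(*(r for k, r in hits if k == max(h[0] for h in hits)))
    return bool(need & have), need, have
```

check(WEB_XML, NO_ROLES_JWT, "/customers/view.jsp") returns (False, {"user"}, set()): the user is authenticated, but the token carries no role that the constraint accepts.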