7:25 a.m.
Hi Keycloak Users,
I tried to configure a dead simple Spring Boot CXF REST endpoint with
Keycloak Spring Boot Adapter in Bearer Only mode without any luck. It
appears the Keycloak Tomcat Valve fails authorization even before the
keycloak adapter ever gets a chance to parse the Bearer token and setup the
session. I would have thought that with AutoConfig it would just be that
... auto config. I added the below keycloak adapter configuration to the
application.yml file and made sure all required jars are on the classpath.
Does anyone have any suggestions or a link to a working example that shows
how to use Spring Boot with Keycloak *AND* CXF ?
Many thanks, Niels
Example:
https://github.com/bertramn/keycloak-secured-rest-endpoint
application.yml configuration:
keycloak:
realm: demo
authServerUrl: 'http://localhost:8080/auth'
realmKey: 'MIIBIjANBgDAQAB'
sslRequired: external
resource: test-client
bearerOnly: true
securityConstraints:
- authRoles: [ '*' ]
securityCollections:
- name: authed
patterns: [ '/v1/secured' ]
9:15 a.m.
Niels,
I've tried the example below and it works fine.
http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html
Although it's not using CXF.
Meissa
On Tue, Oct 31, 2017 at 1:25 PM, Niels Bertram <nielsbne(a)gmail.com> wrote:
Hi Keycloak Users,
I tried to configure a dead simple Spring Boot CXF REST endpoint with
Keycloak Spring Boot Adapter in Bearer Only mode without any luck. It
appears the Keycloak Tomcat Valve fails authorization even before the
keycloak adapter ever gets a chance to parse the Bearer token and setup the
session. I would have thought that with AutoConfig it would just be that
... auto config. I added the below keycloak adapter configuration to the
application.yml file and made sure all required jars are on the classpath.
Does anyone have any suggestions or a link to a working example that shows
how to use Spring Boot with Keycloak *AND* CXF ?
Many thanks, Niels
Example:
https://github.com/bertramn/keycloak-secured-rest-endpoint
application.yml configuration:
keycloak:
realm: demo
authServerUrl: 'http://localhost:8080/auth'
realmKey: 'MIIBIjANBgDAQAB'
sslRequired: external
resource: test-client
bearerOnly: true
securityConstraints:
- authRoles: [ '*' ]
securityCollections:
- name: authed
patterns: [ '/v1/secured' ]
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:27 a.m.
Hi Meissa, in deed this one would probably work. It is not using bearer
only mode (like a REST based micro service would) and it does only use
fixed role names. My example uses the wildcard role restriction which in
the olden days of JSPs meant any role as long as authenticated. Strange
that there are no examples out there. Thanks for taking notice. Kind
Regards, Niels
On Wed, Nov 1, 2017 at 12:15 AM, Meissa M'baye Sakho <msakho(a)redhat.com>
wrote:
Niels,
I've tried the example below and it works fine.
http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html
Although it's not using CXF.
Meissa
On Tue, Oct 31, 2017 at 1:25 PM, Niels Bertram <nielsbne(a)gmail.com> wrote:
> Hi Keycloak Users,
>
> I tried to configure a dead simple Spring Boot CXF REST endpoint with
> Keycloak Spring Boot Adapter in Bearer Only mode without any luck. It
> appears the Keycloak Tomcat Valve fails authorization even before the
> keycloak adapter ever gets a chance to parse the Bearer token and setup
> the
> session. I would have thought that with AutoConfig it would just be that
> ... auto config. I added the below keycloak adapter configuration to the
> application.yml file and made sure all required jars are on the classpath.
>
> Does anyone have any suggestions or a link to a working example that shows
> how to use Spring Boot with Keycloak *AND* CXF ?
>
> Many thanks, Niels
>
> Example:
>
> https://github.com/bertramn/keycloak-secured-rest-endpoint
>
>
> application.yml configuration:
>
>
> keycloak:
> realm: demo
> authServerUrl: 'http://localhost:8080/auth'
> realmKey: 'MIIBIjANBgDAQAB'
> sslRequired: external
> resource: test-client
> bearerOnly: true
> securityConstraints:
> - authRoles: [ '*' ]
> securityCollections:
> - name: authed
> patterns: [ '/v1/secured' ]
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
12:03 p.m.
It's probably not working because of the wildcard roles and you spotted a
bug on our side. We have a shortcut in the Spring Boot config where we
collect the auth-constraints roles for each security constraint to generate
the <security-role/> "list". In auth-constraints wildcard is allowed but
not in security-role.
Could you open a ticket for this ?
Sebi
On Tue, Oct 31, 2017 at 3:27 PM, Niels Bertram <nielsbne(a)gmail.com> wrote:
Hi Meissa, in deed this one would probably work. It is not using
bearer
only mode (like a REST based micro service would) and it does only use
fixed role names. My example uses the wildcard role restriction which in
the olden days of JSPs meant any role as long as authenticated. Strange
that there are no examples out there. Thanks for taking notice. Kind
Regards, Niels
On Wed, Nov 1, 2017 at 12:15 AM, Meissa M'baye Sakho <msakho(a)redhat.com>
wrote:
> Niels,
> I've tried the example below and it works fine.
> http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html
> Although it's not using CXF.
> Meissa
>
> On Tue, Oct 31, 2017 at 1:25 PM, Niels Bertram <nielsbne(a)gmail.com>
wrote:
>
>> Hi Keycloak Users,
>>
>> I tried to configure a dead simple Spring Boot CXF REST endpoint with
>> Keycloak Spring Boot Adapter in Bearer Only mode without any luck. It
>> appears the Keycloak Tomcat Valve fails authorization even before the
>> keycloak adapter ever gets a chance to parse the Bearer token and setup
>> the
>> session. I would have thought that with AutoConfig it would just be that
>> ... auto config. I added the below keycloak adapter configuration to the
>> application.yml file and made sure all required jars are on the
classpath.
>>
>> Does anyone have any suggestions or a link to a working example that
shows
>> how to use Spring Boot with Keycloak *AND* CXF ?
>>
>> Many thanks, Niels
>>
>> Example:
>>
>> https://github.com/bertramn/keycloak-secured-rest-endpoint
>>
>>
>> application.yml configuration:
>>
>>
>> keycloak:
>> realm: demo
>> authServerUrl: 'http://localhost:8080/auth'
>> realmKey: 'MIIBIjANBgDAQAB'
>> sslRequired: external
>> resource: test-client
>> bearerOnly: true
>> securityConstraints:
>> - authRoles: [ '*' ]
>> securityCollections:
>> - name: authed
>> patterns: [ '/v1/secured' ]
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:59 p.m.
Thanks Sebastien, I raised KEYCLOAK-5775
<https://issues.jboss.org/browse/KEYCLOAK-5775> with the example project
link. I recall when tracing the code that there is no provision for
wildcard checks BUT at the same token the Tomcat Valve does not seem to
have parsed the token either when the roles check executes. Niels
On Wed, Nov 1, 2017 at 3:03 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
It's probably not working because of the wildcard roles and you
spotted a
bug on our side. We have a shortcut in the Spring Boot config where we
collect the auth-constraints roles for each security constraint to generate
the <security-role/> "list". In auth-constraints wildcard is allowed but
not in security-role.
Could you open a ticket for this ?
Sebi
On Tue, Oct 31, 2017 at 3:27 PM, Niels Bertram <nielsbne(a)gmail.com> wrote:
> Hi Meissa, in deed this one would probably work. It is not using bearer
>
> only mode (like a REST based micro service would) and it does only use
> fixed role names. My example uses the wildcard role restriction which in
> the olden days of JSPs meant any role as long as authenticated. Strange
> that there are no examples out there. Thanks for taking notice. Kind
> Regards, Niels
>
> On Wed, Nov 1, 2017 at 12:15 AM, Meissa M'baye Sakho <msakho(a)redhat.com>
> wrote:
>
> > Niels,
> > I've tried the example below and it works fine.
> > http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html
> > Although it's not using CXF.
> > Meissa
> >
> > On Tue, Oct 31, 2017 at 1:25 PM, Niels Bertram <nielsbne(a)gmail.com>
> wrote:
> >
> >> Hi Keycloak Users,
> >>
> >> I tried to configure a dead simple Spring Boot CXF REST endpoint with
> >> Keycloak Spring Boot Adapter in Bearer Only mode without any luck. It
> >> appears the Keycloak Tomcat Valve fails authorization even before the
> >> keycloak adapter ever gets a chance to parse the Bearer token and setup
> >> the
> >> session. I would have thought that with AutoConfig it would just be
> that
> >> ... auto config. I added the below keycloak adapter configuration to
> the
> >> application.yml file and made sure all required jars are on the
> classpath.
> >>
> >> Does anyone have any suggestions or a link to a working example that
> shows
> >> how to use Spring Boot with Keycloak *AND* CXF ?
> >>
> >> Many thanks, Niels
> >>
> >> Example:
> >>
> >> https://github.com/bertramn/keycloak-secured-rest-endpoint
> >>
> >>
> >> application.yml configuration:
> >>
> >>
> >> keycloak:
> >> realm: demo
> >> authServerUrl: 'http://localhost:8080/auth'
> >> realmKey: 'MIIBIjANBgDAQAB'
> >> sslRequired: external
> >> resource: test-client
> >> bearerOnly: true
> >> securityConstraints:
> >> - authRoles: [ '*' ]
> >> securityCollections:
> >> - name: authed
> >> patterns: [ '/v1/secured' ]
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
2612
days inactive
2613
days old
4 comments
3 participants
participants (3)
-
Meissa M'baye Sakho -
Niels Bertram -
Sebastien Blanc