Sebastien, The pull requests looks good. In the meantime I thought of providing a custom request matcher via extending KeycloakWebSecurityConfigurerAdapter and overwriting authenticationEntryPoint() like this: @Override protected AuthenticationEntryPoint authenticationEntryPoint() throws Exception { return new KeycloakAuthenticationEntryPoint(new RequestMatcher() { @Override public boolean matches(HttpServletRequest request) { return false; } }); } I think I found an issue as this one results in a NullPointerException. java.lang.NullPointerException: null at org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint.commence(KeycloakAuthenticationEntryPoint.java:92) at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:203) Reason: adapterDeploymentContext in KeycloakAuthenticationEntryPoint is null when using the KeycloakAuthenticationEntryPoint(RequestMatcher) constructor. So either the constructor is not meant to be public or it requires a two-args constructor. What do you think? -- Thomas From: Sebastien Blanc [mailto:sblanc@redhat.com] Sent: Donnerstag, 26. Oktober 2017 10:36 To: Kuestermann, Thomas <Thomas.Kuestermann(a)sabre.com&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Spring Boot/Keycloak IE11 compatibility Hi, Looks like a ticket as been opened yesterday for the same problem with a Pull Request as well :) https://issues.jboss.org/browse/KEYCLOAK-5679 and https://github.com/keycloak/keycloak/pull/4587 Please, feel free to comment on the PR as well Seb On Thu, Oct 26, 2017 at 10:28 AM, Kuestermann, Thomas <Thomas.Kuestermann@sabre.com<mailto:Thomas.Kuestermann@sabre.com>> wrote: Folks, We're currently developing a Spring Boot [1] application that uses Keycloak & Spring Security [2] for authentication and authorization. Everything fine so far, the Keycloak login page is displayed when the user accesses the application. I feel a bit ashamed, but it had to happen at some point: We need to support the beloved IE11, yay! What happens with IE is that the login page is not displayed as a HTTP 401 is returned to the browser instead of a HTTP 302. I tracked it down to "org.keycloak.adapters.springsecurity.authentication.HttpHeaderInspectingApiRequestMatcher" checking for the MIME type "text/html" in the HTTP Accept header. Unfortunately, my IE sends something like this in the request: Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap,*/* According to the Mozilla Docs [3], MIME type "*/*" matches everything including "text/html" required by the request matcher. My question is the following as it is easy to work around and fix: Is it worth filing an issue with Keycloak? I also feel confident enough to provide a pull request. Regards, -- Thomas [1] http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/spring... [2] http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/spring... [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

Opened https://issues.jboss.org/browse/KEYCLOAK-5753 and provided a pull request via https://github.com/keycloak/keycloak/pull/4617. --Thomas From: Sebastien Blanc [mailto:sblanc@redhat.com] Sent: Donnerstag, 26. Oktober 2017 11:34 To: Kuestermann, Thomas <Thomas.Kuestermann(a)sabre.com&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Spring Boot/Keycloak IE11 compatibility Indeed, I think this should be a 2 args constructor, could you open a separate ticket for this ? On Thu, Oct 26, 2017 at 11:22 AM, Kuestermann, Thomas <mailto:Thomas.Kuestermann@sabre.com> wrote: Sebastien,   The pull requests looks good. In the meantime I thought of providing a custom request matcher via extending KeycloakWebSecurityConfigurerAdapter and overwriting authenticationEntryPoint() like this:       @Override     protected AuthenticationEntryPoint authenticationEntryPoint() throws Exception {         return new KeycloakAuthenticationEntryPoint(new RequestMatcher() {             @Override             public boolean matches(HttpServletRequest request) {                 return false;             }         });     }   I think I found an issue as this one results in a NullPointerException.       java.lang.NullPointerException: null         at org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint.commence(KeycloakAuthenticationEntryPoint.java:92)         at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:203)   Reason: adapterDeploymentContext in KeycloakAuthenticationEntryPoint is null when using the KeycloakAuthenticationEntryPoint(RequestMatcher) constructor. So either the constructor is not meant to be public or it requires a two-args constructor.   What do you think?   -- Thomas   From: Sebastien Blanc [mailto:mailto:sblanc@redhat.com] Sent: Donnerstag, 26. Oktober 2017 10:36 To: Kuestermann, Thomas <mailto:Thomas.Kuestermann@sabre.com> Cc: mailto:keycloak-user@lists.jboss.org Subject: Re: [keycloak-user] Spring Boot/Keycloak IE11 compatibility   Hi,   Looks like a ticket as been opened yesterday for the same problem with a Pull Request as well :) https://issues.jboss.org/browse/KEYCLOAK-5679 and https://github.com/keycloak/keycloak/pull/4587 Please, feel free to comment on the PR as well Seb     On Thu, Oct 26, 2017 at 10:28 AM, Kuestermann, Thomas <mailto:Thomas.Kuestermann@sabre.com> wrote: Folks, We're currently developing a Spring Boot [1] application that uses Keycloak & Spring Security [2] for authentication and authorization. Everything fine so far, the Keycloak login page is displayed when the user accesses the application. I feel a bit ashamed, but it had to happen at some point: We need to support the beloved IE11, yay! What happens with IE is that the login page is not displayed as a HTTP 401 is returned to the browser instead of a HTTP 302. I tracked it down to "org.keycloak.adapters.springsecurity.authentication.HttpHeaderInspectingApiRequestMatcher" checking for the MIME type "text/html" in the HTTP Accept header. Unfortunately, my IE sends something like this in the request:     Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap,*/* According to the Mozilla Docs [3], MIME type "*/*" matches everything including "text/html" required by the request matcher. My question is the following as it is easy to work around and fix: Is it worth filing an issue with Keycloak? I also feel confident enough to provide a pull request. Regards, -- Thomas [1] http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/spring... [2] http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/spring... [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept _______________________________________________ keycloak-user mailing list mailto:keycloak-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user