Hey all,
While implementing a Keycloak based secure application set (3 internal web applications)
with Spring-Security, I’ve come upon some details that I can’t seem to find an adequate
answer to.
Our environment and implementations:
The security layer is implemented on the front-end only (for now).
JBoss EAP 6.4, JSF 2.1 Mojarra with RichFaces 4, Spring 3.2.18, Spring-security 3.2.10,
Keycloak-spring-security-adapter 3.4.1 (same as the Keycloak server being used).
What we’ve got working:
2 applications with SSL and SSO. Both redirect to the Keycloak login page. When we log
in to app1 we’re also logged in in app2, so that’s good.
What we want but can’t seem to achieve:
· Log out of app1 --> refresh of app2 should redirect to the Keycloak login
page.
At this point it seems that the user credentials remain active as long as the browser
session remains active.
· After successful login from the Keycloak login page always redirect to the
application welcome page (index.xhtml for instance).
Use case: A user is working in one of our secured applications, has its browser session
ended and clicks on some kind of link. The application correctly redirects this user to
the Keycloak login page. The user correctly logs in and gets taken back to where he/she
was. However, when this is an AJAX kind-of request the user sees plain XML when taken
back to the application. To avoid this I would like to always redirect to the welcome page
of the application when the user logs in through the Keycloak login page. I can’t seem to
find a way to do this.
· Logout doesn’t always work well. Sometimes the Spring AntPathRequestMatcher
doesn’t correctly match our logout pattern (/sso/logout**). Therefore we’ve provided an
alternative that we’ve found in the documentation in the form of:
https://<keycloak-url-with-port>/auth/realms/<realmName>/protocol/openid-connect/logout?redirect_uri=<Application-base-URL>
However this doesn’t always work either. There are situations, depending on
invalid rights for certain application parts where this never logs out a user.
We’ve got a Spring-security application context in XML that is roughly the same as the one
found in the documentation. And a keycloak.json file that looks like this:
{
"realm": "<realmName>",
"auth-server-url": "<keycloak-url-with-port>/auth",
"ssl-required": "all",
"truststore": "<working-truststore>",
"truststore-password":"<a-working-pwd>",
"resource": "<App1-name>",
"public-client": true,
"always-refresh-token": true
}
Due to the large number of Keycloak releases and accompanied configuration changes it’s
really hard for us to find relevant information. When we first started by creating a POC
we used the most recent Keycloak version (3.4.1-Final). A lot of information that is not
old appears to be outdated. Just an observation.
Thanks for reading.
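For the second item (always landing on the welcome page after the Keycloak login), one way to wire it in the adapter's Spring Security XML, added here as an illustration and not taken from the post above or from the Keycloak documentation: the filter's default success handler replays the saved request, which for a JSF AJAX call is the partial-response URL whose XML the user ends up seeing, so it is swapped for one that always sends the browser to a fixed target. Assumed: an `authenticationManager` bean as in the documented setup, `/index.xhtml` as the welcome page, and that `KeycloakAuthenticationSuccessHandler` takes the fallback handler as its constructor argument.

```xml
<!-- Added example, not from the original post. Assumes an "authenticationManager"
     bean as in the adapter's documented XML setup and /index.xhtml as the welcome page. -->
<bean id="keycloakAuthenticationProcessingFilter"
      class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
    <constructor-arg name="authenticationManager" ref="authenticationManager" />
    <!-- Replace the default success handler: it falls back to the saved request, so a
         login triggered by a JSF AJAX request lands on the partial (XML) response.
         This handler always redirects to the welcome page instead. -->
    <property name="authenticationSuccessHandler">
        <bean class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationSuccessHandler">
            <constructor-arg>
                <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
                    <property name="defaultTargetUrl" value="/index.xhtml" />
                    <!-- Ignore the saved request entirely (assumption: this is wanted for
                         every interactive login, not only the AJAX case). -->
                    <property name="alwaysUseDefaultTargetUrl" value="true" />
                </bean>
            </constructor-arg>
        </bean>
    </property>
</bean>
```

The trade-off is that a user who bookmarked a deep link will no longer be returned to it after logging in; if that matters, keep `alwaysUseDefaultTargetUrl` false and instead stop the JSF AJAX request from being cached as the saved request.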