I have a web app secured by KC. It authenticates against our Active Directory and that
appears to be working.
I'm developing using Tomcat as my web app server.
When on a Windows client of a machine that is a member of my Active Directory, and Windows
Internet options are set, both Chrome and Internet Explorer do not put up the browser
challenge or forward to the KC login page.
I have a requirement that a browser on a client that is not in my Active Directory log in
with the user's Active Directory user id and password.
After a successful login, everything is great.
My issue is that when running from a browser on a client that is not a member of the
Active Directory domain, first the browser presents a Basic challenge. Then regardless of
what is entered or if the challenge is dismissed, the browser forwards as expected to the
KC login page.
How can the Basic challenge be suppressed?
My web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
        http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
    id="WebApp_ID" version="3.1">
  <display-name>SSO-Example</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name> MYREALM </realm-name>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO-Example</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

My keycloak.json:

{
  "realm": "MYREALM",
  "auth-server-url": "https://my.keycloak:8443/auth",
  "ssl-required": "external",
  "resource": "MYCLIENT",
  "verify-token-audience": true,
  "credentials": {
    "secret": "my secret"
  },
  "disable-trust-manager": true,
  "allow-any-hostname": true,
  "use-resource-role-mappings": true,
  "confidential-port": 0
}