[keycloak-dev] resource excludes in web.xml not working in latest master build

[Bill Burke]

Ok, I set up a JIRA.

https://issues.jboss.org/browse/KEYCLOAK-901

I need to look at Jetty/Tomcat to see if authenticate() is called.  BTW, 
I'm not sure why Undertow is calling the authentication mechanism for 
unsecure resources.

On 12/19/2014 11:03 AM, Michael Gerber wrote:
> I created today a build from the latest master branch and struggled with
> the following problem.
> I've got some REST services which are excluded from keycloak, so I can
> access them without a logged in user. (see detail from web.xml)
> The request body in these post rest services were always empty. I found
> out that my wildfly tried to authenticate all requests.
> The tokenStore.saveRequest() method in the OAuthRequestAuthenticator
> class read the inputStream and so it was empty later on.
>
> I dont understand why all my requests are authenticated, even when they
> are excluded through the web.xml file.
> So, I added the following lines in the ServletKeycloakAuthMech class in
> the authenticate method: (see
> https://github.com/gerbermichi/keycloak/commit/1eaafcd3d9ad4082429ab500a4512c87d47ed75c)
> if (!deployment.isConfigured() ||
> !securityContext.isAuthenticationRequired()) {
>              return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
> }
>
> This hack solved all my problems. Is this a bug and should i create a
> pull request? Or are there some problems in my project configuration?
>
> Detail from my web.xml file:
>    <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>Client WS</web-resource-name>
>              <url-pattern>/clientws/*</url-pattern>
>          </web-resource-collection>
>          <web-resource-collection>
>              <web-resource-name>Client Exchange WS</web-resource-name>
>              <url-pattern>/services/exchange/*</url-pattern>
>          </web-resource-collection>
>          <user-data-constraint>
>              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>          </user-data-constraint>
>      </security-constraint>
>
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>All</web-resource-name>
>              <url-pattern>/*</url-pattern>
>          </web-resource-collection>
>          <auth-constraint>
>              <role-name>myRole</role-name>
>          </auth-constraint>
>          <user-data-constraint>
>              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>          </user-data-constraint>
>      </security-constraint>
>
>      <login-config>
>          <auth-method>KEYCLOAK</auth-method>
>          <realm-name>myRealm</realm-name>
>      </login-config>
>
>      <security-role>
>          <role-name>myRole</role-name>
>      </security-role>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com