[keycloak-dev] resource excludes in web.xml not working in latest master build

Bill Burke bburke at redhat.com
Mon Dec 22 10:41:45 EST 2014 

I've pinged Undertow list on why auth mechanisms is invoked for 
unsecured resources.

On 12/22/2014 10:32 AM, Bill Burke wrote:
> Ok, I set up a JIRA.
>
> https://issues.jboss.org/browse/KEYCLOAK-901
>
> I need to look at Jetty/Tomcat to see if authenticate() is called.  BTW,
> I'm not sure why Undertow is calling the authentication mechanism for
> unsecure resources.
>
> On 12/19/2014 11:03 AM, Michael Gerber wrote:
>> I created today a build from the latest master branch and struggled with
>> the following problem.
>> I've got some REST services which are excluded from keycloak, so I can
>> access them without a logged in user. (see detail from web.xml)
>> The request body in these post rest services were always empty. I found
>> out that my wildfly tried to authenticate all requests.
>> The tokenStore.saveRequest() method in the OAuthRequestAuthenticator
>> class read the inputStream and so it was empty later on.
>>
>> I dont understand why all my requests are authenticated, even when they
>> are excluded through the web.xml file.
>> So, I added the following lines in the ServletKeycloakAuthMech class in
>> the authenticate method: (see
>> https://github.com/gerbermichi/keycloak/commit/1eaafcd3d9ad4082429ab500a4512c87d47ed75c)
>> if (!deployment.isConfigured() ||
>> !securityContext.isAuthenticationRequired()) {
>>               return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
>> }
>>
>> This hack solved all my problems. Is this a bug and should i create a
>> pull request? Or are there some problems in my project configuration?
>>
>> Detail from my web.xml file:
>>     <security-constraint>
>>           <web-resource-collection>
>>               <web-resource-name>Client WS</web-resource-name>
>>               <url-pattern>/clientws/*</url-pattern>
>>           </web-resource-collection>
>>           <web-resource-collection>
>>               <web-resource-name>Client Exchange WS</web-resource-name>
>>               <url-pattern>/services/exchange/*</url-pattern>
>>           </web-resource-collection>
>>           <user-data-constraint>
>>               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>           </user-data-constraint>
>>       </security-constraint>
>>
>>       <security-constraint>
>>           <web-resource-collection>
>>               <web-resource-name>All</web-resource-name>
>>               <url-pattern>/*</url-pattern>
>>           </web-resource-collection>
>>           <auth-constraint>
>>               <role-name>myRole</role-name>
>>           </auth-constraint>
>>           <user-data-constraint>
>>               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>           </user-data-constraint>
>>       </security-constraint>
>>
>>       <login-config>
>>           <auth-method>KEYCLOAK</auth-method>
>>           <realm-name>myRealm</realm-name>
>>       </login-config>
>>
>>       <security-role>
>>           <role-name>myRole</role-name>
>>       </security-role>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-dev mailing list