[keycloak-dev] resource excludes in web.xml not working in latest master build
Bill Burke
bburke at redhat.com
Mon Dec 22 10:41:45 EST 2014
I've pinged Undertow list on why auth mechanisms is invoked for
unsecured resources.
On 12/22/2014 10:32 AM, Bill Burke wrote:
> Ok, I set up a JIRA.
>
> https://issues.jboss.org/browse/KEYCLOAK-901
>
> I need to look at Jetty/Tomcat to see if authenticate() is called. BTW,
> I'm not sure why Undertow is calling the authentication mechanism for
> unsecure resources.
>
> On 12/19/2014 11:03 AM, Michael Gerber wrote:
>> I created today a build from the latest master branch and struggled with
>> the following problem.
>> I've got some REST services which are excluded from keycloak, so I can
>> access them without a logged in user. (see detail from web.xml)
>> The request body in these post rest services were always empty. I found
>> out that my wildfly tried to authenticate all requests.
>> The tokenStore.saveRequest() method in the OAuthRequestAuthenticator
>> class read the inputStream and so it was empty later on.
>>
>> I dont understand why all my requests are authenticated, even when they
>> are excluded through the web.xml file.
>> So, I added the following lines in the ServletKeycloakAuthMech class in
>> the authenticate method: (see
>> https://github.com/gerbermichi/keycloak/commit/1eaafcd3d9ad4082429ab500a4512c87d47ed75c)
>> if (!deployment.isConfigured() ||
>> !securityContext.isAuthenticationRequired()) {
>> return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
>> }
>>
>> This hack solved all my problems. Is this a bug and should i create a
>> pull request? Or are there some problems in my project configuration?
>>
>> Detail from my web.xml file:
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Client WS</web-resource-name>
>> <url-pattern>/clientws/*</url-pattern>
>> </web-resource-collection>
>> <web-resource-collection>
>> <web-resource-name>Client Exchange WS</web-resource-name>
>> <url-pattern>/services/exchange/*</url-pattern>
>> </web-resource-collection>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint>
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>All</web-resource-name>
>> <url-pattern>/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>myRole</role-name>
>> </auth-constraint>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint>
>>
>> <login-config>
>> <auth-method>KEYCLOAK</auth-method>
>> <realm-name>myRealm</realm-name>
>> </login-config>
>>
>> <security-role>
>> <role-name>myRole</role-name>
>> </security-role>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list