[keycloak-dev] Keycloak 6.0.1 and Spring(boot-starter-security) 2.1.7.RELEASE on WildFly not working
Carsten Rudat
Carsten.Rudat at faktorzehn.de
Fri Aug 23 11:10:02 EDT 2019
Hi Keycloak-Dev,
first of all: awesome product, I like it very much; it’s really feature rich!
My current goal/challenge: I have a vaadin-8 application running on WildFly 17. It uses spring-security (old one...) and I successfully used Keycloak with JeePreAuthSecurityConfig.
Now, I’m a fan of Keycloak SSO and I want to use the KeycloakRestTemplate. Therefore I tried to change to Spring-Web-Security with Keycloak. I followed Sebi's products-app (monkey-see-monkey-do) and picked spring-boot-starter-security:2.1.7.RELEASE and the newest keycloak-spring-security-adapter:6.0.1.
Running my app on http://localhost:8081/myContentRoot/myVaadinView , Keycloak kicks in and redirects me to the Keycloak login. That redirects me to ../myVaadinView/sso/login with some state parameters. But here the success story ends: I’m not redirected to “myVaadinView” as expected, but to “myContentRoot/”, where I am rejected with HTTP status 403 ☹
Debugging the whole thing twice (Sebi's Spring-boot Tomcat and my WildFly Undertow container), I found org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler#onAuthenticationSuccess, where Spring-Web-Security tries to find the original request. On WildFly this *always* fails, because org.keycloak.adapters.OAuthRequestAuthenticator#resolveCode creates a new HTTP session (reqAuthenticator.changeHttpSessionId(true)).
On Tomcat that works (I think this is a bug in Tomcat) because request.getSession(true) returns the current session, if it exists and is valid (org.apache.catalina.connector.Request.doGetSession(boolean)).
How could I deal with that? It seems to be a bug or a design problem: getting the old request from the session vs. creating a new one.
Carsten
----------------------------------------------------------------------------------
Faktor Zehn GmbH, registered office: Munich; registration number: HRB 242535; register court: Amtsgericht Muenchen
Managing directors: Dr. Florian Schwandt, Joerg Renger
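The mechanism described in the message above, modelled as an added example (not code from Keycloak, Spring Security or the poster): Spring Security's HttpSessionRequestCache parks the original request in the HTTP session under the SPRING_SECURITY_SAVED_REQUEST attribute, and SavedRequestAwareAuthenticationSuccessHandler reads it back after login. Whether that lookup succeeds depends on what the adapter's session-id change resolves to in the container: the same live session (the Tomcat getSession(true) behaviour the poster observed), a brand-new session (the WildFly/Undertow behaviour the poster observed), or a session whose id is rotated while its attributes are kept (the Servlet 3.1 changeSessionId() semantics, included here as the comparison case). The Container, Session and policy names are constructed for the model.

```python
"""Toy model: how a container's session-id change affects Spring Security's saved request.

Added illustration, not Keycloak or Spring Security code. Class names, the
policy strings and the sample URLs are constructed for the model.
"""
import itertools

SAVED_REQUEST_ATTR = "SPRING_SECURITY_SAVED_REQUEST"  # attribute name Spring Security uses
DEFAULT_TARGET = "/myContentRoot/"                    # fallback target when nothing is saved

_ids = itertools.count(1)


class Session:
    def __init__(self):
        self.id = f"sess-{next(_ids)}"
        self.attributes = {}
        self.valid = True


class Container:
    """Minimal servlet-container stand-in holding one current session."""

    def __init__(self, policy):
        self.policy = policy  # "reuse", "replace" or "rotate_id" (constructed names)
        self.current = None

    def get_session(self, create=True):
        if self.current is not None and self.current.valid:
            return self.current
        if not create:
            return None
        self.current = Session()
        return self.current

    def change_session_id(self):
        """What the adapter's changeHttpSessionId(true) resolves to under each policy."""
        if self.policy == "reuse":       # Tomcat: getSession(true) hands back the live session
            return self.get_session(True)
        if self.policy == "replace":     # observed on Undertow: fresh session, attributes gone
            self.current = Session()
            return self.current
        if self.policy == "rotate_id":   # Servlet 3.1 changeSessionId(): new id, same attributes
            self.current.id = f"sess-{next(_ids)}"
            return self.current
        raise ValueError(self.policy)


def save_request(container, target_url):
    """HttpSessionRequestCache.saveRequest: remember where the user wanted to go."""
    container.get_session(True).attributes[SAVED_REQUEST_ATTR] = target_url


def on_authentication_success(container):
    """SavedRequestAwareAuthenticationSuccessHandler: saved target, else the default."""
    session = container.get_session(False)
    if session is None:
        return DEFAULT_TARGET
    return session.attributes.get(SAVED_REQUEST_ATTR, DEFAULT_TARGET)


def login_flow(policy, target="/myContentRoot/myVaadinView"):
    """Run the sequence from the post; return (redirect_target, session_id_changed)."""
    c = Container(policy)
    save_request(c, target)       # unauthenticated hit on the protected view is cached
    before = c.get_session(True).id
    c.change_session_id()         # adapter's session-fixation step after the code exchange
    after = c.get_session(True).id
    return on_authentication_success(c), before != after


if __name__ == "__main__":
    for policy in ("reuse", "replace", "rotate_id"):
        print(policy, login_flow(policy))
```

Only the "replace" policy lands on the default target, which is the 403 on "myContentRoot/" from the post. The "rotate_id" case shows that session-fixation protection and the saved request are not in conflict: rotating the id while keeping the session's attributes defends against fixation and still lets the success handler find the original request.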