[keycloak-user] TOMCAT exclude protection for endpoint

Bill Burke bburke at redhat.com
Fri Dec 4 11:08:41 EST 2015


Keycloak authentication is only triggered if there is a security 
constraint for that particular URL.  We completely rely on web.xml/the 
server container for this and there is currently no additional metadata.

Keycloak 1.6 has a filter implementation.  You could possibly override 
that to bypass authentication depending on the URL if standard web.xml 
security constraints are working as expected.

On 12/4/2015 9:15 AM, Christopher Wallace wrote:
> We are using Apache TOMCAT v. 8.0.18. We have a Javascript application
> that we would like to configure web.xml using KEYCLOAK to protect all
> root URIs '/' except '/tracking'. Is there a way to exclude '/tracking'
> from being protected either in the KEYCLOAK admin console or in the
> WEB.XML itself? Some additional information is for the tracking URL we
> will use both HTTP and WEBSOCKETS protocols. Our current approach was to
> specifically protect all URI except for '/tracking' but that doesn't
> seem to be working as a solution.
>
> We have attached our example WEB.XML attempting to specifically protect
> URLs:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>           version="3.0">
>      <module-name>ROOT</module-name>
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>APP</web-resource-name>
>              <url-pattern>/app/*</url-pattern>
>          </web-resource-collection>
>          <!--API-->
>          <web-resource-collection>
>              <web-resource-name>API</web-resource-name>
>              <url-pattern>/api/*</url-pattern>
>          </web-resource-collection>
>          <!--HTML-->
>          <web-resource-collection>
>              <web-resource-name>HTML</web-resource-name>
>              <url-pattern>*.html</url-pattern>
>          </web-resource-collection>
>          <auth-constraint>
>              <role-name>user</role-name>
>          </auth-constraint>
>      </security-constraint>
>      <login-config>
>          <auth-method>KEYCLOAK</auth-method>
>          <realm-name>worktrac</realm-name>
>      </login-config>
>      <security-role>
>          <role-name>user</role-name>
>      </security-role>
> </web-app>
>
> We appreciate your feedback and thoughts on a solution.
> - Chris
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

