[keycloak-user] Noob question -- 'forbidden' on demo after redirect

Bill Burke bburke at redhat.com
Fri Feb 13 20:09:15 EST 2015


Go to the admin console.  Go to your application definition.  Go to the
scope tab.  What does it say?

On 2/13/2015 8:04 PM, Walter Rice wrote:
> Hi Bill,
>
> Thanks for the reply. I dunno! I followed the video to the letter....
> Below is my web.xml for customer-portal. Apologies for the noob question, but how
> do I check application scope?...
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>        version="3.0">
>
> <module-name>customer-portal</module-name>
>
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>Admins</web-resource-name>
>              <url-pattern>/admin/*</url-pattern>
>          </web-resource-collection>
>          <auth-constraint>
>              <role-name>admin</role-name>
>          </auth-constraint>
>      </security-constraint>
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>Customers</web-resource-name>
>              <url-pattern>/customers/*</url-pattern>
>          </web-resource-collection>
>          <auth-constraint>
>              <role-name>user</role-name>
>          </auth-constraint>
>      </security-constraint>
>
>      <!--
>      <security-constraint>
>          <web-resource-collection>
>              <url-pattern>/*</url-pattern>
>          </web-resource-collection>
>          <user-data-constraint>
>              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>          </user-data-constraint>
>      </security-constraint> -->
>
>      <login-config>
>          <auth-method>KEYCLOAK</auth-method>
>          <realm-name>cryo198</realm-name>
>      </login-config>
>
>      <security-role>
>          <role-name>admin</role-name>
>      </security-role>
>      <security-role>
>          <role-name>user</role-name>
>      </security-role>
> </web-app>
>
>
> On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke <bburke at redhat.com> wrote:
>
>     You don't have constraints set up correctly in web.xml?  You don't have
>     the appropriate scope for the application set up?
>
>     On 2/13/2015 4:47 PM, Walter Rice wrote:
>     > Hi,
>     >
>     > I am trying to set up the demo as per the youtube videos (#1 and #2). I
>     > am using keycloak 1.0.5. I have set up per the video (i think), however
>     > things aren't working as expected.
>     >
>     > I browse to http://localhost:8080/customer-portal/ and all is fine. I
>     > click Customer Listing and I am redirected to the login page as expected. I
>     > enter my name/pw, this is successful, and then I am redirected back to
>     > http://localhost:8080/customer-portal/customers/view.jsp but the page is
>     > 'Forbidden' (redirect URI appears ok here?)
>     >
>     > I am using the 'full' version with bundled wildfly server.
>     >
>     >
>     >
>      > *customer app:*
>     > keycloak file
>     >
>     > {
>     > "realm": "cryo198",
>     > "realm-public-key":
>     > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>     > "auth-server-url": "http://localhost:8080/auth",
>     > "ssl-required": "external",
>     > "resource": "customer-portal",
>     > "credentials": {
>     > "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
>     > }
>     > }
>     >
>      > *web.xml*
>     >      <login-config>
>     >          <auth-method>KEYCLOAK</auth-method>
>     >          <realm-name>cryo198</realm-name>
>     >      </login-config>
>     >
>      > *redirect URI:*
>      > /customer-portal/*
>      >
>      > *database app:*
>     > {
>     >      "realm": "cryo198",
>     >      "realm-public-key":
>     > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>     >      "auth-server-url": "http://localhost:8080/auth",
>     >      "ssl-required": "NONE",
>     >      "resource": "database",
>     >      "bearer-only": "true"
>     > }
>     >
>     >
>     >
>      > *web.xml*
>     >      <login-config>
>     >          <auth-method>KEYCLOAK</auth-method>
>     >          <realm-name>cryo198</realm-name>
>     >      </login-config>
>     >
>      > *redirect URI:*
>     > n/a, set as bearer-only
>     >
>      > *deployed apps:*
>     > $
>     > /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh
>     > -c --command="deploy -l"
>     > NAME                   RUNTIME-NAME           ENABLED STATUS
>     > admin-access.war       admin-access.war       true    OK
>     > angular-product.war    angular-product.war    true    OK
>     > auth-server.war        auth-server.war        true    OK
>     > customer-portal-js.war customer-portal-js.war true    OK
>     > customer-portal.war    customer-portal.war    true    OK
>     > database.war           database.war           true    OK
>     > product-portal.war     product-portal.war     true    OK
>     >
>     >
>     >
>     >
>     >
>     >
>     > *Log:*
>     > 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
>     > 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
>     > 2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
>     > 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
>     > 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
>     > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
>     > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
>     > 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
>     > 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
>     > 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
>     > 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
>     > 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
>     > 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
>     > 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
>     > 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
>     > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true
>     > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
>     > 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
>     > 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
>     > 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
>     > 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
>     > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
>     > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
>     > 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
>     > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
>     > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
>     > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) reseting application state cookie
>     > 2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
>     > 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
>     > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
>     > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
>     > 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
>     > 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
>     > 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
>     > 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
>     > 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
>     > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
>     > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
>     > 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
>     > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
>     > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
>     > 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
>     > 2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp
>      >
>      >
>      > Many thanks
>      > W
>      >
>      >
>      >
>      >
>      > _______________________________________________
>      > keycloak-user mailing list
>      > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>      > https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
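A check that goes with the advice above, as an added example that is not part of the thread and not Keycloak's own code: the log shows the adapter finishing with AUTHENTICATED and "use realm role mappings", so a 'Forbidden' that follows comes from the container comparing the roles the adapter found in the access token against the <auth-constraint> role-names in web.xml. The script below decodes a token's payload, reads the constraints from the posted web.xml and reports what the container would decide for a path. Assumptions that are mine, not the page's: the adapter is in its default mode and takes roles from the realm_access.roles claim (with "use-resource-role-mappings": true in keycloak.json it reads resource_access.<resource>.roles instead); the two tokens are constructed and unsigned, for inspecting claims only, since the real adapter rejects anything whose signature does not verify against realm-public-key; decide() and the other names are mine, not an adapter API.

```python
import base64
import json
import xml.etree.ElementTree as ET

JEE_NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Trimmed copy of the customer-portal web.xml posted in the thread (the two role constraints).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/customers/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Constructed, UNSIGNED token for offline inspection only; no adapter would accept it."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature (diagnostics only)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def token_roles(token: str, use_resource_role_mappings: bool = False, client_id: str = None) -> set:
    """Roles the adapter hands to the container: realm roles by default, client roles
    when keycloak.json sets use-resource-role-mappings (assumed adapter behaviour)."""
    claims = jwt_claims(token)
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern rules: path prefix (/x/*), extension (*.jsp) or exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def matching_constraints(web_xml: str, path: str) -> list:
    """For each <security-constraint> covering path, return its auth-constraint as
    None (no auth-constraint: unconstrained) or the set of role-names (empty = deny all)."""
    out = []
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", JEE_NS):
        patterns = [p.text.strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", JEE_NS)]
        if not any(url_pattern_matches(p, path) for p in patterns):
            continue
        ac = sc.find("j:auth-constraint", JEE_NS)
        out.append(None if ac is None else {r.text.strip() for r in ac.findall("j:role-name", JEE_NS)})
    return out


def decide(web_xml: str, token: str, path: str, use_resource_role_mappings: bool = False,
           client_id: str = None) -> dict:
    """Combine matching constraints as Servlet 3.0 section 13.8.1 does: an empty
    auth-constraint denies everyone, a missing one admits everyone, otherwise the
    union of the named roles is required ('*' meaning any authenticated role)."""
    roles = token_roles(token, use_resource_role_mappings, client_id)
    cons = matching_constraints(web_xml, path)
    required = set().union(*(c for c in cons if c))
    if any(c == set() for c in cons):
        decision = "FORBIDDEN"
    elif not cons or any(c is None for c in cons):
        decision = "UNCONSTRAINED"
    elif "*" in required or roles & required:
        decision = "ALLOW"
    else:
        decision = "FORBIDDEN"
    return {"decision": decision, "token_roles": roles, "required_roles": required}


# Constructed tokens (issuer and username taken from the thread, claims invented):
# the first carries 'user' only as a client role, the second as a realm role.
TOKEN_WITHOUT_USER_ROLE = make_unsigned_token({
    "iss": "http://localhost:8080/auth/realms/cryo198", "preferred_username": "walt",
    "realm_access": {"roles": []},
    "resource_access": {"customer-portal": {"roles": ["user"]}},
})
TOKEN_WITH_USER_ROLE = make_unsigned_token({
    "iss": "http://localhost:8080/auth/realms/cryo198", "preferred_username": "walt",
    "realm_access": {"roles": ["user"]},
})

if __name__ == "__main__":
    for name, tok in (("no realm role", TOKEN_WITHOUT_USER_ROLE), ("realm role user", TOKEN_WITH_USER_ROLE)):
        print(name, decide(WEB_XML, tok, "/customers/view.jsp"))
    # Same first token, adapter switched to use-resource-role-mappings: the client role now counts.
    print("resource mapping", decide(WEB_XML, TOKEN_WITHOUT_USER_ROLE, "/customers/view.jsp",
                                     use_resource_role_mappings=True, client_id="customer-portal"))
```

The first case is the shape of the problem in the thread: authentication succeeds, the token is valid, but realm_access.roles does not contain 'user', so /customers/* is refused. In Keycloak 1.x the application's scope (the Scope tab Bill points at) limits which realm roles are written into that application's tokens, so a user who visibly holds the role in the admin console can still receive a token without it; reading the roles out of the actual token, as above, tells the two cases apart faster than re-reading web.xml.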

