[keycloak-user] Noob question -- 'forbidden' on demo after redirect
Bill Burke
bburke at redhat.com
Sat Feb 14 09:09:13 EST 2015
You are running all the demo examples? You didn't modify them? You
loaded the appropriate realm.json files, etc.?
On 2/14/2015 9:05 AM, Walter Rice wrote:
> I used everything in 1.0.5 .....
>
> On Sat, Feb 14, 2015 at 2:03 PM, Bill Burke <bburke at redhat.com> wrote:
>
> Which demo did you build off of?
>
> On 2/14/2015 4:40 AM, Walter Rice wrote:
>
> Hi Bill,
>
> Full scope allowed: ON
>
> I changed this to off, then added user and admin roles... same result
>
> I realise it's probably a silly mistake on my part, but I just
> can't see it...
>
> If I click *customer admin interface* I get the following:
>
>
> Customer Admin Interface
>
> User *96cfdfd1-ba0d-480a-9a80-18ec830391fe* made this request.
>
>
> Admin REST To Get Role List of Realm
>
> There was a failure processing request. You either didn't configure
> Keycloak properly Status from database service invocation was: 404
>
>
> /Brian
>
>
>
> On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke <bburke at redhat.com> wrote:
>
> Go to the admin console. Go to your application definition. Go to
> the scope tab. What does it say?
>
>
> On 2/13/2015 8:04 PM, Walter Rice wrote:
>
> Hi Bill,
>
> Thanks for the reply. I dunno! I followed the video to the letter....
> below is my web.xml for customer-portal. Apologies for noob qn but how
> do I check application scope?...
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>          version="3.0">
>
>     <module-name>customer-portal</module-name>
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Admins</web-resource-name>
>             <url-pattern>/admin/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>admin</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Customers</web-resource-name>
>             <url-pattern>/customers/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>user</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>     <!--
>     <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint> -->
>
>     <login-config>
>         <auth-method>KEYCLOAK</auth-method>
>         <realm-name>cryo198</realm-name>
>     </login-config>
>
>     <security-role>
>         <role-name>admin</role-name>
>     </security-role>
>     <security-role>
>         <role-name>user</role-name>
>     </security-role>
> </web-app>
>
>
> On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke <bburke at redhat.com> wrote:
>
> You don't have constraints set up correctly in web.xml? You don't have
> the appropriate scope for the application set up?
>
> On 2/13/2015 4:47 PM, Walter Rice wrote:
> > Hi,
> >
> > I am trying to set up the demo as per the youtube videos (#1 and #2). I
> > am using keycloak 1.0.5. I have set up per the video (I think), however
> > things aren't working as expected.
> >
> > I browse to http://localhost:8080/customer-portal/ and all is fine. I
> > click Customer Listing and I am redirected to login page as expected. I
> > enter my name/pw, this is successful and then I am redirected back to
> > http://localhost:8080/customer-portal/customers/view.jsp but the page is
> > 'Forbidden' (redirect uri appears ok here?)
> >
> > I am using the 'full' version with bundled wildfly server.
> >
> >
> >
> > *customer app:*
> > keycloak file
> >
> > {
> >   "realm": "cryo198",
> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
> >   "auth-server-url": "http://localhost:8080/auth",
> >   "ssl-required": "external",
> >   "resource": "customer-portal",
> >   "credentials": {
> >     "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
> >   }
> > }
> >
> > *web.xml*
> > <login-config>
> >   <auth-method>KEYCLOAK</auth-method>
> >   <realm-name>cryo198</realm-name>
> > </login-config>
> >
> > *redirect URI:*
> > /customer-portal/*
> >
> > *database app:*
> > {
> >   "realm": "cryo198",
> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
> >   "auth-server-url": "http://localhost:8080/auth",
> >   "ssl-required": "NONE",
> >   "resource": "database",
> >   "bearer-only": "true"
> > }
> >
> > *web.xml*
> > <login-config>
> >   <auth-method>KEYCLOAK</auth-method>
> >   <realm-name>cryo198</realm-name>
> > </login-config>
> >
> > *redirect URI:*
> > n/a .. set as bearer only
> >
> > *deployed apps:*
> > $ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"
> > NAME                    RUNTIME-NAME            ENABLED  STATUS
> > admin-access.war        admin-access.war        true     OK
> > angular-product.war     angular-product.war     true     OK
> > auth-server.war         auth-server.war         true     OK
> > customer-portal-js.war  customer-portal-js.war  true     OK
> > customer-portal.war     customer-portal.war     true     OK
> > database.war            database.war            true     OK
> > product-portal.war      product-portal.war      true     OK
> >
> > *Log:*
> > 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> > 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
> > 2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
> > 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
> > 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
> > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
> > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
> > 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
> > 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
> > 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> > 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
> > 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> > 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
> > 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
> > 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
> > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true
> > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
> > 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> > 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
> > 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> > 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
> > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
> > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
> > 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie
> > 2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
> > 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
> > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
> > 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
> > 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> > 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
> > 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> > 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
> > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
> > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
> > 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
> > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
> > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
> > 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
> > 2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp
> >
> >
> > Many thanks
> > W
> >
> >
> >
> >
> > ___________________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
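
The two things asked about in this thread, the web.xml constraints and the roles that actually reach the application, can be compared directly. The following is an added example, not part of the original thread or of Keycloak's code: it reads the `<security-constraint>` entries, decodes an access token payload and reports whether a required role is missing. The `realm_access` / `resource_access` claim layout, the simplified url-pattern matching and all sample values are assumptions constructed for illustration.

```python
import base64, json
import xml.etree.ElementTree as ET

NS = {"ee": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the two constraints from the web.xml quoted in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/customers/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def required_roles(web_xml, path):
    """Roles demanded by constraints whose url-pattern covers path (simplified:
    exact and '/prefix/*' patterns only, roles of all matches are merged)."""
    roles = set()
    for sc in ET.fromstring(web_xml).findall("ee:security-constraint", NS):
        patterns = [p.text.strip() for p in sc.findall(".//ee:url-pattern", NS)]
        if any(p == path or (p.endswith("/*") and
                             (path == p[:-2] or path.startswith(p[:-1])))
               for p in patterns):
            roles |= {r.text.strip() for r in sc.findall(".//ee:role-name", NS)}
    return roles

def token_claims(jwt):
    """Decode the payload for inspection only; no signature check is done here."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def granted_roles(claims, client, use_resource_role_mappings=False):
    """Realm roles by default; client roles when the adapter is set to use them."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(client, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))

def diagnose(web_xml, path, jwt, client):
    need, have = required_roles(web_xml, path), granted_roles(token_claims(jwt), client)
    return {"required": need, "granted": have,
            "forbidden": bool(need) and not (need & have)}

def make_token(claims):  # constructed, unsigned token used only as sample input
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."
```

`path` is relative to the application's context root, for example `/customers/view.jsp` for the URL in the log above.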