[keycloak-user] RV: Keycloak security question.

Jose Carlos Moral Cuevas jose.carlos.moral.cuevas at everis.com
Fri Aug 25 06:09:43 EDT 2017


Hi!!

I'm a new Keycloak user. I have a question about security configuration in keycloak.

My Keycloak server is on the Internet; it must authenticate the users who access my applications, which are on the Internet too. My problem is that the Keycloak server publishes by default the URL https://[domainserver]:8443/auth/version/ on the Internet without authentication. This could be an information leak for me and could be used by hackers to exploit vulnerabilities.

The same problem exists with the URLs:

- https://[domainserver]:8443/auth/realms/master/
- https://[domainserver]:8443/auth/js/3.2.0.cr1
- https://[domainserver]:8443/auth/js/3.2.0.cr1/keycloak.js

The question is: Could I configure Keycloak so that these pages are not public by default? I need to block access to these pages.

On the other hand, I need to change the main page redirection: "/" or "/auth" --> Welcome page. I need to change this main page because I would like to allow access only to the "/auth/admin" interface and block the others.

I hope you can help me.

Regards,

José Carlos Moral.
