[keycloak-user] Spring checks Bearer token for permitted requests
Sebastien Blanc
sblanc at redhat.com
Fri May 26 06:02:12 EDT 2017
Hmm, interesting indeed. I did the test; the ignoring stuff works as long as no
token is added ... I wonder if this is working as designed or if it is
actually a bug.
On Fri, May 26, 2017 at 8:48 AM, Hylton Peimer <
hylton.peimer at datos-health.com> wrote:
> Unfortunately that didn't work.
>
> I've implemented a hack which is something like overriding the
> KeycloakAuthenticationProcessingFilter and returning an
> AnonymousAuthenticationToken if the particular path is requested.
>
> Maybe there's a more elegant way.
>
> protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
>     KeycloakAuthenticationProcessingFilter filter =
>             new KeycloakAuthenticationProcessingFilter(this.authenticationManagerBean()) {
>         @Override
>         public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
>                 throws AuthenticationException, IOException, ServletException {
>             if (request.getServletPath().equals("/mobile/api/refresh")) {
>                 logger.error("Mobile device sent expired bearer token for /mobile/api/refresh request");
>                 return new AnonymousAuthenticationToken("blah", "blah",
>                         Collections.singleton(new SimpleGrantedAuthority("blah")));
>             }
>             return super.attemptAuthentication(request, response);
>         }
>     };
>     filter.setSessionAuthenticationStrategy(this.sessionAuthenticationStrategy());
>     return filter;
> }
>
> On Fri, May 26, 2017 at 9:15 AM, Sebastien Blanc <sblanc at redhat.com>
> wrote:
>
>> I haven't tried it but you could try to override the
>> configure(WebSecurity web) method as well :
>>
>> @Override
>> public void configure(WebSecurity web) throws Exception {
>>     web.ignoring()
>>        .antMatchers("/mobile/api/login", "/mobile/api/refresh");
>> }
>>
>>
>> On Thu, May 25, 2017 at 9:50 PM, Hylton Peimer <
>> hylton.peimer at datos-health.com> wrote:
>>
>>> I have an instance of KeycloakWebSecurityConfigurerAdapter that contains
>>> the following configuration:
>>>
>>> protected void configure(HttpSecurity httpSecurity) throws Exception {
>>>     super.configure(httpSecurity);
>>>
>>>     httpSecurity
>>>         .antMatcher("/mobile/**")
>>>         .authorizeRequests()
>>>             .antMatchers("/mobile/api/login", "/mobile/api/refresh").permitAll()
>>>             .antMatchers("/mobile/api/**").authenticated()
>>>
>>> ..........
>>>
>>> The Client is set up for bearer-only.
>>>
>>> It works fine, except when the access token expires.
>>>
>>> Some mobile clients send the expired token as a header in the call to
>>> "/mobile/api/refresh".
>>>
>>> The problem is that even though "/mobile/api/refresh" is marked as
>>> permitAll, the request is blocked.
>>>
>>> It's not possible to fix all the mobile clients. How could I configure
>>> Spring to ignore the bearer token for the "permitAll" calls, or remove
>>> the header?
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
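The distinction the thread circles around is that permitAll() only relaxes the authorization decision: every filter in the security chain, the Keycloak bearer-token filter included, still runs first, so a token presented on a public path is still validated and an expired one is rejected before the permitAll() rule is ever consulted. The following is an added example, not code from the thread or from the Keycloak project. It narrows the request matcher of the Keycloak filter so the filter does not attempt authentication on the public paths at all, which keeps the public endpoints anonymous without placing a hand-made token with a made-up authority into the SecurityContext. It also disables Spring Boot's automatic servlet registration of the filter bean, the double-registration issue the Keycloak adapter documentation describes; a second, chain-independent copy of the filter would reject the expired token regardless of permitAll() or web.ignoring() and is a plausible reason ignoring() stopped working once a token was sent. The class name MobileApiSecurityConfig and the NullAuthenticatedSessionStrategy choice are assumptions for a bearer-only client.

```java
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example (not from the thread): a bearer-only Keycloak configuration in
 * which the token filter simply does not run on the two public mobile paths.
 */
@Configuration
@EnableWebSecurity
public class MobileApiSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // The paths the thread marks permitAll(); assumed to be the only public ones.
    private static final RequestMatcher PUBLIC_PATHS = new OrRequestMatcher(
            new AntPathRequestMatcher("/mobile/api/login"),
            new AntPathRequestMatcher("/mobile/api/refresh"));

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // Bearer-only client: a validated token must not create an HTTP session.
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    // Authenticate only when an Authorization header is present AND the path is
    // not public. Otherwise the filter passes the request through untouched: the
    // SecurityContext stays anonymous and the permitAll() rule below admits it, so
    // an expired token sent to /mobile/api/refresh is never evaluated at all.
    @Bean
    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter()
            throws Exception {
        RequestMatcher requiresAuthentication = new AndRequestMatcher(
                new RequestHeaderRequestMatcher("Authorization"),
                new NegatedRequestMatcher(PUBLIC_PATHS));
        KeycloakAuthenticationProcessingFilter filter =
                new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), requiresAuthentication);
        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // installs the filter built above into the chain
        http.antMatcher("/mobile/**")
            .authorizeRequests()
                .antMatchers("/mobile/api/login", "/mobile/api/refresh").permitAll()
                .antMatchers("/mobile/api/**").authenticated();
    }

    // Spring Boot also registers every Filter bean as a plain servlet filter. That
    // copy runs before the security chain, so neither permitAll() nor
    // web.ignoring() can keep it from rejecting an expired token. Switch it off.
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }
}
```

A request to a protected path without an Authorization header also skips the filter, lands in the chain as anonymous and is turned away by the authenticated() rule through the adapter's entry point, so the protected surface is unchanged. Replacing the filter's default request matcher does drop the adapter's other triggers, such as its /sso/login path, which a bearer-only client does not use; a client that serves browser logins from the same configuration would need those matchers OR-ed back in.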