[keycloak-user] Cannot get Keycloak Tomcat 7 adapter to work (version 3.4.3.Final)

Oxy Oxy oxyoxy_240 at yahoo.fr
Tue Mar 20 14:22:21 EDT 2018


Hi,
I have a Spring Boot 1.5.2 web app packaged as a .war hosted on Apache Tomcat 7.0.68.
I want to use the Keycloak Tomcat adapter, but I get HTTP 401 on every endpoint included in the configuration... I am using the 3.4.3.Final version.
I have read the doc @ http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/tomcat-adapter.html.
Done :
* Downloaded https://downloads.jboss.org/keycloak/3.4.3.Final/adapters/keycloak-oidc/keycloak-tomcat7-adapter-dist-3.4.3.Final.zip and extracted under <tomcat_folder>/lib/
* Created a META-INF/context.xml file with:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/my-app">
        <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
    </Context>

* Created a WEB-INF/keycloak.json file with:

    {
        "realm" : "my_realm",
        "resource" : "my_client",
        "principal-attribute": "preferred_username",
        "truststore" : "/my_path/keycloak-truststore.jks",
        "ssl-required" : "external",
        "truststore-password" : "my_password",
        "credentials" : {
            "secret" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        "auth-server-url" : "http://<keycloak_server>.fr:8443/auth"
    }

* Created a WEB-INF/web.xml file with:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:web="http://xmlns.jcp.org/xml/ns/javaee"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
        <display-name>my-app</display-name>
        <module-name>my-app</module-name>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>my_realm</realm-name>
        </login-config>
        <security-constraint>
            <web-resource-collection>
                <url-pattern>/customer/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>uma_authorization</role-name>
            </auth-constraint>
        </security-constraint>
        <security-role>
            <role-name>uma_authorization</role-name>
        </security-role>
    </web-app>

(simple test with uma_authorization, a role that every user has)

After that: HTTP 200 on every endpoint except /customer/*, where I get HTTP 401.
In debug, I have detected that the variable "account" is always null at line 61 of the CatalinaSessionTokenStore class (from the Tomcat Keycloak adapter dependency):

    Session catalinaSession = request.getSessionInternal(false);
    if (catalinaSession == null) return;
    SerializableKeycloakAccount account = (SerializableKeycloakAccount) catalinaSession.getSession().getAttribute(SerializableKeycloakAccount.class.getName());
    if (account == null) {
        return;
    }
    (... the next lines check the content of the Keycloak context)

Nothing in the Tomcat log even with TRACE level activated.
Have I forgotten something in the configuration? Is it a bug?
Thanks
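
The post above lists three adapter artifacts (context.xml, keycloak.json, web.xml) that have to agree with each other before a role-based security-constraint can work at all. The script below is an added example, written for this page and not code from the poster or from the Keycloak project: it lints a WEB-INF/keycloak.json and the security-constraint section of a WEB-INF/web.xml for the consistency problems a reviewer would look for first (required adapter keys, an http:// auth-server-url combined with ssl-required, a plain-http URL on port 8443, roles used in an auth-constraint but never declared in security-role, empty auth-constraints). The sample configs embedded in it are constructed to mirror the post, with the hypothetical host keycloak.example.fr standing in for the redacted server name; the checks are this example's own heuristics, not adapter behaviour, and the keycloak.json keys used (realm, resource, auth-server-url, ssl-required, credentials.secret, truststore, public-client) are documented adapter settings.

```python
"""Lint a Keycloak Java-adapter deployment: WEB-INF/keycloak.json plus the
security-constraint section of WEB-INF/web.xml.

Added example for the mailing-list post; not Keycloak's own code. The checks
are heuristics chosen for this example, not the adapter's runtime rules.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# web.xml may bind the Java EE namespace as the default namespace, bind it
# only under a prefix (as in the post: xmlns:web=...), or not declare it at all.
JEE_NS = "{http://xmlns.jcp.org/xml/ns/javaee}"

# Keys without which the adapter cannot locate the realm/client at all.
REQUIRED_KEYS = ("realm", "resource", "auth-server-url")


def lint_keycloak_json(text):
    """Return a list of (severity, message) findings for a keycloak.json body."""
    findings = []
    cfg = json.loads(text)
    for key in REQUIRED_KEYS:
        if key not in cfg:
            findings.append(("error", f"missing required key '{key}'"))
    url = urlparse(cfg.get("auth-server-url", ""))
    ssl_required = cfg.get("ssl-required", "external")  # adapter default is "external"
    if url.scheme == "http" and ssl_required != "none":
        findings.append(("warn", f"auth-server-url uses plain http but ssl-required is '{ssl_required}'"))
    if url.scheme == "http" and url.port == 8443:
        findings.append(("warn", "auth-server-url is http:// on port 8443 (conventionally a TLS port); check the scheme"))
    if url.scheme == "https" and "truststore" not in cfg:
        findings.append(("info", "https auth-server-url without 'truststore': the JVM default truststore will be used"))
    secret = cfg.get("credentials", {}).get("secret")
    if cfg.get("public-client") is not True and not secret:
        findings.append(("error", "confidential client without credentials.secret"))
    return findings


def _findall(node, *path):
    """findall over a namespaced or un-namespaced web.xml; first form that matches wins."""
    for ns in (JEE_NS, ""):
        hits = node.findall(".//" + "/".join(ns + p for p in path))
        if hits:
            return hits
    return []


def _texts(node, *path):
    return [(e.text or "").strip() for e in _findall(node, *path)]


def lint_web_xml(text):
    """Return (severity, message) findings for the security section of a web.xml body."""
    findings = []
    root = ET.fromstring(text)
    declared = set(_texts(root, "security-role", "role-name"))
    if not _findall(root, "login-config", "auth-method"):
        findings.append(("error", "no login-config/auth-method declared"))
    for sc in _findall(root, "security-constraint"):
        patterns = _texts(sc, "web-resource-collection", "url-pattern")
        roles = _texts(sc, "auth-constraint", "role-name")
        if not patterns:
            findings.append(("error", "security-constraint without any url-pattern"))
        # Servlet spec: an auth-constraint with no role-name grants access to nobody.
        if _findall(sc, "auth-constraint") and not roles:
            findings.append(("error", "empty auth-constraint: nobody can reach " + ", ".join(patterns)))
        for role in roles:
            if role != "*" and role not in declared:
                findings.append(("warn", f"role '{role}' used for {patterns} but not declared in security-role"))
        for pat in patterns:
            if not (pat.startswith("/") or pat.startswith("*.")):
                findings.append(("error", f"url-pattern '{pat}' is neither a path (/...) nor an extension (*.ext) mapping"))
    return findings


# Constructed sample mirroring the post; keycloak.example.fr is a hypothetical host.
SAMPLE_KEYCLOAK_JSON = """{
    "realm": "my_realm", "resource": "my_client",
    "principal-attribute": "preferred_username",
    "truststore": "/my_path/keycloak-truststore.jks", "truststore-password": "my_password",
    "ssl-required": "external",
    "credentials": {"secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},
    "auth-server-url": "http://keycloak.example.fr:8443/auth"
}"""

SAMPLE_WEB_XML = """<web-app xmlns:web="http://xmlns.jcp.org/xml/ns/javaee" version="2.5">
  <login-config><auth-method>BASIC</auth-method><realm-name>my_realm</realm-name></login-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/customer/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>uma_authorization</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>uma_authorization</role-name></security-role>
</web-app>"""


def lint_deployment(keycloak_json, web_xml):
    """Combined findings, tagged with the file they came from."""
    return ([("keycloak.json",) + f for f in lint_keycloak_json(keycloak_json)]
            + [("web.xml",) + f for f in lint_web_xml(web_xml)])


if __name__ == "__main__":
    for src, sev, msg in lint_deployment(SAMPLE_KEYCLOAK_JSON, SAMPLE_WEB_XML):
        print(f"{src}: [{sev}] {msg}")
```

Run against the constructed sample, the web.xml side comes back clean (the role is declared and the pattern is a valid path mapping), while keycloak.json produces two warnings about the plain-http auth-server-url on port 8443 under ssl-required "external"; whether that is the cause of a 401 is not something the linter can decide, but it is the first thing to reconcile before debugging the valve.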

