Question
I have a Spring Boot 1.5.2 web app packaged as a .war, hosted on Apache Tomcat 7.0.68.
I want to use the Keycloak Tomcat Adapter, but I get HTTP 401 responses on every endpoint included in the configuration... I am using the 3.4.3.Final version.
I have read the doc @ http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/tomcat-adapter.html.
Facts:
- The users, groups, roles, realm, client etc. exist in the main Keycloak configuration.
- Downloaded https://downloads.jboss.org/keycloak/3.4.3.Final/adapters/keycloak-oidc/keycloak-tomcat7-adapter-dist-3.4.3.Final.zip and extracted it under <tomcat_folder>/lib/
- Created a META-INF/context.xml file with:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/my-app">
        <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
    </Context>

- Created a WEB-INF/keycloak.json file with:

    {
      "realm" : "my_realm",
      "resource" : "my_client",
      "principal-attribute" : "preferred_username",
      "truststore" : "/my_path/keycloak-truststore.jks",
      "ssl-required" : "external",
      "truststore-password" : "my_password",
      "credentials" : {
        "secret" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      },
      "auth-server-url" : "http://<keycloak_server>.fr:8443/auth"
    }

- Created a WEB-INF/web.xml file with:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:web="http://xmlns.jcp.org/xml/ns/javaee"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
        <display-name>my-app</display-name>
        <module-name>my-app</module-name>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>my_realm</realm-name>
        </login-config>
        <security-constraint>
            <web-resource-collection>
                <url-pattern>/customer/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>uma_authorization</role-name>
            </auth-constraint>
        </security-constraint>
        <security-role>
            <role-name>uma_authorization</role-name>
        </security-role>
    </web-app>

  (simple test with uma_authorization, a role that every user has)
Conclusion: HTTP 200 on every endpoint except /customer/*, where I get HTTP 401.
Interesting thing: in debug, I have detected that the variable account is always null on line 61 of the CatalinaSessionTokenStore class (from the Tomcat Keycloak Adapter dependency):

    Session catalinaSession = request.getSessionInternal(false);
    if (catalinaSession == null) return;
    SerializableKeycloakAccount account = (SerializableKeycloakAccount) catalinaSession.getSession().getAttribute(SerializableKeycloakAccount.class.getName());
    if (account == null) {
        return;
    }

(... the next lines check the content of the Keycloak context)
Nothing in the Tomcat log even with TRACE level activated.
Did I forget something to configure? Is it a bug?
Thanks
Answer 1:
Found. In my keycloak.json, switch from:

    "auth-server-url" : "http://<keycloak_server>.fr:8443/auth"

To:

    "auth-server-url" : "https://<keycloak_server>.fr:8443/auth"

No log, no error... It's a pity that the Keycloak adapter configuration is so badly documented and logging is almost non-existent...
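The root cause in the answer above (plain http:// pointed at a TLS port, failing with a bare 401 and no log line) is exactly the kind of mistake a small preflight check of keycloak.json can catch before deploying the WAR. The script below is an added example, not code from the question, the answer, or the Keycloak project. It lints the document for missing required keys, an http:// scheme on a conventional TLS port, and an https:// URL with no truststore, and it builds the realm's OIDC discovery URL so the connection can be verified from the Tomcat host with curl. The hostname, the TLS_PORTS heuristic and the function names are assumptions made for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample mirroring the question's keycloak.json, including the
# defect the accepted answer found: http:// on the TLS port 8443.
# Hostname and secret are placeholders, not values from any real deployment.
SAMPLE_KEYCLOAK_JSON = """{
  "realm": "my_realm",
  "resource": "my_client",
  "principal-attribute": "preferred_username",
  "truststore": "/my_path/keycloak-truststore.jks",
  "ssl-required": "external",
  "truststore-password": "my_password",
  "credentials": { "secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" },
  "auth-server-url": "http://keycloak.example.fr:8443/auth"
}"""

# Keys the adapter cannot work without.
REQUIRED_KEYS = ("realm", "resource", "auth-server-url")

# Ports conventionally bound to TLS listeners (assumption: typical Tomcat and
# Keycloak deployments). Plain http:// against one of these is the mismatch
# from the question: no TLS handshake happens, token validation never
# succeeds, and the only symptom is a bare HTTP 401.
TLS_PORTS = {443, 8443}


def lint_keycloak_json(text):
    """Return a list of human-readable findings for one keycloak.json document.

    An empty list means nothing suspicious was detected. Only checks that can
    be made from the file itself are done here; no network access is attempted.
    """
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    for key in REQUIRED_KEYS:
        if key not in cfg:
            findings.append(f"missing required key '{key}'")

    url = cfg.get("auth-server-url")
    if not isinstance(url, str):
        return findings

    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        findings.append(f"auth-server-url has unsupported scheme '{parsed.scheme}'")
        return findings

    if parsed.scheme == "http" and parsed.port in TLS_PORTS:
        findings.append(
            f"auth-server-url uses http:// on port {parsed.port}, which is normally "
            "a TLS listener; expect silent token-validation failures (HTTP 401)"
        )

    # With https the adapter needs to trust the server certificate: either a
    # configured truststore, the JVM default store, or (not recommended)
    # disable-trust-manager. Flag the case where only the JVM default is left.
    if (parsed.scheme == "https" and "truststore" not in cfg
            and not cfg.get("disable-trust-manager", False)):
        findings.append(
            "https auth-server-url without 'truststore': the adapter will rely on "
            "the JVM default truststore, so a private CA will not be trusted"
        )

    return findings


def discovery_url(text):
    """Build the realm's OIDC discovery URL from a keycloak.json document.

    Fetching this URL (for example with curl) from the Tomcat host is the
    quickest preflight: if it does not return a JSON document, the adapter
    cannot reach or validate against the Keycloak server either.
    """
    cfg = json.loads(text)
    base = cfg["auth-server-url"].rstrip("/")
    return f"{base}/realms/{cfg['realm']}/.well-known/openid-configuration"


if __name__ == "__main__":
    for finding in lint_keycloak_json(SAMPLE_KEYCLOAK_JSON) or ["no findings"]:
        print("-", finding)
    print("discovery:", discovery_url(SAMPLE_KEYCLOAK_JSON))
```

Run against the sample, the linter reports the http-on-8443 mismatch; after changing the scheme to https:// it reports nothing, and the printed discovery URL is what you would fetch from the Tomcat host to confirm the adapter can actually reach the realm over TLS with the configured truststore.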
Source: https://stackoverflow.com/questions/49391338/cannot-get-keycloak-tomcat-7-adapter-to-work-version-3-4-3-final