web.xml constraints

First, I am using the adapters in a WildFly server.
I am using a web application configuration.
All works well, but for a possible “nuisance” I am seeing in the logging, that may just be because I have TRACE logging turned on.
My web.xml has two security constraints, but only one has a user role constraint, thus the “unprotected” resources should be entirely ignored by the Keycloak processing:

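<security-constraint>
    <web-resource-collection>
        <web-resource-name>unprotected</web-resource-name>
        <url-pattern>/shortcut.ico</url-pattern>
        <url-pattern>/features/*</url-pattern>
        <url-pattern>/plugins/*</url-pattern>
        <url-pattern>/registerForClock/*</url-pattern>
        <url-pattern>/registerForCallbacks/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>PremiereClientAccessRole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>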

My issue is I simply had too many problems with the websocket paths (register*) and so exclude them until I can get more time to work them. I also have to exclude the features and plugins paths, as those are accessed by a Java Web Start JNLP application, that simply cannot pass any kind of OAuth credentials, I can only make it pass a JSESSIONID query parameter.

When that occurs, I get this output:
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.elytron.ElytronSessionTokenStore] (default task-8) Account was not in session, returning null
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) there was no code
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) redirecting to auth server
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) callback uri: https://ispace.space.smil:8443/premiereclient/plugins/org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar?JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) Sending redirect to login page: https://iskeycloak:8443/auth/realms/ispace/protocol/openid-connect/auth?response_type=code&client_id=PremiereClient&redirect_uri=https%3A%2F%2Fispace.space.smil%3A8443%2Fpremiereclient%2Fplugins%2Forg.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar?JSESSIONID%3DhSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX&state=454fa0f9-9fc1-4f91-b3a5-a15a0d9499fe&login=true&scope=openid
2019-09-25 05:49:05,657 INFO [io.undertow.request.dump] (default task-8)
----------------------------REQUEST---------------------------
URI=/premiereclient/plugins/org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar
characterEncoding=null
contentLength=-1
contentType=[application/x-java-archive]
header=Accept=text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
header=Cache-Control=no-cache
header=accept-encoding=pack200-gzip,gzip
header=UA-Java-Version=1.8.0_221
header=Pragma=no-cache
header=User-Agent=JNLP/1.7.0 javaws/11.221.2.11 () Java/1.8.0_221
header=If-Modified-Since=Tue, 24 Sep 2019 23:11:52 GMT
header=Connection=keep-alive
header=content-type=application/x-java-archive
header=Host=ispace.space.smil:8443
locale=[]
method=HEAD
parameter=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
protocol=HTTP/1.1
queryString=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
remoteAddr=tlsdorl9166lg3.us.lmco.com/172.22.1.138:2503
remoteHost=tlsdorl9166lg3.us.lmco.com
scheme=https
host=ispace.space.smil:8443
serverPort=8443
isSecure=true
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=Content-Length=0
header=Date=Wed, 25 Sep 2019 05:49:05 GMT
status=200

It “says”, it is sending a redirect, but there are no Location parameters in the RESPONSE, so it just downloads the jar and everything works fine, but it is “disconcerting” that it is “attempting”, even though that URL is excluded per the security constraints.

In the case of the websocket paths, something similar occurs:

2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (default task-7) Evaluating request for path [https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773]
2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-7) adminRequest https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) --> authenticate()
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try bearer
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try query paramter auth
2019-09-25 05:49:25,700 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try basic auth
2019-09-25 05:49:25,700 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-7) NOT_ATTEMPTED: Treating as bearer only
2019-09-25 05:49:25,702 INFO [io.undertow.request.dump] (default task-7)
----------------------------REQUEST---------------------------
URI=/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
characterEncoding=null
contentLength=-1
contentType=null
cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
header=Connection=upgrade
header=Sec-WebSocket-Version=13
header=Sec-WebSocket-Key=06K18ImuBoSwY85ku2AtMA==
header=Origin=https://ispace.space.smil
header=Upgrade=websocket
header=Cookie=$Version="1"
header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil"
header=Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db
header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil"
header=Host=ispace.space.smil:8443
locale=[]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=/172.22.1.138:2525
remoteHost=tlsdorl9166lg3.us.lmco.com
scheme=https
host=ispace.space.smil:8443
serverPort=8443
isSecure=true
--------------------------RESPONSE--------------------------
contentLength=-1
contentType=null
cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; domain=null; path=/premiereclient
header=Connection=Upgrade
header=Set-Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; path=/premiereclient
header=Sec-WebSocket-Location=wss://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
header=Origin=https://ispace.space.smil
header=Upgrade=WebSocket
header=Sec-WebSocket-Accept=J5354J166p8qV08GoBhXAN6ZRjY=
header=Date=Wed, 25 Sep 2019 05:49:25 GMT
status=101

You can notice, the status is 101, so the upgrade succeeded, and all works fine, but once again, it is “disconcerting” that the adapters are doing anything at all, in an excluded URL.
I get the same logging if I do not exclude the paths, but then I get a 401 and the upgrade fails.

Please advise if you can give me something to try.
I would like to not have to exclude either of these resources, but unfortunately there is zero ability for me to integrate Web Start in any way that I can find, so I can only hope to fix the websocket resources.

Thanks

Gene
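
As an added example (not part of the original post and not Keycloak code), the following Python script resolves a request path against the two constraints listed in the post using the servlet best-match rule (exact pattern, then longest path prefix) and lists adapter log lines that concern paths whose winning constraint has no role. The sample log lines, host name and helper names are constructed for illustration.

```python
import re

# Constraints as listed in the post: (name, url-patterns, required role or None).
CONSTRAINTS = [
    ("unprotected", ["/shortcut.ico", "/features/*", "/plugins/*",
                     "/registerForClock/*", "/registerForCallbacks/*"], None),
    ("protected", ["/*"], "PremiereClientAccessRole"),
]
CONTEXT = "/premiereclient"  # context path seen in the logged URLs

# Adapter logger name, then the path part of the first https URL on the line.
LOG_RE = re.compile(
    r"\[(org\.keycloak\.adapters\.[\w.]+)\].*?https://[^/\s]+(/[^\s\]?]*)")

# Constructed sample lines (host and ids are placeholders, not from the post).
SAMPLE = [
    "05:49:05 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (task-8) "
    "callback uri: https://app.example:8443/premiereclient/plugins/a.jar?JSESSIONID=x",
    "05:49:25 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism]"
    " (task-7) Evaluating request for path "
    "[https://app.example:8443/premiereclient/registerForCallbacks/id-1]",
    "05:49:30 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (task-1) "
    "adminRequest https://app.example:8443/premiereclient/index.html",
    "05:49:25 TRACE [org.keycloak.adapters.RequestAuthenticator] (task-7) try bearer",
]

def best_match(path):
    """Return (constraint name, role) for the best-matching url-pattern.
    Only exact and path-prefix patterns are handled, as in the post."""
    best = None
    for name, patterns, role in CONSTRAINTS:
        for pat in patterns:
            if pat == path:
                rank = (2, len(pat))          # exact match wins
            elif pat.endswith("/*") and (path == pat[:-2] or path.startswith(pat[:-1])):
                rank = (1, len(pat))          # longer prefix beats shorter
            else:
                continue
            if best is None or rank > best[0]:
                best = (rank, name, role)
    return best[1:] if best else (None, None)

def adapter_hits_on_open_paths(lines):
    """Adapter log entries whose path resolves to a constraint with no role."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(2).startswith(CONTEXT + "/"):
            path = m.group(2)[len(CONTEXT):]
            name, role = best_match(path)
            if name and role is None:
                hits.append((m.group(1).rsplit(".", 1)[-1], path, name))
    return hits
```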