HTTP 403 Forbidden error when using Keycloak to protect a Tomcat app


Problem description

I struggled with this error for a whole day. I checked my configuration of Keycloak and the APP in Tomcat again and again and did not find a bug.

Configuration of the APP:

1. Keycloak.json was copied from the Keycloak console

2. context.xml is also right, since it works fine under the "localhost" scenario

3. web.xml:

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
  version="3.0">

    <module-name>Keycloak-Tomcat-App</module-name>

    <!-- Commented out: the original constraint that protected every URL -->
    <!--
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>init pages</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    -->

    <!-- Only /roles/* is protected, and only the "admin" role may access it -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All roles pages</web-resource-name>
            <url-pattern>/roles/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>

</web-app>

I created a user named csf-admin, and assigned the roles "admin" and "user" to csf-admin.

1) Use a browser on linux.1 to access the APP deployed in Tomcat on linux.3 (using https)

2) My browser can open the Keycloak auth page (using https, Keycloak on linux.2)

3) Log in to Keycloak as csf-admin

4) Keycloak redirects me to the APP URL (using https)

5) HTTP 403 "Access to the specified resource has been forbidden." turns up

I really don't know the root cause..... need your help.....

Recommended answer

As the issue appears after submitting the login page and the redirect from the Keycloak IDP, the problem should be at the point where the client application (APP) tries to connect to the IDP for the access token.

1. There can be a connectivity issue from the client app to the IDP. You can test it with the telnet command (use your IDP's https port).

2. There can be an IDP SSL certificate verification issue. Check if the right domain name is being used, or if its CA is trusted by your client app.

See also the linked post on WildFly with Keycloak returning 403 Forbidden.
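The two checks the answer recommends, run from the host where the Tomcat adapter lives, as an added example that is not part of the original post: it derives the IDP host and port from keycloak.json (a constructed sample with placeholder values), flags adapter settings that would skip certificate verification, and then reproduces the telnet connectivity test and a TLS handshake with CA and hostname verification. It assumes the CA that the Tomcat JVM trusts is also in the system CA store, or is passed via `cafile`.

```python
import json
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample adapter config: real keycloak.json keys, placeholder values.
SAMPLE_KEYCLOAK_JSON = """{"realm": "example-realm", "resource": "Keycloak-Tomcat-App",
  "auth-server-url": "https://idp.example.invalid:8443/auth", "ssl-required": "external",
  "credentials": {"secret": "placeholder-secret"}}"""


def idp_endpoint(keycloak_json):
    """Derive (scheme, host, port) of the IDP from the adapter's auth-server-url."""
    url = urlparse(json.loads(keycloak_json)["auth-server-url"])
    return url.scheme, url.hostname, url.port or (443 if url.scheme == "https" else 80)


def config_findings(keycloak_json):
    """Flag adapter settings that skip or weaken the IDP certificate check."""
    cfg = json.loads(keycloak_json)
    findings = []
    if urlparse(cfg["auth-server-url"]).scheme != "https":
        findings.append("auth-server-url is not https")
    if cfg.get("disable-trust-manager"):
        findings.append("disable-trust-manager skips certificate verification")
    return findings


def tcp_reachable(host, port, timeout=5.0):
    """Step 1 of the answer: the same check as 'telnet <host> <port>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name not resolvable
        return False


def tls_verifies(host, port, cafile=None, timeout=5.0):
    """Step 2: handshake with CA and hostname verification (system CA store unless cafile given)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert()["subject"]
    except ssl.SSLCertVerificationError as e:  # wrong name or CA not trusted
        return False, e.verify_message
    except (ssl.SSLError, OSError) as e:
        return False, str(e)


if __name__ == "__main__":
    scheme, host, port = idp_endpoint(SAMPLE_KEYCLOAK_JSON)
    print("config findings:", config_findings(SAMPLE_KEYCLOAK_JSON) or "none")
    print("tcp reachable:", tcp_reachable(host, port))
    print("tls verifies:", tls_verifies(host, port))
```

A `False` from `tcp_reachable` points at the first hypothesis (connectivity); a `False` from `tls_verifies` with a verification message points at the second (domain name or CA trust).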
