无法使Keycloak Tomcat 7适配器正常工作(版本3.4.3) [英] Cannot get Keycloak Tomcat 7 adapter to work (version 3.4.3.Final)
问题描述
我有一个打包为.war的Spring Boot 1.5.2 Web App托管在Apache Tomcat 7.0.68上.
I have a Spring Boot 1.5.2 Web App packaged as a .war hosted on an Apache Tomcat 7.0.68.
我想使用Keycloak Tomcat适配器,但是在配置中包括的每个端点上遇到HTTP 401返回... 我正在使用3.4.3.最终版本.
I want to use the Keycloak Tomcat Adapter but I encounter HTTP 401 returns on every endpoints included in the configuration... I am using the 3.4.3.Final version.
我已阅读文档@ http ://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/tomcat-adapter.html .
事实:
-
Keycloak主配置中存在用户,组,角色,领域,客户端等.
The users, groups, roles, realm, client etc. exist in the main Keycloak configuration.
已下载 https://downloads.jboss.org/keycloak/3.4.3.Final/adapters/keycloak-oidc/keycloak-tomcat7-adapter-dist-3.4.3.Final.zip 并在<tomcat_folder>/lib/
使用以下命令创建了META-INF/context.xml文件:
Created a META-INF/context.xml file with :
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/my-app">
<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
使用
创建了WEB-INF/keycloak.json文件:
{
"realm" : "my_realm",
"resource" : "my_client",
"principal-attribute": "preferred_username",
"truststore" : "/my_path/keycloak-truststore.jks",
"ssl-required" : "external",
"truststore-password" : "my_password",
"credentials" : {
"secret" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"auth-server-url" : "http://<keycloak_server>.fr:8443/auth"
}
使用以下命令创建了WEB-INF/web.xml文件:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:web="http://xmlns.jcp.org/xml/ns/javaee"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>my-app</display-name>
<module-name>my-app</module-name>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>my_realm</realm-name>
</login-config>
<security-constraint>
<web-resource-collection>
<url-pattern>/customer/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>uma_authorization</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>uma_authorization</role-name>
</security-role>
(带有uma_authorization的简单测试,每个用户都具有的角色)
(simple test with uma_authorization, role that every user has)
结论::除/customer/*以外的所有终结点上的HTTP 200,我获得HTTP 401.
Conclusion : HTTP 200 on every endpoints except /customer/* where I get HTTP 401.
有趣的事情,在调试中,我从CatalinaSessionTokenStore类(根据Tomcat Keycloak Adapter依赖项)检测到,变量account始终位于行61上的null:
Interesting thing, in debug, I have detected that the variable account is always null on the line 61 from the CatalinaSessionTokenStore class (from Tomcat Keycloak Adapter dependency) :
Session catalinaSession = request.getSessionInternal(false);
if (catalinaSession == null) return;
SerializableKeycloakAccount account = (SerializableKeycloakAccount) catalinaSession.getSession().getAttribute(SerializableKeycloakAccount.class.getName());
if (account == null) {
return;
}
(... next lines are to control the content of the Keycloak context)
即使已激活TRACE级别,Tomcat日志中也没有任何内容.
Nothing in the Tomcat log even with TRACE level activated.
我是否忘记了要配置的内容?这是一个错误吗?
Did I forget something to configure ? Is it a bug ?
谢谢
推荐答案
找到了.在我的keycloak.json中,从:
Found. In my keycloak.json, switch from :
"auth-server-url" : "http://<keycloak_server>.fr:8443/auth"
收件人:
"auth-server-url" : "https://<keycloak_server>.fr:8443/auth"
没有日志,没有错误... 遗憾的是,Keycloak适配器的配置如此糟糕,并且几乎不存在日志记录...
No log, no error... It's a pity that the Keycloak adapters configuration is so badly documented and logging almost non-existent...
这篇关于无法使Keycloak Tomcat 7适配器正常工作(版本3.4.3)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
