I'm trying to plug in Keycloak authentication in my web application on Springboot with KeycloakAdapter. But when i trying to login from application homepage, i get 401 error. Logfile contains this error:
2021-10-05 18:34:39,839 [http-nio-0.0.0.0-9090-exec-3] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Request is to process authentication
2021-10-05 18:34:39,839 [http-nio-0.0.0.0-9090-exec-3] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Attempting Keycloak authentication
2021-10-05 18:34:39,839 [http-nio-0.0.0.0-9090-exec-3] DEBUG o.apache.tomcat.util.http.Parameters - Set encoding to UTF-8
2021-10-05 18:34:39,839 [http-nio-0.0.0.0-9090-exec-3] DEBUG o.k.adapters.RequestAuthenticator - NOT_ATTEMPTED: bearer only
2021-10-05 18:34:39,839 [http-nio-0.0.0.0-9090-exec-3] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Auth outcome: NOT_ATTEMPTED
2021-10-05 18:34:39,839 [http-nio-0.0.0.0-9090-exec-3] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Authorization header not found, see WWW-Authenticate header
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Authorization header not found, see WWW-Authenticate header
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:168)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:86)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
I think i need to get authorization token from Keycloak and call login endpoint with it, but i cant understand where and how to do this. And its starange, that i need authenticate before authenticate... Seems like I do something wrong. Colleagues, who integarates Keycloak with Springboot, give me a hand with this please.
My config:
#KeycloakConfiguration
#ComponentScan(
basePackageClasses = {KeycloakSecurityComponents.class},
excludeFilters = #ComponentScan.Filter(type = FilterType.REGEX, pattern = "org.keycloak.adapters.springsecurity.management.HttpSessionManager"))
public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
// #formatter:off
super.configure(http);
http
.csrf().disable()
.authorizeRequests()
.antMatchers(WEBJARS_ENTRY_POINT).permitAll()
.antMatchers(DEVICE_API_ENTRY_POINT).permitAll()
.antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll()
.antMatchers(PUBLIC_LOGIN_ENTRY_POINT).permitAll()
.antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll()
.antMatchers(NON_TOKEN_BASED_AUTH_ENTRY_POINTS).permitAll()
.and()
.authorizeRequests()
.antMatchers(WS_TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
.antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated();
// #formatter:on
}
#Bean
#Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(keycloakAuthenticationProvider());
}
}
And .yml
keycloak:
realm: "myRealm"
auth-server-url: "http://localhost:18080/auth"
ssl-required: "external"
resource: "myResource"
credentials:
secret: "xxxxxxxxxxxxxxxxxxxxxxxxx"
use-resource-role-mappings: "true"
bearer-only: "true"
I found the problem. It works if change parameter bearer-only to false in .yml
keycloak:
realm: "myRealm"
auth-server-url: "http://localhost:18080/auth"
ssl-required: "external"
resource: "myResource"
credentials:
secret: "xxxxxxxxxxxxxxxxxxxxxxxxx"
use-resource-role-mappings: "true"
bearer-only: "false"
Related
I want to implement OAuth2 in my Spring Boot App.
I added
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
<version>2.3.7.RELEASE</version>
</dependency>
Basic config for GitHub (for example):
spring:
security:
oauth2:
client:
registration:
github:
client-id: xxx
client-secret: xxx
And basic WebSecurity config allowing all endpoints:
#Configuration
public class OAuth2SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.csrf().disable()
.antMatcher("/**").authorizeRequests()
.antMatchers("/**").permitAll()
.and()
.oauth2Login();
}
}
When client-id/secret is not provided, an exception occurs so the config is picked up properly.
But I can't access the oauth login page which should be http://localhost:8080/oauth2/authorization/github, I have an 404 instead.
I have a web-app running with SSL only (no http allowed) on port 8080:
server:
ssl:
key-store-type: PKCS12
key-store: file:${SERVER_KEYSTORE_PATH}
key-store-password: ${SERVER_CERT_PASSWORD}
port: 8080
When I launch the app, I see in the logs:
2020-03-17 17:32:29.836 INFO 90960 --- [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (https)
One of my endpoints (the root one, actually) is protected by Spring Security, OAuth2:
#Override
protected void configure(HttpSecurity http) throws Exception {
String baseURI = redirectURI.substring(redirectURI.lastIndexOf("/"));
http.csrf().disable()
.authorizeRequests()
.antMatchers("/").authenticated()
.antMatchers("/**").permitAll()
.and()
.oauth2Login()
.defaultSuccessUrl("/")
.redirectionEndpoint().baseUri(baseURI);
}
The problem is that when I go to https://localhost:8080 - it redirects me to https://localhost:8443/oauth2/authorization/oauth So, for some reason the port 8080 is overriden with 8443.
As far as I understood from similar questions, this is happening because Tomcat is trying to redirect the user to the SSL-enabled endpoint (https) from the plain endpoint (http). But my endpoint is already SSL-enabled, so I don't really understand why is it happening. If I go to any other endpoint, it works with https and 8080 port - so only protected endpoint is problematic.
I tried to customize TomcatServletWebServerFactory with ConnectorCustomizers and set there redirect port to 8080, but it didn't help.
Any ideas on how to disable this useless redirect?
As per https://github.com/spring-projects/spring-security/issues/8140#issuecomment-600980028 :
#Override
protected void configure(HttpSecurity http) throws Exception {
PortMapperImpl portMapper = new PortMapperImpl();
portMapper.setPortMappings(Collections.singletonMap("8080","8080"));
PortResolverImpl portResolver = new PortResolverImpl();
portResolver.setPortMapper(portMapper);
LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint(
"/login");
entryPoint.setPortMapper(portMapper);
entryPoint.setPortResolver(portResolver);
http
.exceptionHandling()
.authenticationEntryPoint(entryPoint)
.and()
//...
;
}
I've integrated SBA to the project. Without any authentication all clients register for SBA server and I can see all actuator endpoints, which I've opened.
I wish to have login page at SBA admin page and wish open registration only for SBA clients with proper permissions. I've added user/password properties at both sides, according to SBA documentation.
If I just add at SBA server user and password, and the same user and password I also configure for all SBA clients, all clients got responses 403 FORBIDDEN Failed to register application as Application()
SBA server part:
application.properties
spring.security.user.name=admin
spring.security.user.password=admin
spring.boot.admin.client.instance.metadata.user.name=admin
spring.boot.admin.client.instance.metadata.user.password=admin
server.port=8090
management.endpoints.web.exposure.include=
management.endpoints.web.base-path=/_manage
management.endpoints.jmx.exposure.include=
management.endpoint.shutdown.enabled=true
management.server.port=8090
security configuration with opened permissions to /instances
#Configuration
#ConditionalOnProperty(value = "spring.security.enabled", havingValue = "true")
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/login.html")
.loginProcessingUrl("/login")
.permitAll();
http
.logout().logoutUrl("/logout");
http
.csrf().disable();
http
.authorizeRequests()
.antMatchers("/login.html", "/** ** /** .css", "/img/** ** ", "/third-party/** ** ")
.permitAll();
http
.authorizeRequests()
.antMatchers("/instances")
.permitAll();
//.authenticated();
http.httpBasic();
}
}
SBA client has the same user and password, to be able to register at SBA server:
application.properties
instance.name=clientdemo
feed.generation.type=CLIENTDEMO
spring.boot.admin.url=http://localhost:8090
spring.boot.admin.client.url=http://localhost:8090
spring.boot.admin.client.username=admin
spring.boot.admin.client.password=admin
spring.security.user.name=admin
spring.security.user.password=admin
server.port=8091
# ACTUATOR
management.endpoints.web.exposure.include=*
#management.endpoints.web.base-path=/_manage
management.endpoint.shutdown.enabled=true
management.server.port=8091
As result at SBA client side I see from the logs an error :
: Writing [Application(name=demo-worker, managementUrl=http://http://localhost:8091/actuator, healthUrl=http://localhost:8091/actuator/health, serviceUrl=http://localhost:8091/)] as "application/json"
: sun.net.www.MessageHeader#4089d6fd8 pairs: {POST /instances HTTP/1.1: null}{Accept: application/json}{Content-Type: application/json}{Authorization: Basic YWRtaW46YWRtaW4=}{User-Agent: Java/1.8.0_211}{Host: localhost:8090}{Connection: keep-alive}{Content-Length: 267}
: sun.net.www.MessageHeader#50cf05ff11 pairs: {null: HTTP/1.1 403}{Content-Type: text/plain}{Cache-Control: no-cache, no-store, max-age=0, must-revalidate}{Pragma: no-cache}{Expires: 0}{X-Content-Type-Options: nosniff}{X-Frame-Options: DENY}{X-XSS-Protection: 1 ; mode=block}{Referrer-Policy: no-referrer}{Transfer-Encoding: chunked}{Date: Wed, 13 Nov 2019 12:48:32 GMT}
: Response 403 FORBIDDEN
: Failed to register application as Application(name=demo-worker, managementUrl=http://localhost:8091/actuator, healthUrl=http://localhost:8091/actuator/health, serviceUrl=http://localhost:8091/) at spring-boot-admin ([http://localhost:8090/instances]): 403 null
: HTTP POST http://localhost:8090/instances
: Accept=[application/json, application/*+json]
And from SBA server side I see at the logs :
{"name":"demo-worker","managementUrl":"http://localhost:8091/actuator","healthUrl":"http://localhost:8091/actuator/health","serviceUrl":"http://localhost:8091/","metadata":o.a.c.a.AuthenticatorBase: Security checking request POST /instances
My SBA server is registered at port 8090 and SBA client is registered at port 8091.
you should add this:
.antMatchers(HttpMethod.POST, "/actuator/**")
.permitAll()
I'm new with Spring Security and trying to develop Spring Boot app with Google login using OAuth2 which runs under hostname:8080. This app is behind Apache reverse proxy server https://url.com.
Spring Boot version 2.1.0
Spring Security version 5.1.1
build.gradle:
dependencies {
implementation("org.springframework.boot:spring-boot-starter-web")
implementation("org.springframework.boot:spring-boot-starter-security")
implementation("org.springframework.security:spring-security-oauth2-client")
implementation("org.springframework.security:spring-security-oauth2-jose")
}
application.yml:
oauth2:
client:
registration:
google:
clientId: <clientId>
clientSecret: <clientSecret>
scope: profile, email, openid
server:
use-forward-headers: true
servlet:
session:
cookie:
http-only: false
Spring Security config:
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.oauth2Login();
}
}
I request https://url.com
Get redirected to https://accounts.google.com/signin/oauth/
When authenticated get redirected back to
https://url.com/login/oauth2/code/google?state={state}&code={code}&scope=openid+email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.me&authuser=0&session_state={session_state}&prompt=none which timed out with error:
[invalid_token_response] An error occurred while attempting to
retrieve the OAuth 2.0 Access Token Response: I/O error on POST
request for "https://www.googleapis.com/oauth2/v4/token": Connection
timed out (Connection timed out); nested exception is
java.net.ConnectException: Connection timed out (Connection timed out)
Is this error caused by the proxy server settings or boot app? Thanks for help.
Solved. I had to set the JVM parameters:
https.proxyHost=[host]
https.proxyPort=[port]
http.proxyHost=[host]
http.proxyPort=[port]
We are implementing the service using Spring Boot (1.2.2) with WSO2 IS (5.x) as OAuth2 Identity provider.
As part of logout we wanted to run some cleaning activities and then redirect to login page. Following is the Spring Security Configuration class
#Configuration
#EnableWebMvcSecurity
public class SecurityConfiguration extends OAuth2SsoConfigurerAdapter {
private final Logger log = LoggerFactory.getLogger(this.getClass());
#Autowired
private OAuth2ClientContext oAuth2ClientContext;
#Autowired
private MmaLogoutHandler logoutHandler;
#Override
public void match(RequestMatchers matchers) {
matchers.anyRequest();
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logoff", "GET"))
.logoutSuccessUrl("/#/home")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID","remember-me")
.permitAll()
.and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
.addFilterBefore(customerAuthorizationFilter(), AbstractPreAuthenticatedProcessingFilter.class);
}
When the logout is called, the log shows that spring security has cleared the session, but it fails to redirect -
2015-09-01 14:23:05.983 DEBUG 12936 --- [nio-8443-exec-8] o.s.s.w.a.logout.LogoutFilter : Logging out user 'org.springframework.security.oauth2.provider.OAuth2Authentication#e6269aa6: Principal: mrpink_bd3d5b71-b212-11e4-ac24-22000b4791d2; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, sessionId=<SESSION>, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: ROLE_USER' and transferring to logout destination
2015-09-01 14:23:05.984 DEBUG 12936 --- [nio-8443-exec-8] o.s.s.w.a.l.SecurityContextLogoutHandler : Invalidating session: B7B50DC106F50EDA84ACFEF229DE167B
2015-09-01 14:23:05.984 DEBUG 12936 --- [nio-8443-exec-8] .s.s.w.a.l.SimpleUrlLogoutSuccessHandler : Using default Url: /#/home
2015-09-01 14:23:05.984 DEBUG 12936 --- [nio-8443-exec-8] .s.s.w.a.l.SimpleUrlLogoutSuccessHandler : Response has already been committed. Unable to redirect to /#/home
2015-09-01 14:23:05.984 DEBUG 12936 --- [nio-8443-exec-8] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
As per log the redirection fails and the page is not actually redirected.
Is this due to OAuth2 or there is already default log out handler with Spring boot that is needed to be overridden?