0

I have a docker-keycloak running on my localhost:8080 and I have a tomcat server running on localhost:8081 where a servlet is running /dummy and I get a Hello World back.

Now I've created a filter for the Keycloak and added to the war and redployed the servlet. And as expected I get a 403 - Forbidden

Type Status Report
Description The server understood the request but refuses to authorize it.

In Keycloak Admin-Console I have a Client dummy and a user demo (realm also demo).

Here is the keycloak.json in the app:

{
  "realm": "demo",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "dummy",
  "public-client": true
}

So first I do: 

POST http://localhost:8080/auth/realms/demo/protocol/openid-connect
/token?client_id=dummy&username=demo&password=demodemo&grant_type=password
Accept: */*
Cache-Control: no-cache

and then I receive something like this:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPcHNsOVltbmdEbmlCWGZheUsxNy1lbEJkZVNqTHlWdjI3QXpLMmVNYTRzIn0.eyJqdGkiOiJlYTc5ZjUzZC0zM2IzLTQ2OGYtOTkzMS03NmFjMGFiOWNmMTUiLCJleHAiOjE1MjY0NjkxMzQsIm5iZiI6MCwiaWF0IjoxNTI2NDY4ODM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImR1bW15Iiwic3ViIjoiOTUyZjAxNjYtODg4Zi00ZTE0LWFiOTYtZTRmMDcxNmViOTMxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZHVtbXkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJmYWNkNGM2Yi0wMmYzLTQ0NGMtODMxYy1kNjk4ZmVhMzc5YTciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiJiNGU0MGEyMS1lMTA1LTRmMTgtOTc2My00Mzk4YzI5NDg3MWEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiZHVtbXkvKiJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiZGVtbyBkZW1vbnN0cmF0aW9uIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGVtbyIsImdpdmVuX25hbWUiOiJkZW1vIiwiZmFtaWx5X25hbWUiOiJkZW1vbnN0cmF0aW9uIiwiZW1haWwiOiJkZW1vQGRlbW8uZGUifQ.jLGZV3N40Tl8IVPy1jWiC2tNJsRZ4MQQNL2cl6qgAarzh5HDSQIlbWkcAQZ1zM2SOA3QBs1kXYEBAtPzDP1hClc8j_tAKqVBjUJTQQsb_IloYSOrAXGiubiqsjF_lcjLQXaKrYuDPDjMUGi6mgHNeWNoAePH8RPdl0G6DXhIoRvrycoj1iQ1KD07VX-5QDWaUo-T-MVRjy6EKAQsg4xSdHRXDuYTz1in4Kx7oSQMruWjwS0AbcMhFq7B-u8o_Z5KXZAhzvZ7fnUv-hU4Bn-6gg-j_Xuq1591kcB7iRoINtLMfH_2poKoyj-sbVxqc1NBG32_brgdaGk00kwB6joQsQ",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPcHNsOVltbmdEbmlCWGZheUsxNy1lbEJkZVNqTHlWdjI3QXpLMmVNYTRzIn0.eyJqdGkiOiJkODhiNDdiNi1mNDhjLTQyNmUtYTQwMi00NGQ2MDEyYmY0YjEiLCJleHAiOjE1MjY0NzA2MzQsIm5iZiI6MCwiaWF0IjoxNTI2NDY4ODM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImR1bW15Iiwic3ViIjoiOTUyZjAxNjYtODg4Zi00ZTE0LWFiOTYtZTRmMDcxNmViOTMxIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImR1bW15IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZmFjZDRjNmItMDJmMy00NDRjLTgzMWMtZDY5OGZlYTM3OWE3IiwiY2xpZW50X3Nlc3Npb24iOiJiNGU0MGEyMS1lMTA1LTRmMTgtOTc2My00Mzk4YzI5NDg3MWEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19fQ.GpHscNZem8-VpOBBBhxeY2ZUkz7YQ6ID--YkZI5tcJAf7BnyJ9gGpI2LMNhfD84qLrP9SeLNqJSWDsXkcSxKjyzb8XT9PJVVKnY_Bz7b-sJ0UVx9FXnI1_bnAEcU7Rvyl0EdVGJXZOSbLCRS7xXXn_GqnnZtoG2sQXPtz4fgIIBROCWkbnKZvHpeBqauuhvORwoB-lqpfdLkmhnomYIfZr6o2GfovkCHYC5-revnzLx7wygczri09sxFOXmNB_VdTU20OA7hmnhi_uE7BGewxuTBspeZ2ieZBLUzka-yFUSzxW2UQPTGvJEj2Czc7iBrw7eTmO_x6VTma--QcNP0ZA",
  "token_type": "bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPcHNsOVltbmdEbmlCWGZheUsxNy1lbEJkZVNqTHlWdjI3QXpLMmVNYTRzIn0.eyJqdGkiOiIxYzlmZWE1ZS1hZmE0LTRjNDktYjRhOS1lNDM2NjE2NDMxZDkiLCJleHAiOjE1MjY0NjkxMzQsIm5iZiI6MCwiaWF0IjoxNTI2NDY4ODM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImR1bW15Iiwic3ViIjoiOTUyZjAxNjYtODg4Zi00ZTE0LWFiOTYtZTRmMDcxNmViOTMxIiwidHlwIjoiSUQiLCJhenAiOiJkdW1teSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImZhY2Q0YzZiLTAyZjMtNDQ0Yy04MzFjLWQ2OThmZWEzNzlhNyIsImFjciI6IjEiLCJuYW1lIjoiZGVtbyBkZW1vbnN0cmF0aW9uIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGVtbyIsImdpdmVuX25hbWUiOiJkZW1vIiwiZmFtaWx5X25hbWUiOiJkZW1vbnN0cmF0aW9uIiwiZW1haWwiOiJkZW1vQGRlbW8uZGUifQ.ahjp3mrEf8aKSK7Du9xv17Nh47HvxuhfPj--eg5cx9scXpPwi0fSJ9vOvMGisWj1fkfV8A7-bmRqU6_gDVdnAoO3rs6YLx-qP3JHwu21lKhk8EfBEUNIqzNTYc-u0kNtlFpxdlTd0QKQ4wtljxQGSTQgOjBs-04DlYT7DxhG5sjO1PPy20Y51R-pe-UKTMLjAFlb5q4FAEtwXfJxT4bhEmAGDsGmWKLGoo9s3hUoB-etQkyctoV2ZMwO8acVhrX5lmEZp9zqkrRVFqpenvO2Jn1iGR54UrK9AQ5Gq9slJmKGSOIYKfJK_MOO1NycSaph13QlpQ9hy1txqRUTykyNvw",
  "not-before-policy": 0,
  "session_state": "facd4c6b-02f3-444c-831c-d698fea379a7"
}

again this works smooth, but when I do the following request:

GET http://localhost:8081/dummy
Accept: */*
Cache-Control: no-cache
Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPcHNsOVltbmdEbmlCWGZheUsxNy1lbEJkZVNqTHlWdjI3QXpLMmVNYTRzIn0.eyJqdGkiOiJlYTc5ZjUzZC0zM2IzLTQ2OGYtOTkzMS03NmFjMGFiOWNmMTUiLCJleHAiOjE1MjY0NjkxMzQsIm5iZiI6MCwiaWF0IjoxNTI2NDY4ODM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImR1bW15Iiwic3ViIjoiOTUyZjAxNjYtODg4Zi00ZTE0LWFiOTYtZTRmMDcxNmViOTMxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZHVtbXkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJmYWNkNGM2Yi0wMmYzLTQ0NGMtODMxYy1kNjk4ZmVhMzc5YTciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiJiNGU0MGEyMS1lMTA1LTRmMTgtOTc2My00Mzk4YzI5NDg3MWEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiZHVtbXkvKiJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiZGVtbyBkZW1vbnN0cmF0aW9uIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGVtbyIsImdpdmVuX25hbWUiOiJkZW1vIiwiZmFtaWx5X25hbWUiOiJkZW1vbnN0cmF0aW9uIiwiZW1haWwiOiJkZW1vQGRlbW8uZGUifQ.jLGZV3N40Tl8IVPy1jWiC2tNJsRZ4MQQNL2cl6qgAarzh5HDSQIlbWkcAQZ1zM2SOA3QBs1kXYEBAtPzDP1hClc8j_tAKqVBjUJTQQsb_IloYSOrAXGiubiqsjF_lcjLQXaKrYuDPDjMUGi6mgHNeWNoAePH8RPdl0G6DXhIoRvrycoj1iQ1KD07VX-5QDWaUo-T-MVRjy6EKAQsg4xSdHRXDuYTz1in4Kx7oSQMruWjwS0AbcMhFq7B-u8o_Z5KXZAhzvZ7fnUv-hU4Bn-6gg-j_Xuq1591kcB7iRoINtLMfH_2poKoyj-sbVxqc1NBG32_brgdaGk00kwB6joQsQ

I still get a 403.

What do I do wrong here?

I expect to see again the Hello World Text from the start.

Edit: add web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0"
>
    <!-- This is only here because Maven requires it to make a war. -->
    <module-name>dummy</module-name>

    <servlet>
        <servlet-name>dummy</servlet-name>
        <servlet-class>com.dummy.HelloWorld</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>dummy</servlet-name>
        <url-pattern>/dummy</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>Keycloak Filter</filter-name>
        <filter-class>com.dummy.security.keycloak.OIDCFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Keycloak Filter</filter-name>
        <url-pattern>/keycloak/*</url-pattern>
        <url-pattern>/dummy/*</url-pattern>
        <url-pattern>/protected/*</url-pattern>
    </filter-mapping>
</web-app>

As for Keycloak Version I use 2.5.5-Final

chiranjeevigk
  • 1,636
  • 1
  • 23
  • 43
Edwin
  • 2,146
  • 20
  • 26
  • 1
    Please, post your filter configuration and your client configuration too (which adapter do you use? which version?). Also 403 means you're forbidden to access the resource, no that you're not authenticated: https://stackoverflow.com/a/6937030/1199132 – Aritz May 16 '18 at 11:55
  • I updated the answer and filter I use the Java Servlet Filter Adapter: https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/servlet-filter-adapter.html and I will updated the authentication to authorization – Edwin May 16 '18 at 12:00
  • `Bearer` goes with first letter uppercased, but that might not be causing you that issue. Why do you have `com.dummy.security.keycloak.OIDCFilter` instead of `org.keycloak.adapters.servlet.KeycloakOIDCFilter`? – Aritz May 16 '18 at 12:07
  • I've tried also with `Bearer` still no changes and the filter is just an extension of the `org.keycloak.adapters.servlet.KeycloakOIDCFilter` which now just checks some things, hmm I will take a look into that if something odd happens. For now thanks for the tip. – Edwin May 16 '18 at 12:14
  • @XtremeBiker in the end the extended filter was the problem, the filter must access some resource that is not available on my localhost so it would send back the `403` (I know that here a `404` is better - but now it's just for testing). Now that I removed that part (for test purposes) I get to see the page always even if I don't give the access_token. Is that normal? shouldn't I get a `401`? – Edwin May 16 '18 at 13:33
  • Did you find a solution to this? – tryingToLearn Sep 10 '18 at 04:09
  • @tryingToLearn as far as I remember my solution was to set some keycloak cookies ( if your run that from browser). But the real problem is that the filter needs you to be logged in from the keycloak mask and that's why it received the `403`. – Edwin Sep 10 '18 at 10:10
  • Could you post your solution as an answer or by edition question details? – tryingToLearn Sep 10 '18 at 10:26
  • If you found the solution,please post here – Jatin Bodarya Sep 21 '18 at 05:46

0 Answers0