Version: Keycloak 18.0.1
The following use case is working fine for me: (when I access the swagger URL, which is ignored in web.xml, it successfully bypasses authentication)
Case 1: Success Use Case: Client API with No Authorization Scope & Resources
Role Name:
In Code: Keycloak.json
```xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <!-- Everything under the context root requires the t**puser role -->
    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is mandatory in the 3.1 schema; it was missing here -->
            <web-resource-name>protected</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>t**puser</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- Swagger paths: no auth-constraint, so the container serves them without authentication.
         These patterns are more specific than /* and therefore win the match. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>swagger</web-resource-name>
            <url-pattern>/api/apiee/*</url-pattern>
            <url-pattern>/webjars/*</url-pattern>
            <url-pattern>/logonew.png</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>
    <security-role>
        <role-name>t**puser</role-name>
    </security-role>
</web-app>
```
Case 2: Failure Use Case: (when I access the swagger URL, which is ignored in web.xml, it does not bypass authentication and says Forbidden). The difference is that Resources & Authorization Scope are added.
```xml
<!-- Fragment: these elements sit inside the same <web-app> element as in Case 1 -->
<!-- Only the employees API requires a role at the container level -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Employees Resource</web-resource-name>
        <url-pattern>/v1/employees/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>employees_api_access</role-name>
    </auth-constraint>
</security-constraint>
<!-- Swagger paths: no auth-constraint, same shape as in Case 1 -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>swagger</web-resource-name>
        <url-pattern>/masterdata/apiee/*</url-pattern>
        <url-pattern>/webjars/*</url-pattern>
        <url-pattern>/logonew.png</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-role>
    <role-name>employees_api_access</role-name>
</security-role>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>this is ignored currently</realm-name>
</login-config>
```
keycloak.json & Related Java file for authscopes
```json
{
  "realm": "integrator",
  "auth-server-url": "${keycloak.authserver.url}",
  "ssl-required": "all",
  "enable-basic-auth": true,
  "resource": "generic-rest-api",
  "credentials": {
    "secret": "${keycloak.generic-rest-api.clientSecret}"
  },
  "use-resource-role-mappings": true,
  "policy-enforcer": {}
}
```
```java
// KeycloakSecurityContextProducer.java
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;

@RequestScoped
public class KeycloakSecurityContextProducer {
    // CDI injection of the current request; @Context is only honoured in JAX-RS classes
    @Inject
    private HttpServletRequest request;

    // The adapter stores the context as a request attribute once the request is
    // authenticated; it is null otherwise. The former Class<?> parameter was removed
    // because CDI treats producer-method parameters as injection points.
    @Produces
    public KeycloakSecurityContext getContext() {
        return (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    }
}

// KeycloakAuthorizationContextProducer.java
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;

@RequestScoped
public class KeycloakAuthorizationContextProducer {
    @Inject // produced by KeycloakSecurityContextProducer above
    private KeycloakSecurityContext security;

    @Produces
    public AuthorizationContext getContext() {
        // Unauthenticated requests carry no security context; avoid an NPE
        return security == null ? null : security.getAuthorizationContext();
    }
}
```
Question: How can I fix Case 2 so that it bypasses authentication for the swagger URL like in Case 1? The only difference is that resources/authorization scope are added.
(I have created a new client and the same issue occurs when I add resources and authorization. Is there anything to do in keycloak.json?)
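Added example, not part of the original post: the adapter's policy enforcer (switched on by `"policy-enforcer": {}`) evaluates every request against the client's resources and permissions on the Keycloak server, independently of the web.xml security-constraints, and in its default ENFORCING mode denies a request that matches no resource. Because it has its own per-path settings, the documented way to exclude paths from that evaluation is to list them with `"enforcement-mode": "DISABLED"`; the paths and client settings below are taken from Case 2, and that this enforcer check is what produces the Forbidden response is an assumption.

```json
{
  "realm": "integrator",
  "auth-server-url": "${keycloak.authserver.url}",
  "ssl-required": "all",
  "enable-basic-auth": true,
  "resource": "generic-rest-api",
  "credentials": {
    "secret": "${keycloak.generic-rest-api.clientSecret}"
  },
  "use-resource-role-mappings": true,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "path": "/masterdata/apiee/*",
        "enforcement-mode": "DISABLED"
      },
      {
        "path": "/webjars/*",
        "enforcement-mode": "DISABLED"
      },
      {
        "path": "/logonew.png",
        "enforcement-mode": "DISABLED"
      }
    ]
  }
}
```

Paths not listed here are still matched against the resources registered for the client on the server, as with the original empty `policy-enforcer` block, so `/v1/employees/*` keeps its permission checks.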