I have embedded Jetty running on port 7000. Also, I have a keycloak server running on same machine on port 8100.
My all clients access goes via Jetty i.e. localhost:7000. So, I have put keycloak as reverse proxy on Jetty i.e localhost:7000/keycloak/auth will redirect to localhost:8100/auth. It is hitting correctly.
Now, there is KeycloakInstalled client to authenticate the user. I have provided auth-url as http://localhost:7000/keycloak/auth. When I run this client, it correctly authenticate the user, but when retruning the token, it gives out the exception that auth-url (localhost:7000/keycloak/auth) given to it does not match the url from keycloak sever (localhost:8100/auth).
I tried out doing following also:
https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html
But, I am unable to generate X-Forward headers from Jetty.
Am I doing any basic thing wrong here?
Any pointers here would be very helpful.
Thanks.
I workaround it by mapping http://localhost:7000/auth (not localhost:7000/keycloak/auth) to http://localhost:8100/auth via Jetty reverse proxy. It worked perfectly.
P.S. I also need to add proxy-address-forwarding="true" in keycloak standalone.xml
Related
We have a Java web application at http://ourapp.com hosted at Heroku and the frontend of the app cannot connect to the WebSocket endpoint (endpoint) running in a Heroku dyno. We have tried these URIs:
ws://ourapp.com/endpoint
ws://ourapp.com:80/endpoint
ws://ourapp.com:8080/endpoint
ws://ourapp.com:8084/endpoint
ws://ourapp.com:443/endpoint
wss://ourapp.com/endpoint
wss://ourapp.com:80/endpoint
wss://ourapp.com:8080/endpoint
wss://ourapp.com:8084/endpoint
wss://ourapp.com:443/endpoint
None of the above open a connection. What are we missing here?
PS: I have set up a test ground: http://vakuutustiedot-dev.herokuapp.com/websocket.test.html (the URI is PROTOCOL:vakuutustiedot-dev.herokuapp.com:PORT/trial)
The target app runs in a Heroku Apache Tomcat 8.5.38.
What comes to the port number, I am not sure how to get one.
Perhaps you have missed adding the support of WebSockets to Heroku, like in this answer (https://stackoverflow.com/a/50002416/11197115)?
Maybe you should try configuring the proxy attribute of devServer. This attribute is used when the frontend app and backend api are not running on the same host. Perhaps the below setting might solve your problem.
module.exports = {
devServer: {
proxy: 'ws://ourapp.com:8080/endpoint'
}
}
For more info see the docs: https://cli.vuejs.org/config/#devserver
I created a soap client with wsimport and a given wsdl. I also used SoapUI to test the service. Using SoapUI I had no problem but when using my Java client I get
java.net.ConnectException: Connection timed out: connect
The default values I have in the requestContext are as follows
com.sun.xml.internal.ws.connect.timeout=100000
javax.xml.ws.service.endpoint.address=[fully qualified domain name endpoint]
com.sun.xml.internal.ws.request.timeout=100000
javax.xml.ws.soap.http.soapaction.use=null
com.sun.xml.internal.ws.client.ContentNegotiation=none
javax.xml.ws.soap.http.soapaction.uri=null
I've tried increasing the timeout but it still doesn't connect.
Has anyone else had a similar problem?
As you mentioned the problem is of proxy, it has been answered in below links.
How to use an HTTP proxy in java
Proxy settings in a java program
If you are using proxy with authentication then you have set authenticator along with the proxy. This is answered here.
Authenticated HTTP proxy with Java
EDIT:
As correctly mentioned by William Burnham, you have set to set the properties before calling them.
Morever, I recommend you to clear the property soon after getting response using System.clearProperty(key) as the property is set for complete instance of jvm till it is restarted and hence can cause problems for other outgoing connections.
The problem was I was behind a proxy. I did different tests and found that using a web browser (or SoapUI) I was able to access the resource but from the command line it wasn't working.
After much searching, it was a simple fix: either passing the property as a jvm argument or manually setting it in the code with System.setProperty("java.net.useSystemProxies", "true"). The JVM wasn't using the proxy on its own.
EDIT
As I used wsimport I have a jax-ws client. It's important that proxy settings be configured prior to instantiantion.
ANOTHER EDIT
If by chance you're having problems and you're using an application server to make the soap request through the proxy, you may have to specify java.net.useSystemProxies=true (or similar) in the server's configuration--for example catalina.properties if using tomcat.
I followed this guide and cloned the authserver. The project has an authserver and a client (as test). Example works fine but if I remove context-path property (I just want my app to work on /), it fails after redirect back to the client. Example:
Go to the client (localhost:9999);
Redirected to the authserver (localhost:8080);
Login through GitHub;
Redirected to the authserver and immediatly to the client with next url:
http://localhost:9999/login?code=dqoxz4&state=79qtJ5
Whitelabel error page responds:
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain access token
As I mentioned above, it fails only if context-path is / (or removed at all). Otherwise, all works.
From your link:
The context path has to be explicit if you are running both the client
and the auth server on localhost, otherwise the cookie paths clash and
the two apps cannot agree on a session identifier.
We run successfully an app on / and AuthServer on /uaa. Try to set Context-Path on your AuthServer. Look at cookies from your app and AuthServer: they should not have same path.
EDIT:
Different domains should be fine. They don't share cookies. On same host, like localhost, you must use context path, because cookies are not port specific. See: https://stackoverflow.com/a/16328399/926620
Alternatively, you put domains in /etc/hosts (linux) or c:\windos\system32\drivers\etc\hosts. Just add line like:
127.0.0.1 website authserver
And then you can use http://website:9999 and http://authserver:8080 on same machine for development.
Or you can also set different names for cookies. See http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html:
server.session.cookie.name=auth
server.session.cookie.name=web
You can set RedirecURI in your client application:
security: oauth2:
client:
client-id: acme
client-secret: acmesecret
access-token-uri: http://localhost:8080/oauth/token
user-authorization-uri: http://localhost:8080/oauth/authorize
pre-established-redirect-uri: http://localhost:9999/client
and you can set it on oauth2 server while registering the clients.
but I think it return to your ROOT context pass, Somthing like it have not enough persmission on Root pass or another application uses this context pass...
I am new to Windows authentication and am facing a weird issue.
I have setup an application with SPNEGO filter library for Java.
All settings as per the documentations have been set.
Now when i open the URL of my application from another machine in the same domain, using any browser, i get a negotiation header as
TlRMTVNTUAABAAAAl4II...
This means that it is an NTLM negotiation request.
if i start fiddler and then try to run the same request for testing, i am getting a kerberos authentication request.
YIIGgwYGKwYBBQUCoIIGdzCCBnOgMDAuBg...
This means that when I am calling using fiddler, the browser is assuming that the system is on same network.
I am unable to figure out why this is happening..??
I need the kerberos ticket even in normal execution.
Server: JBoss 4.3.2 GA
anybody has any idea...??
thanks in advance
I'm new with this authentication through kerberos protocol so I tried to read a lot of howto on it but seems like I can't find any specifics with my constraints. Here is what I have :
An Active Directory Server on which users authenticate to log into their workstations
Each end user uses IE 7 to connect to my intranet application
An Apache server with load balancing
Some Tomcats servers acting as workers for the Apache server.
on each tomcat, I have 2 jakarta servlet running, users connect only on one servlet (further i will call it the servlet as if there is only one)
my tomcats need to run under jdk5. not jdk6 or jdk4. it's jdk5 period.
Now I want one to automatically get logged on my servlet. Basically I just need my servlet to retrieve the client's principal then I can manage the rest.
Based on what I understood, my client has a ticket, he ask the KDC for a special ticket for accessing the apache server, then he tries to connect to the Apache server. Based on his keytab, the apache server then decode the auth data and grant/refuse the access to specified resource.
Am I right? please guide me through this, I've been reading pages for 4 days and still no clue on which solution is the more appropriate. I tried mod_auth_kerberos for Apache but instead of grabbing the user's ticket he ask it like a basic auth. Apparently spgneo
Thanks
Ok I got this working :
Install Kerberos 5 + apache 2 + mod_auth_kerb.
On your AD, generate a keytab with only the principal you will use for Apache, I use HTTP/apache.mydom.com#MYDOM.COM
Put this keytab file on your apache server and make it readable only
by your Apache user.
Then edit your apache conf with these directive for your secure
location
apache.conf:
[…]
ServerName apache.mydom.com:80
[…]
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[…]
<LocationMatch /secure)>
[… some other stuff …]
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Authentification requise"
KrbAuthRealms MYDOM.COM
#this allows user to be saved in the request
KrbSaveCredentials on
#this one force Negotiate AuthType instead of basic fallback
KrbMethodNegotiate on
#this trim the realm from username saved in the request (request.getRemoteUser() will give you "user" instead of "user#MYDOM.COM"
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Krb5Keytab /install/binaries/httpd/apache.keytab
KrbServiceName HTTP
require valid-user
</LocationMatch>
And the one thing I almost failed to find on the web, you have to modify your tomcat server config (tomcat/conf/server.xml) :
<Connector [... AJP connector configuration ...] request.tomcatAuthentication="false"/>
This is really important because without it you tomcat won't retrieve any info from tomcat auth.
Don't forget too, DNS is really really really really important for a Kerberos install. If you have any issue try checking your DNS for all of your servers.