Question
I struggled with this error for a whole day. I checked my configuration of Keycloak and the APP in Tomcat again and again and did not find a bug.
The picture below shows the testing scenario:
The configuration of the APP:
1. keycloak.json was copied from the Keycloak console
2. context.xml is also right, because it works fine under the "localhost" scenario
3. web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <module-name>Keycloak-Tomcat-App</module-name>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>init pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All roles pages</web-resource-name>
      <url-pattern>/roles/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>this is ignored currently</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
Keycloak console configuration:
I created a user named csf-admin and assigned the roles "admin" and "user" to csf-admin.
Then:
1) Use a browser on linux.1 to access the APP deployed in Tomcat on linux.3 (using https)
2) My browser can open the Keycloak auth page (using https; Keycloak is on linux.2)
3) Log in to Keycloak as csf-admin
4) Keycloak redirects me to the APP URL (using https)
5) HTTP 403 "Access to the specified resource has been forbidden." turns up
I really don't know the root cause... need your help...
Answer 1:
As the issue appears after submitting the login page and the redirect from the Keycloak IDP, the problem should be at the point when the client application (APP) tries to connect to the IDP for the access token.
There can be a connectivity issue from the client app to the IDP. You can test it with the telnet command (use your IDP's https port).
There can be an IDP SSL certificate verification issue. Check if the right domain name is being used, or if its CA is trusted by your client app.
Also refer to the linked post: wildfly integration with keycloak 403 forbidden error
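The two checks the answer proposes (is the IdP's HTTPS port reachable from the Tomcat host, and does the IdP certificate pass hostname and CA verification there), written up as an added shell diagnostic that is not part of the original question or answer. IDP_HOST, IDP_PORT and CA_FILE are assumed placeholders, and the verdicts are derived from openssl's "Verify return code" line.

```shell
#!/bin/sh
# Added diagnostic for the answer's two suspects: is the IdP's HTTPS port reachable from
# the Tomcat host, and does the IdP certificate pass hostname + CA verification there?
# IDP_HOST, IDP_PORT and CA_FILE are placeholders to be set by the operator (not values
# taken from the question). CA_FILE should be a PEM export of the CA the Tomcat JVM
# actually trusts (cacerts, or the "truststore" configured in keycloak.json); the
# OS bundle openssl uses by default may differ from what the adapter sees.

# One TLS handshake against the IdP; returns s_client's complete output.
probe_idp() {
  host=$1; port=$2; cafile=$3
  if [ -n "$cafile" ]; then
    openssl s_client -connect "$host:$port" -servername "$host" \
      -verify_hostname "$host" -CAfile "$cafile" </dev/null 2>&1
  else
    openssl s_client -connect "$host:$port" -servername "$host" \
      -verify_hostname "$host" </dev/null 2>&1
  fi
}

# Map s_client output to a verdict: unreachable | ok | hostname-mismatch |
# no-verify-result | untrusted:<openssl verify code>. Exit status is 0 only for ok.
classify_probe() {
  out=$1
  case $out in
    *"CONNECTED("*) ;;                       # TCP connection succeeded, TLS was attempted
    *) echo unreachable; return 1 ;;         # closed port / firewall: what telnet would show
  esac
  code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
  case $code in
    0)  echo ok; return 0 ;;
    62) echo hostname-mismatch; return 2 ;;  # cert does not cover the host in auth-server-url
    '') echo no-verify-result; return 3 ;;
    *)  echo "untrusted:$code"; return 4 ;;  # e.g. 19/20/21: issuing CA not in the trust store
  esac
}

main() {
  out=$(probe_idp "$IDP_HOST" "${IDP_PORT:-8443}" "${CA_FILE:-}")
  verdict=$(classify_probe "$out") || true
  printf 'IdP %s:%s -> %s\n' "$IDP_HOST" "${IDP_PORT:-8443}" "$verdict"
  # Show which certificate the IdP actually presented, to compare with auth-server-url.
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates 2>/dev/null || true
}

# Runs only when invoked with IDP_HOST set, e.g.:  IDP_HOST=idp.example sh idp_tls_check.sh
if [ -n "${IDP_HOST:-}" ]; then main; fi
```

Run it on the Tomcat host (linux.3 in the question), since trust and routing are evaluated from the adapter's side, not from the browser's.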
Source: https://stackoverflow.com/questions/38764312/http-403-forbidden-error-when-use-keycloak-to-protect-a-tomcat-app