Prepare KeyCloak:
download and unzip keycloak-22.0.1
cd to $keycloak_dir/bin
start keycloak:
./kc.sh start-dev --http-port=9080
open http://localhost:9080/
create admin user/password
open the Administration Console and sign in
create a new realm s4p_azure
click on the paginator and select "100 per page"
click on Client scopes and select roles
click on Mappers / Add mapper / From predefined mappers
select groups
create a client in that realm and name it s4p_azure_client. Under Valid redirect URIs enter http://localhost/*
create a realm role AUTHENTICATED_USER
create a user testuser
click on Credentials and set password_123 as password. Disable the Temporary switch
click on Role mapping and assign the AUTHENTICATED_USER role
open the realm settings and click on Keys
find the line with Use SIG
copy the SIG Kid
copy the SIG Public Key
Prepare the reproducer:
download and unzip the attached reproducer
copy the Kid and Public Key into $reproducer_dir/configure-wildfly.cli
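The manual step above (Keys tab, find the line with Use SIG, copy Kid and Public Key into configure-wildfly.cli) can be scripted against the Keycloak admin REST API. The following is an added example written for this page; it is not part of the attached reproducer or of Keycloak/WildFly. It assumes the Keycloak instance started above on http://localhost:9080, the realm s4p_azure, and that configure-wildfly.cli carries the hypothetical placeholders __SIG_KID__ and __SIG_PUBLIC_KEY__ (the attached file is not shown here, so adapt render_cli to its real format). The selection logic deliberately skips ENC keys, keys in PASSIVE/DISABLED state (left over from a rotation) and non-RSA signers, which is exactly where copying the wrong line by hand goes wrong.

```python
"""Select the realm's active RS256 signing key from Keycloak's admin API.

Added example, not part of the reproducer or of Keycloak/WildFly.
Assumptions: Keycloak on http://localhost:9080 (as above), realm s4p_azure,
and placeholders __SIG_KID__ / __SIG_PUBLIC_KEY__ in configure-wildfly.cli
(hypothetical; the attached CLI file is not reproduced on this page).
"""
import json
import urllib.parse
import urllib.request

KEYCLOAK = "http://localhost:9080"
REALM = "s4p_azure"


def select_sig_key(keys_metadata: dict, algorithm: str = "RS256") -> tuple:
    """Return (kid, publicKey) of the active signing key with the highest priority.

    `keys_metadata` is the JSON body of GET /admin/realms/{realm}/keys
    (KeysMetadataRepresentation). Only entries with use == "SIG",
    status == "ACTIVE", the requested algorithm and a publicKey qualify,
    so ENC keys, rotated-out (PASSIVE) keys and HMAC keys are ignored.
    """
    candidates = [
        k for k in keys_metadata.get("keys", [])
        if k.get("use") == "SIG"
        and k.get("status") == "ACTIVE"
        and k.get("algorithm") == algorithm
        and k.get("publicKey")
    ]
    if not candidates:
        raise LookupError(f"no active {algorithm} SIG key in realm key metadata")
    best = max(candidates, key=lambda k: k.get("providerPriority", 0))
    return best["kid"], best["publicKey"]


def admin_token(username: str, password: str) -> str:
    """Obtain an admin access token via the master realm's admin-cli client."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{KEYCLOAK}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_keys(token: str) -> dict:
    """GET the realm's key metadata with the admin bearer token."""
    req = urllib.request.Request(
        f"{KEYCLOAK}/admin/realms/{REALM}/keys",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def render_cli(template: str, kid: str, public_key: str) -> str:
    """Substitute the hypothetical placeholders in configure-wildfly.cli."""
    return (template.replace("__SIG_KID__", kid)
                    .replace("__SIG_PUBLIC_KEY__", public_key))


# Constructed sample in the shape of Keycloak's key metadata response:
# an ENC key, a passive (rotated-out) signer, the active signer and an HMAC key.
SAMPLE_KEYS = {
    "active": {"RS256": "kid-active"},
    "keys": [
        {"providerId": "rsa-enc-generated", "providerPriority": 100, "kid": "kid-enc",
         "status": "ACTIVE", "type": "RSA", "algorithm": "RSA-OAEP",
         "publicKey": "MIIB...enc", "use": "ENC"},
        {"providerId": "rsa-old", "providerPriority": 50, "kid": "kid-old",
         "status": "PASSIVE", "type": "RSA", "algorithm": "RS256",
         "publicKey": "MIIB...old", "use": "SIG"},
        {"providerId": "rsa-generated", "providerPriority": 100, "kid": "kid-active",
         "status": "ACTIVE", "type": "RSA", "algorithm": "RS256",
         "publicKey": "MIIB...active", "use": "SIG"},
        {"providerId": "hmac-generated", "providerPriority": 100, "kid": "kid-hmac",
         "status": "ACTIVE", "type": "OCT", "algorithm": "HS256", "use": "SIG"},
    ],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python keys.py <admin-user> <admin-password>: live server
        kid, pub = select_sig_key(fetch_keys(admin_token(sys.argv[1], sys.argv[2])))
    else:                    # no arguments: offline run on the constructed sample
        kid, pub = select_sig_key(SAMPLE_KEYS)
    print("SIG kid:", kid)
    print("SIG publicKey:", pub)
```

Run it without arguments to see the selection on the constructed sample; with the admin user and password created in the steps above it queries the live realm, and the returned pair can be fed to render_cli over the contents of configure-wildfly.cli.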
Test server with enabled security-domain:
cd to $reproducer_dir/ in a new terminal (here called "server terminal")
start the application server with
mvn -Prun-server
verify that the server started correctly. There should be no errors or exceptions in the output
keep the "server terminal" running and open your webbrowser to http://localhost:8080/sso-app/index.xhtml
click on "Access Secured Area" and log on with testuser / password_123
test with the two buttons: the first performs a direct call to an EJB annotated with @PermitAll; the second tests an EJB call via @RunAs
both calls will fail
keep the terminal open and running
Test client with enabled security-domain:
cd to $reproducer_dir/ in a new terminal (here called "client terminal")
start the client with
mvn -Prun-client
verify that the client started correctly. There should be no errors or exceptions in the output
verify that the remote EJB invocation works (marked with ****** in the output)
Test server with disabled security-domain:
stop the server with CTRL-C in the server-terminal
comment the marked line in configure-wildfly.cli
in the server terminal: start the application server with
mvn -Prun-server
verify that the server started correctly. There should be no errors or exceptions in the output
keep the "server terminal" running and open your webbrowser to http://localhost:8080/sso-app/index.xhtml
click on "Access Secured Area" and log on with testuser / password_123
test with the two buttons: the first performs a direct call to an EJB annotated with @PermitAll; the second tests an EJB call via @RunAs
both calls work now
keep the terminal open and running
Test client with disabled security-domain:
in the server-terminal: start the client with
mvn -Prun-client
verify that the client started correctly. There should be no errors or exceptions in the output
verify that the remote EJB invocation no longer works
---
Description
When a WAR inside an EAR is secured with OIDC, EJB calls from a remote SASL client application are not possible.