Problem logging to APS with Keycloak

zafkir — Fri, 06 Nov 2020 13:05:21 GMT

Hello,
I configure APS to authenticate via Keycloak, below my activiti-identity-service.properties:

keycloak.enabled=true
keycloak.realm=MyRealm
keycloak.auth-server-url=http://keycloak-url/auth
keycloak.resource=activiti
keycloak.credentials.secret=secret-value
keycloak.autodetect-bearer-only=true
keycloak.token-store=session
keycloak.enable-basic-auth=true

When accessing to APS, it redirects me to keycloak login page, after submitting authentication, Keycloak redirects me to this link

http://activiti-url/sso/login?state=xxx&session_state=xxx&code=xxx

and reproduce the tomcat error below:

java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed
	org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:488)
	javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
	org.springframework.security.web.firewall.FirewalledResponse.sendRedirect(FirewalledResponse.java:44)
	javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
	org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:129)
	javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
	org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:129)
	com.activiti.security.identity.service.authorization.IdentityServiceAuthenticationFailureHandler.onAuthenticationFailure(IdentityServiceAuthenticationFailureHandler.java:58)
	org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication(AbstractAuthenticationProcessingFilter.java:352)
	org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.unsuccessfulAuthentication(KeycloakAuthenticationProcessingFilter.java:219)
	org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:230)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:86)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	com.activiti.security.CustomStatelessCSRFFilter.doFilterInternal(CustomStatelessCSRFFilter.java:68)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

Do you have any idea?
Thanks

Re: Problem logging to APS with Keycloak

hmirheydari — Sat, 07 Aug 2021 14:48:02 GMT

You must make your keycloak client as confidential like below:

Make keycloak client confidential

then add the secret of your client in

activiti-identity-service.properties

and also add following line:

keycloak.public-client=false

topic Re: Problem logging to APS with Keycloak in Alfresco Forum

Problem logging to APS with Keycloak

Re: Problem logging to APS with Keycloak