Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-13994

Request body not preserved when using CIP in Fuse 7.4

    Details

    • Steps to Reproduce:
      Hide

      Use

      {request.body}

      placeholder in an Undertow security adapter on Fuse 7 providing CIP resolution and check the request body reaches the next handler.

      Show
      Use {request.body} placeholder in an Undertow security adapter on Fuse 7 providing CIP resolution and check the request body reaches the next handler.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Our application encountered several issues with keycloak adapter while upgrading from Fuse 6.3 to Fuse 7.4.
      Previous configuration was set up as described in "Apache CXF Endpoint on a Separate Jetty Engine" in securing apps guide, so to minimize the application impact it was changed to one in "Apache CXF Endpoint on a Separate Undertow Engine"

      The first issue was that org.keycloak.adapters.osgi.undertow.CxfKeycloakAuthHandler does not implement policy enforcement/claim information point, just token validation.
      To have back the full functionality of previous Jetty adapter we implemented our own handler(attached) based on other Undertow adapters provided by Keycloak.

      That enabled the full previous authorization functionality but brought the second issue to light. We found that

      {request.body}

      in configuration still consumes the request body before it reaches the application(we had our own fix for Jetty adapter in the old version), and the fix given in https://issues.redhat.com/browse/KEYCLOAK-11712 only results in a null pointer exception in our case.

      The attached UndertowHttpFacade has the change we made that allows CIP to read the request body without consuming it, although it may contain some other bugs yet.

      We would like Keycloak to have the official fix for this issue going forward.
      Update to CxfKeycloakAuthHandler so it has the full functionality of other Fuse adapters would be great too.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  hmlnarik Hynek Mlnařík
                  Reporter:
                  anenno Alexei Nenno
                  Involved:
                  Alexei Nenno, Hynek Mlnařík, Panagiotis Christodoulou, Pedro Igor Silva, Stian Thorgersen
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated: