1 Reply Latest reply on Aug 11, 2017 9:17 AM by William Faria (WMFarinha)

    JBPM 6.5.0 and Keycloak SSO

    Ahmet Coşkun Newbie

      Hello there,

       

      I am trying to integrate Keycloak 3.1.0 and JBPM 6.5.0. From docs here, Chapter 10. Workbench Integration , I have done everything even this doc is for 6.4.0. When I enter jbpm-console It redirects me to Keycloak login page and I login with my username, password. I have created this username with Keycloak Admin Panel. So, It is not defined in JBPM. After I enter username, password, It logins and redirects me to jbpm-console path. However, It gives me Login failed: Not Authorized error in Jbpm-console page. I expect it will pass authorization in jbpm-console but no chance. How can I solve this?

        • 1. Re: JBPM 6.5.0 and Keycloak SSO
          William Faria (WMFarinha) Newbie

          Hello, did you install KC adapt, changed the standalone / configuration / standalone-full.xml xml?

          Make a change to the Wildfly standalone.xml file.

          Comment or remove this tag <single-sign-on path = "/" />

          Then go to the WAR file (jbpm-console.WAR) and change the web.xml

          Change the tag content to <auth-method> KEYCLOAK </ auth-method>

           

           

          If you are making calls via REST please comment on this item as well.

           

           

          <!-- Basic Auth Filter for REST and Maven2 repo -->

            <!-- <filter>

            <filter-name>HTTP Basic Auth Filter</filter-name>

            <filter-class>org.uberfire.ext.security.server.BasicAuthSecurityFilter</filter-class>

            <init-param>

            <param-name>realmName</param-name>

            <param-value>KIE Workbench Realm</param-value>

            </init-param>

            </filter>

           

            <filter-mapping>

            <filter-name>HTTP Basic Auth Filter</filter-name>

            <url-pattern>/rest/*</url-pattern>

            <url-pattern>/maven2/*</url-pattern>

            <url-pattern>/ws/*</url-pattern>

            </filter-mapping> -->

           

           

          Add the following section to protect the accesses rest and ws by Keycloak.

           

          <security-constraint>

          <web-resource-collection>

          <web-resource-name>remote-services</web-resource-name>

          <url-pattern>/rest/*</url-pattern>

          <url-pattern>/maven2/*</url-pattern>

          <url-pattern>/ws/*</url-pattern>

          </web-resource-collection>

          <auth-constraint>

          <role-name>rest-all</role-name>

          </auth-constraint>

          </security-constraint>

           

          Copy the keycloak.json file (into the WAR) generated by the Realm installation of Keycloak. An example of this file is:

           

          {

            "realm": "REALM_NAME",

            "auth-server-url": "http://localhost:8180/auth",

            "enable-cors" : true,

            "cors-max-age" : 1000,

            "cors-allowed-methods" : "POST, PUT, DELETE, GET",

            "ssl-required": "external",

            "resource": "RESOURCE_NAME",

            "principal-attribute": "preferred_username",

            "credentials": {

              "secret": "360f4bda-603e-4594-8cc9-13397c0c7d1d"

            },

            "use-resource-role-mappings": true

          }