Tomcat 正在使用 FormAuthentication 而不是 KeyCloak Tomcat Valve SAML 身份验证
Tomcat is using FormAuthentication instead of the KeyCloak Tomcat Valve SAML Authentication
我已经 Tomcat 设置了 KeyCloak SAML Valve。
我在日志中看到 Valve 从 keycloak-saml.xml 加载并读取其配置。当我访问我的应用程序时,我还在日志中看到会话未通过身份验证。
在我的日志中,我看到它继续调用 FormAuthenticator 而不是 KeyCloak 验证器:
15-Jun-2020 11:07:33.281 DEBUG [https-jsse-nio-8443-exec-9] org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /orbeon/fr
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET /fr --> true
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET /fr --> true
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Checking for reauthenticate in session StandardSession[B4143AFBD9BB4D6D1E208687CF9F5581]
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Save request in session 'B4143AFBD9BB4D6D1E208687CF9F5581'
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage Forwarding request for [/orbeon/fr] made with method [GET] to login page [null] of context [/orbeon] using request method GET
15-Jun-2020 11:07:33.283 WARNING [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/orbeon]
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
将它与 Valve 工作的不同环境进行比较,我看到:
12-Jun-2020 14:21:43.644 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires Start expire sessions StandardManager at 1591989703644 sessioncount 0
12-Jun-2020 14:21:43.645 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires End expire sessions StandardManager processingTime 1 expired sessions: 0
12-Jun-2020 14:21:43.646 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires Start expire sessions StandardManager at 1591989703646 sessioncount 0
12-Jun-2020 14:21:43.646 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires End expire sessions StandardManager processingTime 0 expired sessions: 0
12-Jun-2020 14:21:54.746 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /the-app/
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET / --> true
12-Jun-2020 14:21:54.748 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET / --> true
12-Jun-2020 14:21:54.750 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations Loading persistent provider registrations from [/opt/tomcat/conf/jaspic-providers.xml]
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.SamlAuthenticator.authenticate SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler@68df1d6a]
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.783 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.saml.common.DefaultPicketLinkLogger.debug org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2020-06-12T19:21:54.781Z
12-Jun-2020 14:21:54.832 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.saml.common.DefaultPicketLinkLogger.debug The provider ApacheXMLDSig - 2.14 was added at position: 2
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
12-Jun-2020 14:21:54.911 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
我可以设置哪些记录器选项来确定为什么 Tomcat 正在加载表单身份验证而不是使用阀门?
有趣的是,我可以看到两种环境的 KeyCloak 日志记录 org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session。之后失败的环境似乎调用 FormAuthenticator 而工作环境调用 SamlAuthenticator
BOTH 环境显示 KeyCloak 正在初始化并读取其配置:
15-Jun-2020 11:40:56.921 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.usingLoggerImplementation Using logger implementation: org.keycloak.saml.common.DefaultPicketLinkLogger
15-Jun-2020 11:40:56.947 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}PrivateKey bypassed
15-Jun-2020 11:40:56.947 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Certificate bypassed
15-Jun-2020 11:40:56.949 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Attribute bypassed
15-Jun-2020 11:40:56.949 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Attribute bypassed
15-Jun-2020 11:40:56.950 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Property bypassed
15-Jun-2020 11:40:56.955 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Certificate bypassed
15-Jun-2020 11:40:56.957 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.config.parsers.DeploymentBuilder.build Try to load key [mykey]
15-Jun-2020 11:40:57.320 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.RoleMappingsProviderUtils.loadProviders Loaded RoleMappingsProvider properties-based-role-mapper
15-Jun-2020 11:40:57.321 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.RoleMappingsProviderUtils.loadProviders Loaded RoleMappingsProvider properties-based-role-mapper
15-Jun-2020 11:40:57.321 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.PropertiesBasedRoleMapper.init Resource loader successfully loaded role mappings from /WEB-INF/role-mappings.properties
15-Jun-2020 11:40:57.322 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.keycloakInit Keycloak is using a per-deployment configuration.
两个环境都有 META-INF/context.xml 作为:
<Context path="/orbeon">
<Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
<Resource ... DATABASE RESOURCE INFO HERE ... />
</Context>
Web.xml 很长,但我认为安全配置的相关部分是:
<security-constraint>
<web-resource-collection>
<web-resource-name>Form Runner services and public pages and resources</web-resource-name>
<url-pattern>/*</url-pattern>
<url-pattern>/fr/service/*</url-pattern>
<url-pattern>/fr/style/*</url-pattern>
<url-pattern>/fr/not-found</url-pattern>
<url-pattern>/fr/unauthorized</url-pattern>
<url-pattern>/fr/error</url-pattern>
<url-pattern>/fr/login</url-pattern>
<url-pattern>/fr/login-error</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>orbeon-user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/fr/login</form-login-page>
<form-error-page>/fr/login-error</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>orbeon-user</role-name>
</security-role>
<!-- End Form Runner authentication -->
<session-config>
<session-timeout>60</session-timeout>
</session-config>
我尝试将 login-config 更改为 BASIC 每 WAR Configuration and Tomcat SAML Adapters 。这不会改变任一环境中的行为。
我能够 POST 将 SAML 对象签名到 /orbeon/saml 并且我看到 KeyCloak 试图验证签名等等。这应该证明 KeyCloak 正在监听,并且我的问题出在应用程序中或 web.xml 用于身份验证重定向。
请检查您使用的KeyCloak适配器的版本。 Tomcat 版本 7 的适配器不同于 Tomcat 版本 8 和 9 的适配器。
如果我们比较来自 Tomcat 8,9 against the ones for Tomcat 7 的 KeyCloak 的两个适配器模块,我们会发现来自 Tomcat 7 的模块没有覆盖或实现 FormAuthenticator.doAuthenticate。因此,如果从 Tomcat 8 调用 Tomcat 7 的模块,它将调用父 doAuthenticate 方法并尝试基于表单的身份验证。
我已经 Tomcat 设置了 KeyCloak SAML Valve。
我在日志中看到 Valve 从 keycloak-saml.xml 加载并读取其配置。当我访问我的应用程序时,我还在日志中看到会话未通过身份验证。
在我的日志中,我看到它继续调用 FormAuthenticator 而不是 KeyCloak 验证器:
15-Jun-2020 11:07:33.281 DEBUG [https-jsse-nio-8443-exec-9] org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /orbeon/fr
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET /fr --> true
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET /fr --> true
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Checking for reauthenticate in session StandardSession[B4143AFBD9BB4D6D1E208687CF9F5581]
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Save request in session 'B4143AFBD9BB4D6D1E208687CF9F5581'
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage Forwarding request for [/orbeon/fr] made with method [GET] to login page [null] of context [/orbeon] using request method GET
15-Jun-2020 11:07:33.283 WARNING [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/orbeon]
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
将它与 Valve 工作的不同环境进行比较,我看到:
12-Jun-2020 14:21:43.644 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires Start expire sessions StandardManager at 1591989703644 sessioncount 0
12-Jun-2020 14:21:43.645 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires End expire sessions StandardManager processingTime 1 expired sessions: 0
12-Jun-2020 14:21:43.646 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires Start expire sessions StandardManager at 1591989703646 sessioncount 0
12-Jun-2020 14:21:43.646 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires End expire sessions StandardManager processingTime 0 expired sessions: 0
12-Jun-2020 14:21:54.746 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /the-app/
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET / --> true
12-Jun-2020 14:21:54.748 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET / --> true
12-Jun-2020 14:21:54.750 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations Loading persistent provider registrations from [/opt/tomcat/conf/jaspic-providers.xml]
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.SamlAuthenticator.authenticate SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler@68df1d6a]
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.783 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.saml.common.DefaultPicketLinkLogger.debug org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2020-06-12T19:21:54.781Z
12-Jun-2020 14:21:54.832 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.saml.common.DefaultPicketLinkLogger.debug The provider ApacheXMLDSig - 2.14 was added at position: 2
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
12-Jun-2020 14:21:54.911 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
我可以设置哪些记录器选项来确定为什么 Tomcat 正在加载表单身份验证而不是使用阀门?
有趣的是,我可以看到两种环境的 KeyCloak 日志记录 org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session。之后失败的环境似乎调用 FormAuthenticator 而工作环境调用 SamlAuthenticator
BOTH 环境显示 KeyCloak 正在初始化并读取其配置:
15-Jun-2020 11:40:56.921 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.usingLoggerImplementation Using logger implementation: org.keycloak.saml.common.DefaultPicketLinkLogger
15-Jun-2020 11:40:56.947 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}PrivateKey bypassed
15-Jun-2020 11:40:56.947 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Certificate bypassed
15-Jun-2020 11:40:56.949 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Attribute bypassed
15-Jun-2020 11:40:56.949 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Attribute bypassed
15-Jun-2020 11:40:56.950 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Property bypassed
15-Jun-2020 11:40:56.955 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Certificate bypassed
15-Jun-2020 11:40:56.957 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.config.parsers.DeploymentBuilder.build Try to load key [mykey]
15-Jun-2020 11:40:57.320 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.RoleMappingsProviderUtils.loadProviders Loaded RoleMappingsProvider properties-based-role-mapper
15-Jun-2020 11:40:57.321 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.RoleMappingsProviderUtils.loadProviders Loaded RoleMappingsProvider properties-based-role-mapper
15-Jun-2020 11:40:57.321 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.PropertiesBasedRoleMapper.init Resource loader successfully loaded role mappings from /WEB-INF/role-mappings.properties
15-Jun-2020 11:40:57.322 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.keycloakInit Keycloak is using a per-deployment configuration.
两个环境都有 META-INF/context.xml 作为:
<Context path="/orbeon">
<Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
<Resource ... DATABASE RESOURCE INFO HERE ... />
</Context>
Web.xml 很长,但我认为安全配置的相关部分是:
<security-constraint>
<web-resource-collection>
<web-resource-name>Form Runner services and public pages and resources</web-resource-name>
<url-pattern>/*</url-pattern>
<url-pattern>/fr/service/*</url-pattern>
<url-pattern>/fr/style/*</url-pattern>
<url-pattern>/fr/not-found</url-pattern>
<url-pattern>/fr/unauthorized</url-pattern>
<url-pattern>/fr/error</url-pattern>
<url-pattern>/fr/login</url-pattern>
<url-pattern>/fr/login-error</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>orbeon-user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/fr/login</form-login-page>
<form-error-page>/fr/login-error</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>orbeon-user</role-name>
</security-role>
<!-- End Form Runner authentication -->
<session-config>
<session-timeout>60</session-timeout>
</session-config>
我尝试将 login-config 更改为 BASIC 每 WAR Configuration and Tomcat SAML Adapters 。这不会改变任一环境中的行为。
我能够 POST 将 SAML 对象签名到 /orbeon/saml 并且我看到 KeyCloak 试图验证签名等等。这应该证明 KeyCloak 正在监听,并且我的问题出在应用程序中或 web.xml 用于身份验证重定向。
请检查您使用的KeyCloak适配器的版本。 Tomcat 版本 7 的适配器不同于 Tomcat 版本 8 和 9 的适配器。
如果我们比较来自 Tomcat 8,9 against the ones for Tomcat 7 的 KeyCloak 的两个适配器模块,我们会发现来自 Tomcat 7 的模块没有覆盖或实现 FormAuthenticator.doAuthenticate。因此,如果从 Tomcat 8 调用 Tomcat 7 的模块,它将调用父 doAuthenticate 方法并尝试基于表单的身份验证。