feat: updated SSO example to Keycloak 24.0.3

camunda-community-hub · Apr 24, 2024 · da6aae6 · da6aae6
1 parent 6e2db0c
commit da6aae6
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -451,9 +451,9 @@ Running unit tests from Maven requires configuring the details of a running Keyc
 | `KEYCLOAK_URL` | Keycloak server URL.<br />Default value: `http://localhost:8080/auth`                                                 |
 | `KEYCLOAK_ADMIN_USER` | The admin user of the Keycloak server.<br />Default value: `keycloak`                                                 |
 | `KEYCLOAK_ADMIN_PASSWORD` | The admin password of the Keycloak server.<br />Default value: `keycloak1!`                                           |
- | `KEYCLOAK_ENFORCE_SUBGROUPS_IN_GROUP_QUERY` | Wether to enforce subgroup results in group queries when testing with Keycloak >= `23.0.0`<br />Default value: `true` |
+| `KEYCLOAK_ENFORCE_SUBGROUPS_IN_GROUP_QUERY` | Wether to enforce subgroup results in group queries when testing with Keycloak >= `23.0.0`<br />Default value: `true` |
 In case you choose Keycloak in the new Quarkus distribution, please be aware that `/auth` has been removed from the default context path.
-Hence, it is required to change the `KEYCLOAK_URL` for the tests. Tests also run successfully against the Quarkus
+Hence, it is required to change the `KEYCLOAK_URL` for the tests. Tests run successfully against the Quarkus
 distribution, in case you start Keycloak in Development mode.
 
 ------------------------------------------------------------

diff --git a/examples/sso-kubernetes/k8s/deployment.yaml b/examples/sso-kubernetes/k8s/deployment.yaml
@@ -20,7 +20,7 @@ spec:
       spec:
          containers:
          - name: keycloak-showcase
-           image: gunnaraccso/camunda-showcase-keycloak:7.21.0
+           image: gunnaraccso/camunda-showcase-keycloak:7.21.1
            ports:
            - containerPort: 8080
            env:
@@ -39,7 +39,7 @@ spec:
            - name: KEYCLOAK_CLIENT_ID
              value: camunda-identity-service
            - name: KEYCLOAK_CLIENT_SECRET
-             value: GBLb9KSRxmmo81SIGH2BWu3GEtrofvWo
+             value: 0F0yFyCvv2T901fvMSbKlAd7f8QkyxNg
            livenessProbe:
              httpGet:
                path: /camunda/actuator/health/liveness

diff --git a/examples/sso-kubernetes/k8s/keycloak/deployment.yaml b/examples/sso-kubernetes/k8s/keycloak/deployment.yaml
@@ -20,7 +20,7 @@ spec:
       spec:
          containers:
          - name: keycloak-server
-           image: gunnaraccso/keycloak.server:21.1.1 # quay.io/keycloak/keycloak
+           image: gunnaraccso/keycloak.server:24.0.3 # quay.io/keycloak/keycloak
            ports:
            - containerPort: 8080
              name: http

diff --git a/examples/sso-kubernetes/k8s/localhost/endpoint.yaml b/examples/sso-kubernetes/k8s/localhost/endpoint.yaml
@@ -11,4 +11,4 @@ ports:
     port: 80
 endpoints:
   - addresses:
-      - "172.28.160.1"
+      - "172.30.240.1"
diff --git a/examples/sso-kubernetes/k8s/postgresql/deployment.yaml b/examples/sso-kubernetes/k8s/postgresql/deployment.yaml
@@ -15,7 +15,7 @@ spec:
       spec:
          containers:
          - name: postgres
-           image: postgres:11.4-alpine
+           image: postgres:16.2-alpine
            ports:
            - containerPort: 5432
            env:

diff --git a/...s/src/main/java/org/camunda/bpm/extension/keycloak/showcase/sso/WebAppSecurityConfig.java b/...s/src/main/java/org/camunda/bpm/extension/keycloak/showcase/sso/WebAppSecurityConfig.java
@@ -11,6 +11,8 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.web.context.request.RequestContextListener;
 import org.springframework.web.filter.ForwardedHeaderFilter;
 
@@ -80,5 +82,13 @@ public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
 	public RequestContextListener requestContextListener() {
 	    return new RequestContextListener();
 	}
-
+
+    // Modify firewall in order to allow request details for child groups
+    @Bean
+    public HttpFirewall getHttpFirewall() {
+        StrictHttpFirewall strictHttpFirewall = new StrictHttpFirewall();
+        strictHttpFirewall.setAllowUrlEncodedPercent(true);
+        strictHttpFirewall.setAllowUrlEncodedSlash(true);
+        return strictHttpFirewall;
+    }
 }
diff --git a/examples/sso-kubernetes/src/main/resources/application.yaml b/examples/sso-kubernetes/src/main/resources/application.yaml
@@ -38,7 +38,7 @@ keycloak:
 
   # Keycloak Camunda Identity Client
   client.id: ${KEYCLOAK_CLIENT_ID:camunda-identity-service}
-  client.secret: ${KEYCLOAK_CLIENT_SECRET:GBLb9KSRxmmo81SIGH2BWu3GEtrofvWo}
+  client.secret: ${KEYCLOAK_CLIENT_SECRET:0F0yFyCvv2T901fvMSbKlAd7f8QkyxNg}
 
 # Spring Boot Security OAuth2 SSO
 spring.security:
@@ -82,5 +82,6 @@ plugin.identity.keycloak:
   useEmailAsCamundaUserId: false
   useUsernameAsCamundaUserId: true
   useGroupPathAsCamundaGroupId: true
+  enforceSubgroupsInGroupQuery: true
   administratorGroupName: camunda-admin
   disableSSLCertificateValidation: true