I switched from FormAuthentication via Shiro to Pac4j and Shiro with Keycloak.
I noticed that the Ajax requests in my JSF pages are not working anymore, for example:
<h:form>
<p:outputPanel deferred="true" loaded="#{not empty myBean.lazyModel}">
<p:ajax event="load" listener="#{myBean.init()}" />
.....
myBean.init() is never called?
Edit: I've updated the shiro.ini with this line, then it works. But I don't think this is the correct approach!
oidcSecurityFilter.authorizers = none
Definition of oidcSecurityFilter:
oidcSecurityFilter = org.pac4j.jee.filter.SecurityFilter
When I debug in org.pac4j.jee.filter.SecurityFilter, I get for:
final SecurityLogic bestLogic = #DefaultSecurityLogic# | clientFinder: org.pac4j.core.client.finder.DefaultSecurityClientFinder@8beb950 | authorizationChecker: org.pac4j.core.authorization.checker.DefaultAuthorizationChecker@707a8365 | matchingChecker: org.pac4j.core.matching.checker.DefaultMatchingChecker@55ba1e41 | errorUrl: null | savedRequestHandler: org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler@6d270088 |
I'm not authenticated due to this line, 138, in org.pac4j.core.engine.DefaultSecurityLogic:
if (isNotEmpty(profiles)) {
LOGGER.debug("authorizers: {}", authorizers);
if (authorizationChecker.isAuthorized(context, sessionStore, profiles, authorizers, config.getAuthorizers(), currentClients)) {
It's using the org.pac4j.core.authorization.checker.DefaultAuthorizationChecker.
If I do not define this extra line in shiro.ini, the authorizers are:
[#CsrfAuthorizer# | parameterName: pac4jCsrfToken | headerName: pac4jCsrfToken | checkAllRequests: false |, #IsAuthenticatedAuthorizer# | redirectionUrl: null |]
Is this a bug? Do I need some further settings in shiro.ini?
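Added example (not part of the original post, and not pac4j's own code): a simplified Java model of the two default authorizers printed in the debug output above, showing how a POST that lacks the pac4jCsrfToken parameter or header is rejected even for a logged-in user. It assumes the JSF Ajax call is sent as a POST carrying only JSF's own fields, which the post does not confirm; the class and method names and the sample token are hypothetical.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the default authorizers from the debug output.
// Not pac4j code: class and method names are hypothetical.
public class DefaultAuthorizersModel {
    // parameterName / headerName as printed in the debug output
    static final String TOKEN_NAME = "pac4jCsrfToken";
    // checkAllRequests: false -> only state-changing methods are checked
    static final Set<String> CHECKED = Set.of("POST", "PUT", "PATCH", "DELETE");

    // CsrfAuthorizer: a checked request must echo the session token
    // either as a request parameter or as a request header.
    static boolean csrfCheck(String method, Map<String, String> params,
                             Map<String, String> headers, String sessionToken) {
        if (!CHECKED.contains(method)) {
            return true;
        }
        return sessionToken != null
            && (sessionToken.equals(params.get(TOKEN_NAME))
                || sessionToken.equals(headers.get(TOKEN_NAME)));
    }

    // IsAuthenticatedAuthorizer: a non-anonymous profile must be present.
    static boolean isAuthenticated(boolean hasProfile) {
        return hasProfile;
    }

    // Both authorizers must pass, as in an authorizer list "a, b".
    static boolean authorized(String method, Map<String, String> params,
                              Map<String, String> headers,
                              String sessionToken, boolean hasProfile) {
        return csrfCheck(method, params, headers, sessionToken)
            && isAuthenticated(hasProfile);
    }

    public static void main(String[] args) {
        String token = "constructed-token-123"; // constructed sample value
        // Plain page GET after login: the CSRF check does not apply.
        System.out.println("GET page:            "
            + authorized("GET", Map.of(), Map.of(), token, true));
        // JSF partial request (POST) with only JSF's own fields (constructed).
        Map<String, String> ajax = Map.of("javax.faces.partial.ajax", "true",
                                          "javax.faces.ViewState", "constructed");
        System.out.println("Ajax POST, no token: "
            + authorized("POST", ajax, Map.of(), token, true));
        // Same request with the token added as a form field.
        Map<String, String> withToken = Map.of("javax.faces.partial.ajax", "true",
                                               TOKEN_NAME, token);
        System.out.println("Ajax POST + token:   "
            + authorized("POST", withToken, Map.of(), token, true));
    }
}
```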