Hello, I am trying to use Vaadin in a legacy application, in conjunction with Keycloak.
As it is a legacy system, it’s not possible to use or upgrade to Spring / Spring Security.
It is using Java 11, with Payara as an application server. The Vaadin application is a PWA.
This is for the context.
So, I have manually done the whole OAuth exchange process, using a Filter to handle detection of the token (redirecting to the Keycloak login page if there is none), as well as a CallbackServlet redirecting to the Vaadin login page, which will authenticate the Keycloak user using our legacy user authentication.
I realize it’s not an ideal system at all, but I can’t modify it for now.
The problem I encounter is the following: after Keycloak's whole authentication process, I use an HTTP redirection (302 Location) to get the user to our app homepage.
While doing this, there are some elements that are subject to the redirection, the problematic one being the sw.js file. And as Chrome indicated, it is disallowed to have a script behind a redirection.
I may be able to give some parts of the software (excluding redacted parts, of course), but even though it is not a perfect solution, is there any way to handle Keycloak authentication while keeping Payara & Vaadin? For the redirection, we thought of having an intermediate element (like a Servlet) handling the redirection, but in a different way, without an HTTP 302; we're unsure if it's the right way.
Any tips or ideas? I realize it's a very specific situation.
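As an added example (not the poster's code, and not Vaadin's or Keycloak's own API), here is one shape the authentication Filter described above can take so that the service worker never sees a redirect: the filter sends a 302 to the Keycloak authorization endpoint only for top-level browser navigations, lets PWA assets (sw.js, the manifest, the offline page, /VAADIN/*) and the callback path through untouched, and answers any other unauthenticated request (a service-worker script fetch, XHR, Vaadin UIDL) with a plain 401. It also stores a random `state` in the session so the CallbackServlet can reject forged callbacks. The Keycloak URL, client id, `/callback` path and session attribute names are placeholders; the javax.servlet namespace assumes Payara 5 / Jakarta EE 8, and the asset names are Vaadin 14 defaults that you should adjust to what your version generates.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login filter: redirects navigations only, never scripts or assets. */
public class KeycloakLoginFilter implements Filter {

    // Placeholder values: replace with the realm, client and callback of your deployment.
    private static final String AUTH_ENDPOINT =
            "https://keycloak.example.invalid/realms/demo/protocol/openid-connect/auth";
    private static final String CLIENT_ID = "legacy-app";
    private static final String CALLBACK_PATH = "/callback";           // served by the CallbackServlet
    static final String AUTHENTICATED_ATTR = "keycloak.authenticated";  // assumed: set by the callback
    static final String STATE_ATTR = "keycloak.state";                  // assumed: checked by the callback

    // Paths the filter must never redirect (Vaadin 14 PWA defaults; adjust to your version).
    private static final Set<String> PUBLIC_PATHS = Set.of(
            "/sw.js", "/sw-runtime-resources-precache.js",
            "/manifest.webmanifest", "/offline.html", CALLBACK_PATH);
    private static final Set<String> PUBLIC_PREFIXES = Set.of("/VAADIN/", "/icons/", "/frontend/");

    private final SecureRandom random = new SecureRandom();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application context.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (isPublic(path) || isAuthenticated(request.getSession(false))) {
            chain.doFilter(req, res);
            return;
        }

        if (!isNavigation(request)) {
            // Script, XHR and UIDL requests must not get a 302: tell the client it has no session.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Top-level navigation without a session: start the authorization-code flow.
        String state = newState();
        request.getSession(true).setAttribute(STATE_ATTR, state);
        response.sendRedirect(buildAuthorizationUrl(request, state));
    }

    static boolean isPublic(String path) {
        return PUBLIC_PATHS.contains(path) || PUBLIC_PREFIXES.stream().anyMatch(path::startsWith);
    }

    private static boolean isAuthenticated(HttpSession session) {
        return session != null && Boolean.TRUE.equals(session.getAttribute(AUTHENTICATED_ATTR));
    }

    /** True only for a top-level document request made by the browser itself. */
    static boolean isNavigation(HttpServletRequest request) {
        if ("script".equals(request.getHeader("Service-Worker"))) {
            return false; // the browser fetching sw.js for registration or update
        }
        String mode = request.getHeader("Sec-Fetch-Mode");
        if (mode != null) {
            return "navigate".equals(mode);
        }
        // Fallback for browsers without Fetch Metadata headers.
        String accept = request.getHeader("Accept");
        return accept != null && accept.contains("text/html")
                && request.getHeader("X-Requested-With") == null;
    }

    private String newState() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    private static String buildAuthorizationUrl(HttpServletRequest request, String state) {
        String redirectUri = request.getScheme() + "://" + request.getServerName()
                + ":" + request.getServerPort() + request.getContextPath() + CALLBACK_PATH;
        return AUTH_ENDPOINT
                + "?response_type=code"
                + "&client_id=" + encode(CLIENT_ID)
                + "&redirect_uri=" + encode(redirectUri)
                + "&scope=openid"
                + "&state=" + encode(state);
    }

    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }
}
```

Map the filter to `/*` (via `@WebFilter("/*")` or web.xml) in front of the Vaadin servlet. The CallbackServlet is expected to compare the returned `state` with `STATE_ATTR`, exchange the code for tokens, run the legacy user authentication, set `AUTHENTICATED_ATTR` to `Boolean.TRUE`, and only then send its own 302 to the homepage; by that point the browser is performing a navigation, so the redirect is legitimate, and the next request for sw.js is served directly by the static-resource handler rather than bounced through the login flow.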