[keycloak-dev] [keycloak-user] /authz/protection/permission/ticket usage?
Pedro Igor Silva
psilva at redhat.com
Fri Nov 9 10:58:14 EST 2018
Could not reproduce this. Can you give me an example of the GET request ?
On Fri, Nov 9, 2018 at 12:54 PM Ulrik Sjölin <ulrik.sjolin at gmail.com> wrote:
> Hello,
>
> Thank you for you quick answer, things are really close now :)
>
> Unfortunately using returnNames in GET permission/ticket triggers an NPE
> when I use returnNames. I have built from tip of master
> (29f8187978ea464ff6636981ede22ac5f7f86075).
> I paste in the full console printout below. The NPE occurs at:
>
> 15:13:47,468 ERROR XNIO-1 task-15
> [org.keycloak.services.error.KeycloakErrorHandler] Uncaught server error
> java.lang.NullPointerException
> at
>
> org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:877)
>
> The function in question seems to fail to get the owner. I tried to use
> ownerName when creating the ticket, and sure enough I got:
>
> [
> {
> "id": "9785e990-8f14-408b-814b-f8f8b46e5076",
> "owner": "5759f399-a9c0-47e1-8eb7-dd8b9148aaec",
> "resource": "740fb06e-a543-4cca-9be1-ab240710c4c9",
> "scope": "55b45b56-2fcb-4b18-b9ab-ec68c53fc14b",
> "granted": true,
> "requester": "b4e263e7-7739-4e0b-b554-b96520d27bae"
> }
> ]
>
> So the owner field is set in the DB but it seems that line 874 still sets
> owner variable to null… I am really at loss what to do. I suspect a patch
> where we
> check for null on owner and requester is not the right thing to do :)
>
> 858 public static PermissionTicketRepresentation
> toRepresentation(PermissionTicket ticket, AuthorizationProvider
> authorization, boolean returnNames) {
> 859 PermissionTicketRepresentation representation = new
> PermissionTicketRepresentation();
> 860
> 861 representation.setId(ticket.getId());
> 862 representation.setGranted(ticket.isGranted());
> 863 representation.setOwner(ticket.getOwner());
> 864 representation.setRequester(ticket.getRequester());
> 865
> 866 Resource resource = ticket.getResource();
> 867
> 868 representation.setResource(resource.getId());
> 869
> 870 if (returnNames) {
> 871 representation.setResourceName(resource.getName());
> 872 KeycloakSession keycloakSession =
> authorization.getKeycloakSession();
> 873 RealmModel realm = authorization.getRealm();
> 874 UserModel owner =
> keycloakSession.users().getUserById(ticket.getOwner(), realm);
> 875 UserModel requester =
> keycloakSession.users().getUserById(ticket.getRequester(), realm);
> 876 representation.setRequesterName(requester.getUsername());
> 877 representation.setOwnerName(owner.getUsername());
> 878 }
> 879
> 880 Scope scope = ticket.getScope();
> 881
> 882 if (scope != null) {
> 883 representation.setScope(scope.getId());
> 884 if (returnNames) {
> 885 representation.setScopeName(scope.getName());
> 886 }
> 887 }
> 888
> 889 return representation;
> 890 }
> 891 }
>
>
> Best Regards,
>
> Ulrik
>
> 15:13:47,468 ERROR XNIO-1 task-15
> [org.keycloak.services.error.KeycloakErrorHandler] Uncaught server error
> java.lang.NullPointerException
> at
>
> org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:877)
> at
>
> org.keycloak.authorization.protection.permission.PermissionTicketService.lambda$find$90(PermissionTicketService.java:224)
> at
> java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
> at
> java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> at
>
> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> at
> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> at
>
> org.keycloak.authorization.protection.permission.PermissionTicketService.find(PermissionTicketService.java:225)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at
>
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> at
>
> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
> at
>
> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
> at
>
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> at
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> at
>
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> at
>
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at
>
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at
>
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at
>
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at
>
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
>
> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> at
>
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
>
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> at
>
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
>
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
>
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
>
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
>
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
>
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
>
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at
>
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
>
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at
>
> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at
>
> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> at
>
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
>
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> 15:15:05,130 ERROR XNIO-1 task-22
> [org.keycloak.services.error.KeycloakErrorHandler] Uncaught server error
> java.lang.NullPointerException
> at
>
> org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:877)
> at
>
> org.keycloak.authorization.protection.permission.PermissionTicketService.lambda$find$90(PermissionTicketService.java:224)
> at
> java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
> at
> java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> at
>
> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> at
> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> at
>
> org.keycloak.authorization.protection.permission.PermissionTicketService.find(PermissionTicketService.java:225)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at
>
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> at
>
> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> at
>
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at
>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
> at
>
> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
> at
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
> at
>
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> at
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> at
>
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> at
>
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at
>
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at
>
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at
>
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at
>
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
>
> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> at
>
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
>
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> at
>
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
>
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
>
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
>
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
>
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
>
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
>
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at
>
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
>
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at
>
> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at
>
> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at
>
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> at
>
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
>
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
>
> On 9 November 2018 at 14:37:01, Pedro Igor Silva (psilva at redhat.com)
> wrote:
>
> Hi,
>
> You can use "scopeName" and "requesterName" properties for that. Take a
> look here
>
> https://github.com/keycloak/keycloak/blob/5cbe595fe3094aae8135b8f2c729e9af0cbdd076/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketRepresentation.java#L22
> .
>
> Regards.
> Pedro Igor
>
> On Fri, Nov 9, 2018 at 7:18 AM Ulrik Sjölin <ulrik.sjolin at gmail.com>
> wrote:
>
> > Hello,
> >
> > I have a question on how to use the
> > API: /authz/protection/permission/ticket
> >
> > I can call the endpoint successfully if I do the call with only ids:
> >
> > curl --silent -X POST \
> > http://
> > ${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket
> > \
> > -H "Authorization: Bearer ${service_access_token}" \
> > -H "Content-Type: application/json" \
> > -d "{
> > \"resource\":\"${resource_id}\",
> > \"scope\":\"40065a35-02d5-4db9-be46-02566cf7a666\",
> > \"requester\":\"79ae9a5a-0304-41ec-b721-d57a09d419cb\",
> > \"granted\":\"true\"
> > }”
> >
> > It would however be a lot more workable for me if I could use names like:
> >
> > curl --silent -X POST \
> > http://
> > ${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket
> > \
> > -H "Authorization: Bearer ${service_access_token}" \
> > -H "Content-Type: application/json" \
> > -d "{
> > \"resource\":\"${resource_id}\",
> > \"scope\":\”Read\",
> > \"requester\":\”alice\",
> > \"granted\":\"true\"
> > }”
> >
> > But when I do this I get:
> >
> > {"error":"invalid_scope","error_description":"Scope [Read] is invalid”}
> > {"error":"invalid_permission","error_description":"Requester does not
> > exists in this server as user.”}
> >
> > Looking at the code there seems to be lookups from names to id, but
> > for some reason it fails. What
> > am I doing wrong? Any help is greatly appreciated.
> >
> > Best Regards,
> >
> > Ulrik Sjölin
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list