[keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user

Marek Posolda mposolda at redhat.com
Wed Sep 14 04:20:43 EDT 2016 

It seems that for view/update UserFederation, we currently require 
permissions to "view-users" or "manage-users" . This looks like a bug as 
admin, who is able just to manage users, shouldn't be allowed to manage 
user federation providers. It seems this should either be "view-realm" 
or "manage-realm" or separate dedicated roles for user federation 
providers.

Could you please create JIRA?

Thanks,
Marek

On 14/09/16 09:41, Edgar Vonk - Info.nl wrote:
> Hi Marek,
>
> Very sorry, this was our fault. We were using an outdated and customized version of the users.js file from Keycloak in our theme and this was causing the issue.
>
> We do now see a somewhat related issue in that our user admin accounts (with the manage-users realm-management role) now also see the ‘Configure - User Federation’ menu item and are actually able to change some (but not all) settings in our user federation (and can even delete them I think). Maybe any ideas on how to make sure these users no longer get access to Configure - User Federation?
>
> cheers
>
> Edgar
>
>
>> On 08 Sep 2016, at 14:04, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> Hi Edgar,
>>
>> I was trying to reproduce, but wasn't able. The expected format to invoke this endpoint should be /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users /{userId} so I understand why it fails. But I am not seeing anything in admin console UI, which invokes it from this format.
>>
>> Feel free to create JIRA if you find steps to reproduce it from clean KC.
>>
>> Marek
>>
>> On 07/09/16 13:33, Edgar Vonk - Info.nl wrote:
>>> Hi Marek,
>>>
>>> It’s the brute force detection REST endpoint that is causing the issue.
>>>
>>> /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar at info.nl
>>>
>>> gives a: “Failed to load resource: the server responded with a status of 405 (Method Not Allowed)"
>>>
>>>
>>>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
>>>>
>>>> Hi Marek,
>>>>
>>>> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately.
>>>>
>>>> Will try to find the endpoint in question and report back!
>>>>
>>>> cheers
>>>>
>>>>> On 07 Sep 2016, at 11:24, Marek Posolda <mposolda at redhat.com> wrote:
>>>>>
>>>>> I guess you need to add "view-users" role as well?
>>>>>
>>>>> For tracking, you can try to enable FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
>>>>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role) whenever I click on a user in the Keycloak admin interface (Manage - Users) I get a "Error! An unexpected server error has occurred” with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems.
>>>>>>
>>>>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
>>>>>>
>>>>>>
>>>>>> [0m08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header
>>>>>> 	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)
>>>>>> 	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)
>>>>>> 	at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
>>>>>> 	at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>>> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>>> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>>> 	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>>> 	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>> 	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>> 	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>> 	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>> 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>>> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>> 	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>> 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>> 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>> 	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>> 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>> 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>> 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>> 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>> 	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>> 	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> 	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>>> 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>>> 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>> 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>>> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>> 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>>> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> 	at java.lang.Thread.run(Thread.java:745)
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

More information about the keycloak-user mailing list