[keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user

Edgar Vonk - Info.nl Edgar at info.nl
Wed Sep 14 06:24:41 EDT 2016 

Ok, thanks! I created https://issues.jboss.org/browse/KEYCLOAK-3576

> On 14 Sep 2016, at 10:20, Marek Posolda <mposolda at redhat.com> wrote:
> 
> It seems that for view/update UserFederation, we currently require permissions to "view-users" or "manage-users" . This looks like a bug as admin, who is able just to manage users, shouldn't be allowed to manage user federation providers. It seems this should either be "view-realm" or "manage-realm" or separate dedicated roles for user federation providers.
> 
> Could you please create JIRA?
> 
> Thanks,
> Marek
> 
> On 14/09/16 09:41, Edgar Vonk - Info.nl wrote:
>> Hi Marek,
>> 
>> Very sorry, this was our fault. We were using an outdated and customized version of the users.js file from Keycloak in our theme and this was causing the issue.
>> 
>> We do now see a somewhat related issue in that our user admin accounts (with the manage-users realm-management role) now also see the ‘Configure - User Federation’ menu item and are actually able to change some (but not all) settings in our user federation (and can even delete them I think). Maybe any ideas on how to make sure these users no longer get access to Configure - User Federation?
>> 
>> cheers
>> 
>> Edgar
>> 
>> 
>>> On 08 Sep 2016, at 14:04, Marek Posolda <mposolda at redhat.com> wrote:
>>> 
>>> Hi Edgar,
>>> 
>>> I was trying to reproduce, but wasn't able. The expected format to invoke this endpoint should be /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users /{userId} so I understand why it fails. But I am not seeing anything in admin console UI, which invokes it from this format.
>>> 
>>> Feel free to create JIRA if you find steps to reproduce it from clean KC.
>>> 
>>> Marek
>>> 
>>> On 07/09/16 13:33, Edgar Vonk - Info.nl wrote:
>>>> Hi Marek,
>>>> 
>>>> It’s the brute force detection REST endpoint that is causing the issue.
>>>> 
>>>> /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar at info.nl
>>>> 
>>>> gives a: “Failed to load resource: the server responded with a status of 405 (Method Not Allowed)"
>>>> 
>>>> 
>>>>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
>>>>> 
>>>>> Hi Marek,
>>>>> 
>>>>> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately.
>>>>> 
>>>>> Will try to find the endpoint in question and report back!
>>>>> 
>>>>> cheers
>>>>> 
>>>>>> On 07 Sep 2016, at 11:24, Marek Posolda <mposolda at redhat.com> wrote:
>>>>>> 
>>>>>> I guess you need to add "view-users" role as well?
>>>>>> 
>>>>>> For tracking, you can try to enable FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires.
>>>>>> 
>>>>>> Marek
>>>>>> 
>>>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
>>>>>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role) whenever I click on a user in the Keycloak admin interface (Manage - Users) I get a "Error! An unexpected server error has occurred” with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems.
>>>>>>> 
>>>>>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
>>>>>>> 
>>>>>>> 
>>>>>>> [0m08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header
>>>>>>> 	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)
>>>>>>> 	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)
>>>>>>> 	at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
>>>>>>> 	at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
>>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>>>> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>>>> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>>>> 	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>>>> 	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>>> 	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>>> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>>> 	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>>> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>>> 	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>>> 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>>>> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>>> 	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>>> 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>>> 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>>> 	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>>> 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>>> 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>>> 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>>> 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>>> 	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>>> 	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> 	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>>>> 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>>>> 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>>> 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>>>> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>>> 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>>>> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>> 	at java.lang.Thread.run(Thread.java:745)
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> 
>

More information about the keycloak-user mailing list