[keycloak-user] Keycloak with EZproxy

Stian Thorgersen sthorger at redhat.com
Fri Sep 30 03:25:35 EDT 2016


"XML External Entity switches are not supported.  You may get XML injection
vulnerabilities." is just a warning and shouldn't have anything to do with
the issue.

Try enabling trace logging for org.keycloak and see if you get any more
details.

On 23 September 2016 at 14:52, Bill Kuntz <WKuntz at flvc.org> wrote:

> Thanks.
>
>
>
> When we attempt to authenticate using keycloak 2.2.0_final, we get the
> following log entries on the Keycloak server:
>
>
>
> 2016-09-23 08:44:09,842 WARN  [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported.  You may get XML injection vulnerabilities.
>
> 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
>     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
>     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
>     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
>     at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
>
> 2016-09-23 08:44:10,075 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature
>
>
>
> I have verified that the keys on the client match the server.  Does the
> XML External Entities have something to do with this?
>
>
>
> Any help is appreciated.
>
>
>
> Thanks,
>
> Bill
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Thursday, September 08, 2016 2:31 AM
> *To:* Bill Kuntz
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak with EZproxy
>
>
>
> Not sure what they mean about "authentication sequence identical to a
> standard Shibboleth Identity Provider", but Keycloak is pretty configurable
> so it should be possible to adapt the SAML configuration for the client to
> make it work with EZProxy.
>
>
>
> On 1 September 2016 at 17:47, Bill Kuntz <WKuntz at flvc.org> wrote:
>
> Has anyone successfully used Keycloak with OCLC's EZProxy?  We have been
> experimenting with Keycloak, and have been able to get it working with
> other SPs, but not EZProxy.
>
> OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO
> systems if and only if that system uses an authentication sequence
> identical to a standard Shibboleth Identity Provider (IDP)."
>
> Thanks,
> Bill
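A diagnostic for the "Invalid signature on document" error quoted in the thread, added here as an example; it is not part of the thread, of Keycloak or of EZproxy. It decodes the SAMLRequest POST parameter that EZproxy sends, reports the canonicalization and signature algorithm URIs from ds:SignedInfo, and computes the SHA-256 fingerprint of the certificate carried in ds:KeyInfo so it can be compared with the signing certificate and algorithm configured on the Keycloak SAML client. The AuthnRequest, certificate bytes and fingerprint below are constructed placeholders; the EZproxy issuer URL is assumed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace

def inspect_signed_request(saml_request_b64: str) -> dict:
    """Decode a POST-binding SAMLRequest and summarise its ds:Signature:
    algorithm URIs and the SHA-256 fingerprint of the KeyInfo certificate."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    sig = root.find(f"{DS}Signature")  # enveloped signature, child of root
    if sig is None:
        return {"signed": False}
    c14n = sig.find(f"{DS}SignedInfo/{DS}CanonicalizationMethod")
    alg = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    cert = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    info = {
        "signed": True,
        "c14n": c14n.get("Algorithm") if c14n is not None else None,
        "sig_alg": alg.get("Algorithm") if alg is not None else None,
        "cert_sha256": None,
    }
    if cert is not None and (cert.text or "").strip():
        der = base64.b64decode("".join(cert.text.split()))  # base64 body -> DER
        info["cert_sha256"] = hashlib.sha256(der).hexdigest()
    return info

def cert_matches(info: dict, expected_sha256: str) -> bool:
    """True if the embedded certificate is the one the Keycloak client expects."""
    return info.get("cert_sha256") == expected_sha256.replace(":", "").lower()

# Constructed sample: placeholder certificate bytes (not a real X.509 DER) and a
# dummy SignatureValue; only the structure mirrors a signed AuthnRequest.
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
EXPECTED_FP = hashlib.sha256(FAKE_CERT_DER).hexdigest()
SAMPLE_XML = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_c0ffee" Version="2.0" IssueInstant="2016-09-23T12:44:09Z">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ezproxy.example.org/shibboleth</saml:Issuer>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo>
  <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(FAKE_CERT_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
</samlp:AuthnRequest>"""
SAMPLE_REQUEST = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Run it against the real SAMLRequest value captured from the browser's POST to Keycloak; a fingerprint that differs from the client's configured certificate, or an algorithm Keycloak is not configured for, explains an invalid_signature event even when the key files look identical.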